Relax origin checking in auth middleware

Refs #6642
- Do not send CORS headers on an invalid "origin"
  header, but otherwise allow the response to
  proceed normally. This enforces CORS for the browser
  but does not blow up non-CORS requests.
Jason Williams 2016-03-26 13:26:57 -05:00
parent 0148ed383d
commit 23c162796a
3 changed files with 10 additions and 45 deletions


@ -94,8 +94,8 @@ auth = {
return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
function authenticate(err, client) {
var origin = null,
error;
var origin = null;
if (err) {
return next(err); // will generate a 500 error
}
@ -119,22 +119,12 @@ auth = {
if (!origin && client && client.type === 'ua') {
res.header('Access-Control-Allow-Origin', config.url);
req.client = client;
return next(null, client);
} else if (isValidOrigin(origin, client)) {
res.header('Access-Control-Allow-Origin', req.headers.origin);
}
if (isValidOrigin(origin, client)) {
res.header('Access-Control-Allow-Origin', req.headers.origin);
req.client = client;
return next(null, client);
} else {
error = new errors.UnauthorizedError(i18n.t('errors.middleware.auth.accessDeniedFromUrl', {origin: origin}));
errors.logError(error,
i18n.t('errors.middleware.auth.attemptedToAccessAdmin'),
i18n.t('errors.middleware.auth.forInformationRead', {url: 'http://support.ghost.org/config/#url'})
);
return errors.handleAPIError(error, req, res, next);
}
req.client = client;
return next(null, client);
}
)(req, res, next);
},
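Review bot: After the rewrite, `req.client = client; return next(null, client);` at the end of the callback runs for every client regardless of what `isValidOrigin` returned, so the Origin header no longer influences authentication at all — the server only withholds `Access-Control-Allow-Origin`, and enforcing that is left to the browser. Non-browser callers sending any Origin will receive the full response, which matches the commit description but should be stated in the code; a comment above the `isValidOrigin` check such as `// An invalid origin only suppresses the CORS header; the browser enforces the rest. The client secret remains the only server-side gate.` keeps a later maintainer from re-adding a rejection or assuming one exists. Since the response now differs by the request's Origin, `res.header('Vary', 'Origin');` beside the `Access-Control-Allow-Origin` writes stops an intermediary cache from serving one origin's header to another, unless that is already set elsewhere. If a missing `client` is not rejected before this hunk (lines 102–118 are outside it), the fallthrough now calls `next(null, undefined)` where the removed `else` branch returned an UnauthorizedError — worth confirming. The enclosing `authenticate` callback starts in the earlier hunk at line 94.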


@ -198,22 +198,20 @@ describe('Public API', function () {
});
});
it('denies access from invalid origin', function (done) {
it('does not send CORS headers on an invalid origin', function (done) {
request.get(testUtils.API.getApiQuery('posts/?client_id=ghost-admin&client_secret=not_available'))
.set('Origin', 'http://invalid-origin')
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(401)
.expect(200)
.end(function (err, res) {
if (err) {
return done(err);
}
should.not.exist(res.headers['x-cache-invalidate']);
var jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.errors);
testUtils.API.checkResponseValue(jsonResponse.errors[0], ['message', 'errorType']);
should.not.exist(res.headers['access-control-allow-origin']);
done();
});
});
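Review bot: The rewritten test only checks that `access-control-allow-origin` is absent and the status is 200, but with the `jsonResponse.errors` assertions removed it no longer asserts anything about the body, so an empty body or an error payload under a 200 status would still pass. Adding `should.exist(res.body.posts);` after the header assertion (assuming the posts endpoint responds with a `posts` array, as its other tests presumably check) pins the "proceed normally" half of the commit's claim. A companion case that sends a valid Origin and expects the header to be present would guard the other direction, if one is not already in this describe block (the lines before this hunk are outside it).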


@ -369,29 +369,6 @@ describe('Auth', function () {
done();
});
it('shouldn\'t authenticate client with invalid origin', function (done) {
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
req.headers = {};
req.headers.origin = 'http://invalid.origin.com';
res.status = {};
sandbox.stub(res, 'status', function (statusCode) {
statusCode.should.eql(401);
return {
json: function (err) {
err.errors[0].errorType.should.eql('UnauthorizedError');
}
};
});
registerSuccessfulClientPasswordStrategy();
auth.authenticateClient(req, res, next);
next.called.should.be.false();
done();
});
it('should authenticate valid/known client', function (done) {
req.body = {};
req.body.client_id = testClient;