Origin Header revisited

closes #6106
- added override for my-ghost-blog.com
- added local IP addresses to be allowed
- changed localhost/127.0.0.1 to be allowed in production
This commit is contained in:
Sebastian Gierlinger 2015-11-26 13:11:31 +01:00
parent 03760c3674
commit 245095c199
2 changed files with 34 additions and 20 deletions


@ -1,10 +1,10 @@
var _ = require('lodash'),
passport = require('passport'),
url = require('url'),
os = require('os'),
errors = require('../errors'),
config = require('../config'),
labs = require('../utils/labs'),
isDevelopment,
oauthServer,
auth;
@ -36,15 +36,32 @@ function isBearerAutorizationHeader(req) {
return false;
}
function getIPs() {
var ifaces = os.networkInterfaces(),
ips = [];
Object.keys(ifaces).forEach(function (ifname) {
ifaces[ifname].forEach(function (iface) {
// only support IPv4
if (iface.family !== 'IPv4') {
return;
}
ips.push(iface.address);
});
});
return ips;
}
function isValidOrigin(origin, client) {
isDevelopment = process.env.NODE_ENV === 'development';
var configHostname = url.parse(config.url).hostname;
if (origin && client && client.type === 'ua' && (
_.some(client.trustedDomains, {trusted_domain: origin})
|| origin === url.parse(config.url).hostname
_.indexOf(getIPs(), origin) >= 0
|| _.some(client.trustedDomains, {trusted_domain: origin})
|| origin === configHostname
|| configHostname === 'my-ghost-blog.com'
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|| (origin === '127.0.0.1' && isDevelopment)
|| (origin === 'localhost' && isDevelopment)
|| (origin === 'localhost')
)) {
return true;
} else {
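Review bot: The new disjunct `|| configHostname === 'my-ghost-blog.com'` never looks at `origin`, so whenever config.url still carries the placeholder hostname isValidOrigin returns true for every Origin header and the check is effectively switched off for that deployment. If that is the intended fallback for an unconfigured install, it should at least be commented, e.g. `// config.url still holds the placeholder hostname: the real host is unknown, so no origin can be rejected here`, and a one-time warning through the module's existing error/logging helper would let operators see that the check is inactive. The `isDevelopment = process.env.NODE_ENV === 'development'` assignment at the top of the function appears to have no remaining reader if both `&& isDevelopment` lines are on the removed side, and `_.indexOf(getIPs(), origin)` re-enumerates os.networkInterfaces() on every call; computing the list once at module load would avoid that. isValidOrigin's body continues past the end of this hunk.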


@ -128,6 +128,7 @@ describe('Auth', function () {
describe('User Authentication', function () {
beforeEach(function () {
defaultConfig.url = 'http://my-domain.com';
var newConfig = _.extend({}, config, defaultConfig);
auth.__get__('config', newConfig);
@ -406,8 +407,7 @@ describe('Auth', function () {
done();
});
it('should authenticate client with origin `localhost` while in development', function (done) {
var resetEnvironment = auth.__set__('process.env.NODE_ENV', 'development');
it('should authenticate client with origin `localhost`', function (done) {
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
@ -426,31 +426,28 @@ describe('Auth', function () {
next.called.should.be.true;
next.calledWith(null, client).should.be.true;
resetEnvironment();
done();
});
it('shouldn\'t authenticate client with origin `localhost` by default', function (done) {
it('should authenticate client with origin `127.0.0.1`', function (done) {
req.body = {};
req.body.client_id = testClient;
req.body.client_secret = testSecret;
req.headers = {};
req.headers.origin = 'http://localhost';
req.headers.origin = 'http://127.0.0.1';
res.status = {};
res.header = {};
sandbox.stub(res, 'status', function (statusCode) {
statusCode.should.eql(401);
return {
json: function (err) {
err.errors[0].errorType.should.eql('UnauthorizedError');
}
};
sandbox.stub(res, 'header', function (key, value) {
key.should.equal('Access-Control-Allow-Origin');
value.should.equal('http://127.0.0.1');
});
registerSuccessfulClientPasswordStrategy();
auth.authenticateClient(req, res, next);
next.called.should.be.false;
next.called.should.be.true;
next.calledWith(null, client).should.be.true;
done();
});
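Review bot: The new test "should authenticate client with origin 127.0.0.1" depends on os.networkInterfaces() on the test machine reporting a loopback address of exactly 127.0.0.1, because the middleware now matches the origin against the host's interface list instead of a literal; stubbing `os.networkInterfaces` (or the interface lookup via the rewire `__set__` the file already uses) would make the assertion deterministic. With "shouldn't authenticate client with origin localhost by default" removed, this hunk no longer contains a negative case asserting a 401 for a foreign origin; if no such test exists elsewhere in the file, one should be added so the widened allow-list cannot grow further unnoticed. The `defaultConfig.url = 'http://my-domain.com';` line added in the beforeEach is what keeps these tests off the placeholder-hostname override, and a short comment saying so, e.g. `// not the placeholder hostname, so the origin check is actually exercised`, would save the next reader a trip to the middleware.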