mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-04 17:04:59 +03:00
Handling Origin Header
closes #6106 - added better error message for client and console - added exclusion of localhost/127.0.0.1 for dev mode
This commit is contained in:
Sebastian Gierlinger
parent
8f620b6dce
commit
8c50609491
@ -1,9 +1,10 @@
|
|||||||
var _ = require('lodash'),
|
var _ = require('lodash'),
|
||||||
passport = require('passport'),
|
passport = require('passport'),
|
||||||
url = require('url'),
|
url = require('url'),
|
||||||
errors = require('../errors'),
|
errors = require('../errors'),
|
||||||
config = require('../config'),
|
config = require('../config'),
|
||||||
labs = require('../utils/labs'),
|
labs = require('../utils/labs'),
|
||||||
|
isDevelopment,
|
||||||
oauthServer,
|
oauthServer,
|
||||||
|
|
||||||
auth;
|
auth;
|
||||||
@ -36,10 +37,14 @@ function isBearerAutorizationHeader(req) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function isValidOrigin(origin, client) {
|
function isValidOrigin(origin, client) {
|
||||||
|
isDevelopment = process.env.NODE_ENV === 'development';
|
||||||
|
|
||||||
if (origin && client && client.type === 'ua' && (
|
if (origin && client && client.type === 'ua' && (
|
||||||
_.some(client.trustedDomains, {trusted_domain: origin})
|
_.some(client.trustedDomains, {trusted_domain: origin})
|
||||||
|| origin === url.parse(config.url).hostname
|
|| origin === url.parse(config.url).hostname
|
||||||
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
||||||
|
|| (origin === '127.0.0.1' && isDevelopment)
|
||||||
|
|| (origin === 'localhost' && isDevelopment)
|
||||||
)) {
|
)) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
@ -70,7 +75,8 @@ auth = {
|
|||||||
|
|
||||||
return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
|
return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
|
||||||
function authenticate(err, client) {
|
function authenticate(err, client) {
|
||||||
var origin = null;
|
var origin = null,
|
||||||
|
error;
|
||||||
if (err) {
|
if (err) {
|
||||||
return next(err); // will generate a 500 error
|
return next(err); // will generate a 500 error
|
||||||
}
|
}
|
||||||
@ -94,7 +100,12 @@ auth = {
|
|||||||
req.client = client;
|
req.client = client;
|
||||||
return next(null, client);
|
return next(null, client);
|
||||||
} else {
|
} else {
|
||||||
return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
|
error = new errors.UnauthorizedError('Access Denied from url: ' + origin + '. Please use the url configured in config.js.');
|
||||||
|
errors.logError(error,
|
||||||
|
'You have attempted to access your Ghost admin panel from a url that does not appear in config.js.',
|
||||||
|
'For information on how to fix this, please visit http://support.ghost.org/config/#url.'
|
||||||
|
);
|
||||||
|
return errors.handleAPIError(error, req, res, next);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
)(req, res, next);
|
)(req, res, next);
|
||||||
|
|||||||
@ -406,6 +406,54 @@ describe('Auth', function () {
|
|||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should authenticate client with origin `localhost` while in development', function (done) {
|
||||||
|
var resetEnvironment = auth.__set__('process.env.NODE_ENV', 'development');
|
||||||
|
req.body = {};
|
||||||
|
req.body.client_id = testClient;
|
||||||
|
req.body.client_secret = testSecret;
|
||||||
|
req.headers = {};
|
||||||
|
req.headers.origin = 'http://localhost';
|
||||||
|
|
||||||
|
res.header = {};
|
||||||
|
|
||||||
|
sandbox.stub(res, 'header', function (key, value) {
|
||||||
|
key.should.equal('Access-Control-Allow-Origin');
|
||||||
|
value.should.equal('http://localhost');
|
||||||
|
});
|
||||||
|
|
||||||
|
registerSuccessfulClientPasswordStrategy();
|
||||||
|
auth.authenticateClient(req, res, next);
|
||||||
|
|
||||||
|
next.called.should.be.true;
|
||||||
|
next.calledWith(null, client).should.be.true;
|
||||||
|
resetEnvironment();
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
|
it('shouldn\'t authenticate client with origin `localhost` by default', function (done) {
|
||||||
|
req.body = {};
|
||||||
|
req.body.client_id = testClient;
|
||||||
|
req.body.client_secret = testSecret;
|
||||||
|
req.headers = {};
|
||||||
|
req.headers.origin = 'http://localhost';
|
||||||
|
|
||||||
|
res.status = {};
|
||||||
|
|
||||||
|
sandbox.stub(res, 'status', function (statusCode) {
|
||||||
|
statusCode.should.eql(401);
|
||||||
|
return {
|
||||||
|
json: function (err) {
|
||||||
|
err.errors[0].errorType.should.eql('UnauthorizedError');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
registerSuccessfulClientPasswordStrategy();
|
||||||
|
auth.authenticateClient(req, res, next);
|
||||||
|
next.called.should.be.false;
|
||||||
|
done();
|
||||||
|
});
|
||||||
|
|
||||||
it('should authenticate client with id in query', function (done) {
|
it('should authenticate client with id in query', function (done) {
|
||||||
req.body = {};
|
req.body = {};
|
||||||
req.query = {};
|
req.query = {};
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user