Merge pull request #1714 from sebgie/issue#1680

Hannah Wolfe 2013-12-21 20:18:35 +00:00
commit b80054c4e4


@ -163,9 +163,21 @@ function redirectToSignup(req, res, next) {
}); });
} }
// checkSSL helper function isSSLrequired(isAdmin) {
function redirectSSL(req, res, next) { var forceSSL = url.parse(config().url).protocol === 'https:' ? true : false,
// Check if X-Forarded-Proto headers are sent, if they are check for https. If they are not assume true to avoid infinite redirect loop. forceAdminSSL = (isAdmin && config().forceAdminSSL);
if (forceSSL || forceAdminSSL) {
return true;
}
return false;
}
// Check to see if we should use SSL
// and redirect if needed
function checkSSL(req, res, next) {
if (isSSLrequired(res.isAdmin)) {
// Check if X-Forarded-Proto headers are sent, if they are check for https.
// If they are not assume true to avoid infinite redirect loop.
// If the X-Forwarded-Proto header is missing and Express cannot automatically sense HTTPS the redirect will not be made. // If the X-Forwarded-Proto header is missing and Express cannot automatically sense HTTPS the redirect will not be made.
var httpsHeader = req.header('X-Forwarded-Proto') !== undefined ? req.header('X-Forwarded-Proto').toLowerCase() === 'https' ? true : false : true; var httpsHeader = req.header('X-Forwarded-Proto') !== undefined ? req.header('X-Forwarded-Proto').toLowerCase() === 'https' ? true : false : true;
if (!req.secure && !httpsHeader) { if (!req.secure && !httpsHeader) {
@ -176,24 +188,16 @@ function redirectSSL(req, res, next) {
query: req.query query: req.query
})); }));
} }
next();
}
// Check to see if we should
function checkSSL(req, res, next) {
var forceSSL = url.parse(config().url).protocol === 'https:' ? true : false,
forceAdminSSL = (res.isAdmin && config().forceAdminSSL);
if (forceSSL || forceAdminSSL) {
return redirectSSL(req, res, next);
} }
next(); next();
} }
module.exports = function (server, dbHash) { module.exports = function (server, dbHash) {
var oneYear = 31536000000, var oneHour = 60 * 60 * 1000,
oneYear = 365 * 24 * oneHour,
root = config.paths().webroot, root = config.paths().webroot,
corePath = config.paths().corePath; corePath = config.paths().corePath,
cookie;
// Cache express server instance // Cache express server instance
expressServer = server; expressServer = server;
@ -224,7 +228,7 @@ module.exports = function (server, dbHash) {
expressServer.use(manageAdminAndTheme); expressServer.use(manageAdminAndTheme);
// Force SSL // Force SSL
server.use(checkSSL); expressServer.use(checkSSL);
// Admin only config // Admin only config
expressServer.use(root + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets')))); expressServer.use(root + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets'))));
@ -242,11 +246,23 @@ module.exports = function (server, dbHash) {
expressServer.use(root + '/ghost/api/v0.1/db/', middleware.busboy); expressServer.use(root + '/ghost/api/v0.1/db/', middleware.busboy);
// Session handling // Session handling
cookie = {
path: root + '/ghost',
maxAge: 12 * oneHour
};
// if SSL is forced, add secure flag to cookie
// parameter is true, since cookie is used with admin only
if (isSSLrequired(true)) {
cookie.secure = true;
}
expressServer.use(express.cookieParser()); expressServer.use(express.cookieParser());
expressServer.use(express.session({ expressServer.use(express.session({
store: new BSStore(models), store: new BSStore(models),
proxy: true,
secret: dbHash, secret: dbHash,
cookie: { path: root + '/ghost', maxAge: 12 * 60 * 60 * 1000 } cookie: cookie
})); }));
//enable express csrf protection //enable express csrf protection