mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-15 19:52:01 +03:00
bc25348fcc
closes #5873 - replaced redirectPathname with url method - added tests
61 lines
2.0 KiB
JavaScript
61 lines
2.0 KiB
JavaScript
var config = require('../config'),
|
|
url = require('url'),
|
|
checkSSL;
|
|
|
|
function isSSLrequired(isAdmin, configUrl, forceAdminSSL) {
|
|
var forceSSL = url.parse(configUrl).protocol === 'https:' ? true : false;
|
|
if (forceSSL || (isAdmin && forceAdminSSL)) {
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
// The guts of checkSSL. Indicate forbidden or redirect according to configuration.
|
|
// Required args: forceAdminSSL, url and urlSSL should be passed from config. reqURL from req.url
|
|
function sslForbiddenOrRedirect(opt) {
|
|
var forceAdminSSL = opt.forceAdminSSL,
|
|
reqUrl = url.parse(opt.reqUrl), // expected to be relative-to-root
|
|
baseUrl = url.parse(opt.configUrlSSL || opt.configUrl),
|
|
response = {
|
|
// Check if forceAdminSSL: { redirect: false } is set, which means
|
|
// we should just deny non-SSL access rather than redirect
|
|
isForbidden: (forceAdminSSL && forceAdminSSL.redirect !== undefined && !forceAdminSSL.redirect),
|
|
|
|
redirectUrl: function redirectUrl(query) {
|
|
return url.format({
|
|
protocol: 'https:',
|
|
hostname: baseUrl.hostname,
|
|
port: baseUrl.port,
|
|
pathname: reqUrl.pathname,
|
|
query: query
|
|
});
|
|
}
|
|
};
|
|
|
|
return response;
|
|
}
|
|
|
|
// Check to see if we should use SSL
|
|
// and redirect if needed
|
|
checkSSL = function checkSSL(req, res, next) {
|
|
if (isSSLrequired(res.isAdmin, config.url, config.forceAdminSSL)) {
|
|
if (!req.secure) {
|
|
var response = sslForbiddenOrRedirect({
|
|
forceAdminSSL: config.forceAdminSSL,
|
|
configUrlSSL: config.urlSSL,
|
|
configUrl: config.url,
|
|
reqUrl: req.url
|
|
});
|
|
|
|
if (response.isForbidden) {
|
|
return res.sendStatus(403);
|
|
} else {
|
|
return res.redirect(301, response.redirectUrl(req.query));
|
|
}
|
|
}
|
|
}
|
|
next();
|
|
};
|
|
|
|
module.exports = checkSSL;
|