Origin Header revisited
closes #6106 - adds an override for my-ghost-blog.com - allows local IP addresses - allows localhost/127.0.0.1 in production as well
This commit is contained in:
parent
03760c3674
commit
245095c199
2 changed files with 34 additions and 20 deletions
|
@ -1,10 +1,10 @@
|
||||||
var _ = require('lodash'),
|
var _ = require('lodash'),
|
||||||
passport = require('passport'),
|
passport = require('passport'),
|
||||||
url = require('url'),
|
url = require('url'),
|
||||||
|
os = require('os'),
|
||||||
errors = require('../errors'),
|
errors = require('../errors'),
|
||||||
config = require('../config'),
|
config = require('../config'),
|
||||||
labs = require('../utils/labs'),
|
labs = require('../utils/labs'),
|
||||||
isDevelopment,
|
|
||||||
oauthServer,
|
oauthServer,
|
||||||
|
|
||||||
auth;
|
auth;
|
||||||
|
@ -36,15 +36,32 @@ function isBearerAutorizationHeader(req) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function getIPs() {
|
||||||
|
var ifaces = os.networkInterfaces(),
|
||||||
|
ips = [];
|
||||||
|
|
||||||
|
Object.keys(ifaces).forEach(function (ifname) {
|
||||||
|
ifaces[ifname].forEach(function (iface) {
|
||||||
|
// only support IPv4
|
||||||
|
if (iface.family !== 'IPv4') {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
ips.push(iface.address);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
return ips;
|
||||||
|
}
|
||||||
|
|
||||||
function isValidOrigin(origin, client) {
|
function isValidOrigin(origin, client) {
|
||||||
isDevelopment = process.env.NODE_ENV === 'development';
|
var configHostname = url.parse(config.url).hostname;
|
||||||
|
|
||||||
if (origin && client && client.type === 'ua' && (
|
if (origin && client && client.type === 'ua' && (
|
||||||
_.some(client.trustedDomains, {trusted_domain: origin})
|
_.indexOf(getIPs(), origin) >= 0
|
||||||
|| origin === url.parse(config.url).hostname
|
|| _.some(client.trustedDomains, {trusted_domain: origin})
|
||||||
|
|| origin === configHostname
|
||||||
|
|| configHostname === 'my-ghost-blog.com'
|
||||||
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
||||||
|| (origin === '127.0.0.1' && isDevelopment)
|
|| (origin === 'localhost')
|
||||||
|| (origin === 'localhost' && isDevelopment)
|
|
||||||
)) {
|
)) {
|
||||||
return true;
|
return true;
|
||||||
} else {
|
} else {
|
||||||
|
|
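Review bot: The clause `|| configHostname === 'my-ghost-blog.com'` in isValidOrigin never looks at `origin`, so while config.url is still the placeholder hostname every origin is accepted for a client of type 'ua'; the commit message calls this an override, but the code carries no comment saying so and nothing limits it to development. I would at least document it in place, e.g. `// config.url is still the placeholder: accept every origin so a fresh install can reach the admin`, and consider logging a warning through the imported errors module so the wildcard behaviour is visible on a production instance. The same hunk drops the NODE_ENV gate from `origin === 'localhost'` and, via `getIPs()`, accepts any of the host's own IPv4 addresses, which is a wider trust set than before and should probably be stated in the function's header comment. `getIPs()` also calls `os.networkInterfaces()` on every authentication request; if the addresses are not expected to change at runtime the list could be computed once at module load. The `else` branch of isValidOrigin continues outside the hunk.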
|
@ -128,6 +128,7 @@ describe('Auth', function () {
|
||||||
|
|
||||||
describe('User Authentication', function () {
|
describe('User Authentication', function () {
|
||||||
beforeEach(function () {
|
beforeEach(function () {
|
||||||
|
defaultConfig.url = 'http://my-domain.com';
|
||||||
var newConfig = _.extend({}, config, defaultConfig);
|
var newConfig = _.extend({}, config, defaultConfig);
|
||||||
|
|
||||||
auth.__get__('config', newConfig);
|
auth.__get__('config', newConfig);
|
||||||
|
@ -406,8 +407,7 @@ describe('Auth', function () {
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should authenticate client with origin `localhost` while in development', function (done) {
|
it('should authenticate client with origin `localhost`', function (done) {
|
||||||
var resetEnvironment = auth.__set__('process.env.NODE_ENV', 'development');
|
|
||||||
req.body = {};
|
req.body = {};
|
||||||
req.body.client_id = testClient;
|
req.body.client_id = testClient;
|
||||||
req.body.client_secret = testSecret;
|
req.body.client_secret = testSecret;
|
||||||
|
@ -426,31 +426,28 @@ describe('Auth', function () {
|
||||||
|
|
||||||
next.called.should.be.true;
|
next.called.should.be.true;
|
||||||
next.calledWith(null, client).should.be.true;
|
next.calledWith(null, client).should.be.true;
|
||||||
resetEnvironment();
|
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('shouldn\'t authenticate client with origin `localhost` by default', function (done) {
|
it('should authenticate client with origin `127.0.0.1`', function (done) {
|
||||||
req.body = {};
|
req.body = {};
|
||||||
req.body.client_id = testClient;
|
req.body.client_id = testClient;
|
||||||
req.body.client_secret = testSecret;
|
req.body.client_secret = testSecret;
|
||||||
req.headers = {};
|
req.headers = {};
|
||||||
req.headers.origin = 'http://localhost';
|
req.headers.origin = 'http://127.0.0.1';
|
||||||
|
|
||||||
res.status = {};
|
res.header = {};
|
||||||
|
|
||||||
sandbox.stub(res, 'status', function (statusCode) {
|
sandbox.stub(res, 'header', function (key, value) {
|
||||||
statusCode.should.eql(401);
|
key.should.equal('Access-Control-Allow-Origin');
|
||||||
return {
|
value.should.equal('http://127.0.0.1');
|
||||||
json: function (err) {
|
|
||||||
err.errors[0].errorType.should.eql('UnauthorizedError');
|
|
||||||
}
|
|
||||||
};
|
|
||||||
});
|
});
|
||||||
|
|
||||||
registerSuccessfulClientPasswordStrategy();
|
registerSuccessfulClientPasswordStrategy();
|
||||||
auth.authenticateClient(req, res, next);
|
auth.authenticateClient(req, res, next);
|
||||||
next.called.should.be.false;
|
|
||||||
|
next.called.should.be.true;
|
||||||
|
next.calledWith(null, client).should.be.true;
|
||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
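Review bot: The rewritten case `it('should authenticate client with origin `127.0.0.1`'` replaces the only negative test in this hunk (the old "shouldn't authenticate client with origin `localhost` by default"), so no visible test now asserts that an origin outside the allowed set is rejected with 401, and none covers the accept-all behaviour when config.url is `my-ghost-blog.com`. Both look worth adding; the second is presumably why `defaultConfig.url = 'http://my-domain.com'` was pinned in beforeEach earlier in the file, and a test that leaves the placeholder in place and sends an unrelated origin would document that choice. The 127.0.0.1 case also depends on `os.networkInterfaces()` reporting an IPv4 loopback address on the machine running the suite, which is usual but not guaranteed, so stubbing it through the existing `auth.__set__` setup would make the test deterministic.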