fix session token/cookie handling for arbitrary server IPs; fix realt…

…ime update distribution via websockets
kaleidos · May 1, 2018 · c19f00b · c19f00b
1 parent f752ec4
commit c19f00b
Show file tree

Hide file tree

Showing 10 changed files with 34 additions and 16,012 deletions.
diff --git a/middlewares/session.js b/middlewares/session.js
@@ -16,7 +16,8 @@ module.exports = (req, res, next) => {
         else db.User.findOne({where: {_id: session.user_id}})
           .then(user => {
             if (!user) {
-              res.clearCookie('sdsession');
+              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
+              res.clearCookie('sdsession', { domain: domain });
 
               if (req.accepts("text/html")) {
                 res.send("Please clear your cookies and try again.");

diff --git a/public/javascripts/spacedeck.js b/public/javascripts/spacedeck.js
diff --git a/public/javascripts/spacedeck_routes.js b/public/javascripts/spacedeck_routes.js
@@ -252,8 +252,6 @@ var SpacedeckRoutes = {
       // #hash
       if (event.currentTarget.hash && event.currentTarget.hash.length>1) return;
 
-      console.log("clicked", event.currentTarget.pathname);
-
       // external link?
       if (event.currentTarget.host != location.host) return;
 
@@ -269,35 +267,6 @@ var SpacedeckRoutes = {
       event.preventDefault();
     }.bind(this));
 
-    if (location.host!=ENV.webHost) {
-      if (!subdomainTeam) {
-        location.href = ENV.webEndpoint;
-        return;
-      } else {
-        if(subdomainTeam.subdomain) {
-          var realHost = (subdomainTeam.subdomain + "." + ENV.webHost);
-          if (location.host != realHost) {
-            location.href = realHost;
-            return;
-          }
-        } else {
-          location.href = ENV.webEndpoint;
-          return;
-        }
-      }
-    } 
-
-    if (this.logged_in) {
-      if (this.user.team) {
-        if (this.user.team.subdomain && this.user.team.subdomain.length > 0) {
-          var realHost = (this.user.team.subdomain + "." + ENV.webHost);         
-          if (location.host != realHost) {
-            location.href = location.protocol + "//" + realHost + location.pathname;
-            return;
-          }
-        }
-      }
-    }
     this.internal_route(location.pathname);
   },
 

diff --git a/public/javascripts/spacedeck_users.js b/public/javascripts/spacedeck_users.js
@@ -48,10 +48,6 @@ SpacedeckUsers = {
     },
 
     finalize_login: function(session_token, on_success) {
-      if(!window.socket_auth || window.socket_auth == '' || window.socket_auth == 'null') {
-        window.socket_auth = session_token;
-      }
-
       this.load_user(function(user) {
         if (this.invitation_token) {
           accept_invitation(this.invitation_token, function(memberships){

diff --git a/public/javascripts/spacedeck_websockets.js b/public/javascripts/spacedeck_websockets.js
@@ -59,13 +59,13 @@ SpacedeckWebsockets = {
         else if (msg.action == "delete" && msg.object) {
           if (this.active_space) {
             var o = msg.object;
-            if(o._id){
+            if (o._id){
               var existing_artifact = this.find_artifact_by_id(o._id);
               if (existing_artifact) {
                 var idx = this.active_space_artifacts.indexOf(existing_artifact);
                 this.active_space_artifacts.splice(idx, 1);
               } else console.log("existing artifact to delete not found");
-            }else console.error("object without _id");
+            } else console.error("object without _id");
           }
         }
       }
@@ -101,11 +101,13 @@ SpacedeckWebsockets = {
       }
 
       if (this.websocket && this.websocket.readyState==1) {
+        var token = "";
+        if (this.user) token = this.user.token;
         var auth_params = {
           action: "auth",
           editor_auth: space_auth,
           editor_name: this.guest_nickname,
-          auth_token: window.socket_auth,
+          auth_token: token,
           space_id: space._id
         };
         console.log("[websocket] auth space");

diff --git a/routes/api/sessions.js b/routes/api/sessions.js
@@ -23,15 +23,11 @@ router.post('/', function(req, res) {
   db.User.findOne({where: {email: email}})
     .error(err => {
       res.sendStatus(404);
-      //res.status(400).json({"error":"session.users"});
     })
     .then(user => {
-      console.log("!!! user: ",user.password_hash);
-
       if (bcrypt.compareSync(password, user.password_hash)) {
         crypto.randomBytes(48, function(ex, buf) {
           var token = buf.toString('hex');
-          console.log("!!! token: ",token);
 
           var session = {
             user_id: user._id,
@@ -47,7 +43,7 @@ router.post('/', function(req, res) {
               res.sendStatus(500);
             })
             .then(() => {
-              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : "localhost";
+              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
               res.cookie('sdsession', token, { domain: domain, httpOnly: true });
               res.status(201).json(session);
             });
@@ -60,16 +56,14 @@ router.post('/', function(req, res) {
 
 router.delete('/current', function(req, res, next) {
   if (req.user) {
-    /*var user = req.user;
-    var newSessions = user.sessions.filter( function(session){
-      return session.token != req.token;
-    });*/
-    //user.sessions = newSessions;
-    //user.save(function(err, result) {
-      var domain = new URL(config.get('endpoint')).hostname;
-      res.clearCookie('sdsession', { domain: domain });
-      res.sendStatus(204);
-    //});
+    var token = req.cookies['sdsession'];
+    db.Session.findOne({where: {token: token}})
+      .then(session => {
+        session.destroy();
+      });
+    var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
+    res.clearCookie('sdsession', { domain: domain });
+    res.sendStatus(204);
   } else {
     res.sendStatus(404);
   }

diff --git a/routes/api/space_artifacts.js b/routes/api/space_artifacts.js
@@ -133,7 +133,7 @@ router.post('/:artifact_id/payload', function(req, res, next) {
     var progress_callback = function(progress_msg) {
       a.description = progress_msg;
       a.save();
-      redis.sendMessage("update", a, a.toJSON(), req.channelId);
+      redis.sendMessage("update", a, JSON.stringify(a), req.channelId);
     };
 
     stream.on('finish', function() {
@@ -171,6 +171,7 @@ router.put('/:artifact_id', function(req, res, next) {
   }}).then(rows => {
     db.unpackArtifact(newAttr);
     db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} });
+    newAttr._id = a._id;
     res.distributeUpdate("Artifact", newAttr);
   });
 });

diff --git a/routes/api/space_exports.js b/routes/api/space_exports.js
@@ -240,7 +240,6 @@ router.get('/zip', function(req, res, next) {
 });
 
 router.get('/html', function(req, res) {
-  console.log("!!!!! hello ");
   db.Artifact.findAll({where: {
     space_id: req.space._id
   }}).then(function(artifacts) {

diff --git a/routes/api/users.js b/routes/api/users.js
@@ -25,8 +25,15 @@ var glob = require('glob');
 
 router.get('/current', function(req, res, next) {
   if (req.user) {
-    console.log(req.user.team);
-    res.status(200).json(req.user);
+    var u = _.clone(req.user.dataValues);
+    delete u.password_hash;
+    delete u.password_reset_token;
+    delete u.confirmation_token;
+    u.token = req.cookies['sdsession'];
+
+    console.log(u);
+
+    res.status(200).json(u);
   } else {
     res.status(401).json({"error":"user_not_found"});
   }

diff --git a/views/spacedeck.html b/views/spacedeck.html
@@ -22,29 +22,13 @@
       window.browser_lang = '[[locale]]';
       window.csrf_token = '[[csrf_token]]';
 
-      {% if process.env.NODE_ENV != "production" %}
-        var ENV = {
-          name: 'development',
-          webHost: "localhost:9666",
-          webEndpoint:"http://localhost:9666",
-          apiEndpoint: "http://localhost:9666",
-          websocketsEndpoint: "ws://localhost:9666"
-        };
-      {% else %}
-        var ENV = {
-          name: 'production',
-          webHost: location.host,
-          webEndpoint: location.origin,
-          apiEndpoint: location.origin,
-          websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
-        };
-      {% endif %}
-
-      {% if subdomain_team %}
-        var subdomainTeam = [[ subdomain_team | json | safe ]];
-      {% else %}
-        var subdomainTeam = null;
-      {% endif %}
+      var ENV = {
+        name: 'development',
+        webHost: location.host,
+        webEndpoint: location.origin,
+        apiEndpoint: location.origin,
+        websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
+      };
     </script>
 
     {% if process.env.NODE_ENV == "production" %}