Merge pull request #15 from fedwiki/paul90/no-referer

Don't rely on referer
2017-11-12 10:46:57 -08:00 · 2017-11-12 10:46:57 -08:00 · 6f60d07a3a
commit 6f60d07a3a
parent 54db3c3334 980efed393
3 changed files with 21 additions and 33 deletions
--- a/client/security.coffee
+++ b/client/security.coffee
@ -82,6 +82,8 @@ update_footer = (ownerName, isAuthenticated) ->
        $('footer > #security > #addAltAuth').click (e) ->
          e.preventDefault

+          document.cookie = "wikiName=#{window.location.host}" + ";domain=.#{settings.cookieDomain}; path=/; max-age=300;"
+
          w = WinChan.open({
            url: settings.dialogAddAltURL
            relay_url: settings.relayURL
@ -129,6 +131,8 @@ update_footer = (ownerName, isAuthenticated) ->
    $('footer > #security > #show-security-dialog').click (e) ->
      e.preventDefault()

+      document.cookie = "wikiName=#{window.location.host}" + ";domain=.#{settings.cookieDomain}; path=/; max-age=300;"
+
      w = WinChan.open({
        url: settings.dialogURL
        relay_url: settings.relayURL
--- a/package.json
+++ b/package.json
@ -5,22 +5,22 @@
  "author": "Paul Rodwell <paul.rodwell@btinternet.com> (http://rodwell.me)",
  "license": "MIT",
  "dependencies": {
-    "coffee-script": "^1.12.4",
-    "es6-promise": "^4.1.0",
+    "coffeescript": "^1.12.7",
+    "es6-promise": "^4.1.1",
    "lodash": "^4.17.4",
-    "passport": "^0.3.2",
+    "passport": "^0.4.0",
    "passport-github": "^1.1.0",
    "passport-google-oauth20": "^1.0.0",
    "passport-twitter": "^1.0.4",
    "persona-pass": "^0.2.1",
-    "qs": "^6.4.0",
+    "qs": "^6.5.1",
    "whatwg-fetch": "^2.0.3"
  },
  "devDependencies": {
-    "coffeeify": "^2.1.0",
+    "coffeeify": "^3.0.1",
    "grunt": "^1.0.1",
-    "grunt-browserify": "~5",
-    "grunt-contrib-watch": "~1",
+    "grunt-browserify": "^5.2.0",
+    "grunt-contrib-watch": "^1.0.0",
    "grunt-git-authors": "^3.2.0",
    "grunt-nsp": "*",
    "grunt-retire": "^1.0.7"
--- a/server/social.coffee
+++ b/server/social.coffee
@ -308,7 +308,7 @@ module.exports = exports = (log, loga, argv) ->
      res.json settings

    app.get '/auth/loginDialog', (req, res) ->
-      referer = req.headers.referer
+      cookies = req.cookies
      schemeButtons = []
      _(ids).forEach (scheme) ->
        switch scheme
@ -317,10 +317,7 @@ module.exports = exports = (log, loga, argv) ->
          when "google" then schemeButtons.push({button: "<a href='/auth/google' class='scheme-button google-button'><span>Google</span></a>"})

      info = {
-        wikiName: if useHttps
-          url.parse(referer).hostname
-        else
-          url.parse(referer).host
+        wikiName: cookies['wikiName']
        wikiHostName: if wikiHost
          "part of " + req.hostname + " wiki farm"
        else
@ -332,7 +329,7 @@ module.exports = exports = (log, loga, argv) ->
      res.render(path.join(__dirname, '..', 'views', 'securityDialog.html'), info)

    app.get '/auth/personaLogin', (req, res) ->
-      referer = req.headers.referer
+      cookies = req.cookies
      schemeButtons = []
      if Date.now() < personaEnd
        schemeButtons.push({
@ -350,10 +347,7 @@ module.exports = exports = (log, loga, argv) ->
                    });
                   </script>"})
        info = {
-          wikiName: if useHttps
-            url.parse(referer).hostname
-          else
-            url.parse(referer).host
+          wikiName: cookies['wikiName']
          wikiHostName: if wikiHost
            "part of " + req.hostname + " wiki farm"
          else
@ -365,10 +359,7 @@ module.exports = exports = (log, loga, argv) ->
        }
      else
        info = {
-          wikiName: if useHttps
-            url.parse(referer).hostname
-          else
-            url.parse(referer).host
+          wikiName: cookies['wikiName']
          wikiHostName: if wikiHost
            "part of " + req.hostname + " wiki farm"
          else
@ -379,15 +370,10 @@ module.exports = exports = (log, loga, argv) ->
      res.render(path.join(__dirname, '..', 'views', 'personaDialog.html'), info)

    app.get '/auth/loginDone', (req, res) ->
-      referer = req.headers.referer
-      if referer is undefined
-        referer = ''
+      cookies = req.cookies

      info = {
-        wikiName: if useHttps
-          url.parse(referer).hostname
-        else
-          url.parse(referer).host
+        wikiName: cookies['wikiName']
        wikiHostName: if wikiHost
          "part of " + req.hostname + " wiki farm"
        else
@ -406,7 +392,8 @@ module.exports = exports = (log, loga, argv) ->
      # this the user is authenticated
      user = getUser(req)
      if user
-        referer = req.headers.referer
+        cookies = req.cookies
+

        currentSchemes = _.keys(user)
        altSchemes = _.difference(ids, currentSchemes)
@ -419,10 +406,7 @@ module.exports = exports = (log, loga, argv) ->
            when "google" then schemeButtons.push({button: "<a href='/auth/google' class='scheme-button google-button'><span>Google</span></a>"})

        info = {
-          wikiName: if useHttps
-            url.parse(referer).hostname
-          else
-            url.parse(referer).host
+          wikiName: cookies['wikiName']
          wikiHostName: if wikiHost
            "part of " + req.hostname + " wiki farm"
          else