From ec05842d313533a6dc5296ca6e4cfae82a08c875 Mon Sep 17 00:00:00 2001
From: Paul Rodwell
Date: Mon, 21 Aug 2023 12:17:48 +0100
Subject: [PATCH 1/3] protect assets and sitemap hints that login is required
---
 server/social.coffee | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/server/social.coffee b/server/social.coffee
index fee1861..cf38c06 100644
--- a/server/social.coffee
+++ b/server/social.coffee
@@ -400,15 +400,17 @@ module.exports = exports = (log, loga, argv) ->
 false
 app.all '*', (req, res, next) ->
- # todo: think about assets??
- return next() unless /\.(json|html)$/.test req.url
+ # everything is restricted except site flag,
+ return next() if req.url is '/favicon.png'
+ return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')
 # prepare to examine remote server's forwarded session
 res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
 res.header 'Access-Control-Allow-Credentials', 'true'
- return next() if isAuthorized(req) || allowedToView(req)
+ # protect unclaimed by adding "add owner isnt ''" - maybe via parameter
+ return next() if isAuthorized(req) or allowedToView(req)
 return res.redirect("/view/#{m[1]}") if m = req.url.match /\/(.*)\.html/
- return res.json([]) if req.url == '/system/sitemap.json'
+ return res.json(['Login Required']) if req.url == '/system/sitemap.json'
 # not happy, explain why these pages can't be viewed
 problem = "This is a restricted wiki requires users to login to view pages. You do not have to be the site owner but you do need to login with a participating email address."
From 3305674597de7bac2e9a7191f0215f5c8b967d99 Mon Sep 17 00:00:00 2001
From: Paul Rodwell
Date: Mon, 21 Aug 2023 12:19:08 +0100
Subject: [PATCH 2/3] reload after login, if login was required.
---
 client/security.coffee | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/client/security.coffee b/client/security.coffee
index 890a47f..e82230a 100644
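Review bot: The `or req.url.startsWith('/assets')` clause on the new `return next() unless …` line is, as I read CoffeeScript's implicit-call rules, absorbed into the argument of `test` (it compiles to `test(req.url || req.url.startsWith('/assets'))`), so the assets branch is never evaluated; the intended form is `return next() unless /\.(json|html)$/.test(req.path) or req.url.startsWith('/assets')` (PATCH 3/3 drops the clause again). That line, the restored one in PATCH 3/3 and the new `req.url is '/favicon.png'` comparison all match against `req.url`, which in Express still carries the query string, so a `.json`/`.html` request with a query does not match the `$`-anchored pattern and falls through to `next()` without passing the login gate; matching on `req.path` closes that gap. The sitemap response `['Login Required']` places a bare string sentinel where clients expect page entries, and client/security.coffee (PATCH 2/3) detects it by comparing a lineup title against the same literal, so a page genuinely titled "Login Required" or a reworded message breaks the handshake silently; a 401 status or a dedicated property would be more robust, and at minimum the literal should be one shared constant with a comment such as `# sentinel title checked by client/security.coffee`. The `app.all` handler continues outside the hunk.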
--- a/client/security.coffee
+++ b/client/security.coffee
@@ -31,10 +31,13 @@ claim_wiki = () ->
 .then (response) ->
 if response.ok
 response.json().then (json) ->
- ownerName = json.ownerName
- window.isClaimed = true
- window.isOwner = true
- update_footer ownerName, true
+ if wiki.lineup.bestTitle() is 'Login Required'
+ location.reload()
+ else
+ ownerName = json.ownerName
+ window.isClaimed = true
+ window.isOwner = true
+ update_footer ownerName, true
 else
 console.log 'Attempt to claim site failed', response
@@ -103,7 +106,10 @@ update_footer = (ownerName, isAuthenticated) ->
 if !isClaimed
 claim_wiki()
 else
- update_footer ownerName, true)
+ if wiki.lineup.bestTitle() is 'Login Required'
+ location.reload()
+ else
+ update_footer ownerName, true)
@@ -165,8 +171,6 @@ setup = (user) ->
 settings.dialogURL = dialogProtocol + '//' + dialogHost + '/auth/loginDialog'
 settings.relayURL = dialogProtocol + '//' + dialogHost + '/auth/relay.html'
 settings.dialogAddAltURL = dialogProtocol + '//' + dialogHost + '/auth/addAuthDialog'
-
- update_footer ownerName, isAuthenticated
 else
 console.log 'Unable to fetch client settings: ', response
From 5137dd86acaca94e22a656f4afa1f3ddf6971e54 Mon Sep 17 00:00:00 2001
From: Paul Rodwell
Date: Mon, 21 Aug 2023 16:54:55 +0100
Subject: [PATCH 3/3] backing off protecting assets - breaks too many things.
---
 server/social.coffee | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/social.coffee b/server/social.coffee
index cf38c06..5147444 100644
--- a/server/social.coffee
+++ b/server/social.coffee
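Review bot: The `if wiki.lineup.bestTitle() is 'Login Required'` / `location.reload()` branch added in the `claim_wiki` hunk is repeated verbatim in the `update_footer` hunk below, and both compare against a literal that the server emits from server/social.coffee (PATCH 1/3), so a wording change on either side silently disables the reload. Hoist it once, e.g. `LOGIN_REQUIRED_TITLE = 'Login Required'` near the top of client/security.coffee with the comment `# must match the sitemap sentinel returned by server/social.coffee`, and compare both sites against that constant. In the reload branch the fetched `json` is discarded and `window.isClaimed`/`window.isOwner` are left unset before `location.reload()`; that is presumably intentional because the reload re-runs setup, but a one-line comment such as `# page was loaded while logged out; reload so restricted content is fetched` would make the intent explicit. Both enclosing callbacks start outside their hunks.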
@@ -400,9 +400,9 @@ module.exports = exports = (log, loga, argv) ->
 false
 app.all '*', (req, res, next) ->
- # everything is restricted except site flag,
+ # don't protect site flag,
 return next() if req.url is '/favicon.png'
- return next() unless /\.(json|html)$/.test req.url or req.url.startsWith('/assets')
+ return next() unless /\.(json|html)$/.test req.url
 # prepare to examine remote server's forwarded session
 res.header 'Access-Control-Allow-Origin', req.get('Origin')||'*'
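Review bot: The new comment `# don't protect site flag,` describes the favicon line below it but says nothing about why `/assets` is left ungated, which is the whole point of this revert, so the next reader is likely to re-attempt it. Record the reason next to the restored line, e.g. `# assets are deliberately not gated: restricting /assets broke too many things (see 5137dd8)`. The `app.all` handler continues outside the hunk.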