mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-01-19 14:13:34 +01:00
Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3)
This commit is contained in:
parent
0f436d5916
commit
0c9c1f514f
3 changed files with 20 additions and 10 deletions
|
@ -3,6 +3,7 @@ var socketio = require('socket.io');
|
|||
var settings = require('../../utils/Settings');
|
||||
var socketIORouter = require("../../handler/SocketIORouter");
|
||||
var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
|
||||
var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");
|
||||
|
||||
var padMessageHandler = require("../../handler/PadMessageHandler");
|
||||
|
||||
|
@ -17,12 +18,21 @@ exports.expressCreateServer = function (hook_name, args, cb) {
|
|||
* info */
|
||||
io.set('authorization', function (data, accept) {
|
||||
if (!data.headers.cookie) return accept('No session cookie transmitted.', false);
|
||||
data.cookie = connect.utils.parseCookie(data.headers.cookie);
|
||||
data.sessionID = data.cookie.express_sid;
|
||||
args.app.sessionStore.get(data.sessionID, function (err, session) {
|
||||
if (err || !session) return accept('Bad session / session has expired', false);
|
||||
data.session = new connect.middleware.session.Session(data, session);
|
||||
accept(null, true);
|
||||
|
||||
// Use connect's cookie parser, because it knows how to parse signed cookies
|
||||
connect.cookieParser(webaccess.secret)(data, {}, function(err){
|
||||
if(err) {
|
||||
console.error(err);
|
||||
accept("Couldn't parse request cookies. ", false);
|
||||
return;
|
||||
}
|
||||
|
||||
data.sessionID = data.signedCookies.express_sid;
|
||||
args.app.sessionStore.get(data.sessionID, function (err, session) {
|
||||
if (err || !session) return accept('Bad session / session has expired', false);
|
||||
data.session = new connect.middleware.session.Session(data, session);
|
||||
accept(null, true);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
|
|
|
@ -88,7 +88,7 @@ exports.basicAuth = function (req, res, next) {
|
|||
});
|
||||
}
|
||||
|
||||
var secret = null;
|
||||
exports.secret = null;
|
||||
|
||||
exports.expressConfigure = function (hook_name, args, cb) {
|
||||
// If the log level specified in the config file is WARN or ERROR the application server never starts listening to requests as reported in issue #158.
|
||||
|
@ -103,10 +103,10 @@ exports.expressConfigure = function (hook_name, args, cb) {
|
|||
|
||||
if (!exports.sessionStore) {
|
||||
exports.sessionStore = new express.session.MemoryStore();
|
||||
secret = randomString(32);
|
||||
exports.secret = randomString(32);
|
||||
}
|
||||
|
||||
args.app.use(express.cookieParser(secret));
|
||||
args.app.use(express.cookieParser(exports.secret));
|
||||
|
||||
args.app.sessionStore = exports.sessionStore;
|
||||
args.app.use(express.session({store: args.app.sessionStore,
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"ueberDB" : "0.1.7",
|
||||
"async" : "0.1.x",
|
||||
"express" : "3.x",
|
||||
"connect" : "1.x",
|
||||
"connect" : "2.4.x",
|
||||
"clean-css" : "0.3.2",
|
||||
"uglify-js" : "1.2.5",
|
||||
"formidable" : "1.0.9",
|
||||
|
|
Loading…
Reference in a new issue