libre-service.eu/pad.libre-service.eu-etherpad
libre-service.eu/pad.libre-service.eu-etherpad
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-01-31 19:02:59 +01:00
Code Issues Projects Releases Wiki Activity

express: Skip express-session middleware if pre-authorized

Browse source
This commit is contained in:
Richard Hansen 2021-12-18 17:00:02 -05:00
parent 649fbdccf5
commit 30544b564e
2 changed files with 18 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/node/hooks/express.js
View file

@ -202,15 +202,19 @@ exports.restartServer = async () => {
}, },
}); });
// If webaccess.preAuthorize explicitly grants access, webaccess.checkAccess will skip all checks.
app.use(webaccess.preAuthorize); app.use(webaccess.preAuthorize);
// Give plugins an opportunity to install handlers/middleware after the preAuthorize middleware // Give plugins an opportunity to install handlers/middleware after the preAuthorize middleware
// but before the express-session middleware. This allows plugins to avoid creating an // but before the express-session middleware. This allows plugins to avoid creating an
// express-session record in the database when it is not needed (e.g., public static content). // express-session record in the database when it is not needed (e.g., public static content).
await hooks.aCallAll('expressPreSession', {app}); await hooks.aCallAll('expressPreSession', {app});
app.use(exports.sessionMiddleware); app.use([
app.use(cookieParser(settings.sessionKey, {})); // If webaccess.preAuthorize explicitly granted access, webaccess.nextRouteIfPreAuthorized will
app.use(webaccess.checkAccess); // call `next('route')` which will skip the remaining middlewares in this list.
webaccess.nextRouteIfPreAuthorized,
exports.sessionMiddleware,
cookieParser(settings.sessionKey, {}),
webaccess.checkAccess,
]);
await Promise.all([ await Promise.all([
hooks.aCallAll('expressConfigure', {app}), hooks.aCallAll('expressConfigure', {app}),

10
src/node/hooks/express/webaccess.js
View file

@ -200,12 +200,22 @@ const checkAccess = async (req, res, next) => {
* Express middleware that allows plugins to explicitly grant/deny access via the `preAuthorize` * Express middleware that allows plugins to explicitly grant/deny access via the `preAuthorize`
* hook before `checkAccess` is run. If access is explicitly granted: * hook before `checkAccess` is run. If access is explicitly granted:
* - `next('route')` will be called, which can be used to bypass later checks * - `next('route')` will be called, which can be used to bypass later checks
* - `nextRouteIfPreAuthorized` will simply call `next('route')`
* - `checkAccess` will simply call `next('route')` * - `checkAccess` will simply call `next('route')`
*/ */
exports.preAuthorize = (req, res, next) => { exports.preAuthorize = (req, res, next) => {
preAuthorize(req, res, next).catch((err) => next(err || new Error(err))); preAuthorize(req, res, next).catch((err) => next(err || new Error(err)));
}; };
/**
* Express middleware that simply calls `next('route')` if the request has been explicitly granted
* access by `preAuthorize` (otherwise it calls `next()`). This can be used to bypass later checks.
*/
exports.nextRouteIfPreAuthorized = (req, res, next) => {
if (res.locals._webaccess.skip) return next('route');
next();
};
/** /**
* Express middleware to authenticate the user and check authorization. Must be installed after the * Express middleware to authenticate the user and check authorization. Must be installed after the
* express-session middleware. If the request is pre-authorized, this middleware simply calls * express-session middleware. If the request is pre-authorized, this middleware simply calls