mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-02-01 03:12:42 +01:00
express: Move preAuthorize hook after express-session
The `ep_openid_connect` plugin needs access to session state before authorization checks are made (to securely redirect the user back to the start page when authentication completes). Now that the `expressPreSession` hook exists, the rationale for moving `preAuthorize` before the `express-session` middleware is gone. This change undoes the following commits: *bf35dcfc50*0b1ec20c5c*30544b564e
This commit is contained in:
Richard Hansen
parent
75637708c0
commit
d3984aa621
3 changed files with 19 additions and 56 deletions
|
|
@ -204,18 +204,13 @@ exports.restartServer = async () => {
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
app.use(webaccess.preAuthorize);
|
// Give plugins an opportunity to install handlers/middleware before the express-session
|
||||||
// Give plugins an opportunity to install handlers/middleware after the preAuthorize middleware
|
// middleware. This allows plugins to avoid creating an express-session record in the database
|
||||||
// but before the express-session middleware. This allows plugins to avoid creating an
|
// when it is not needed (e.g., public static content).
|
||||||
// express-session record in the database when it is not needed (e.g., public static content).
|
|
||||||
await hooks.aCallAll('expressPreSession', {app});
|
await hooks.aCallAll('expressPreSession', {app});
|
||||||
app.use([
|
app.use(exports.sessionMiddleware);
|
||||||
// If webaccess.preAuthorize explicitly granted access, webaccess.nextRouteIfPreAuthorized will
|
|
||||||
// call `next('route')` which will skip the remaining middlewares in this list.
|
app.use(webaccess.checkAccess);
|
||||||
webaccess.nextRouteIfPreAuthorized,
|
|
||||||
exports.sessionMiddleware,
|
|
||||||
webaccess.checkAccess,
|
|
||||||
]);
|
|
||||||
|
|
||||||
await Promise.all([
|
await Promise.all([
|
||||||
hooks.aCallAll('expressConfigure', {app}),
|
hooks.aCallAll('expressConfigure', {app}),
|
||||||
|
|
|
||||||
|
|
@ -45,9 +45,8 @@ exports.userCanModify = (padId, req) => {
|
||||||
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.
|
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.
|
||||||
exports.authnFailureDelayMs = 1000;
|
exports.authnFailureDelayMs = 1000;
|
||||||
|
|
||||||
const preAuthorize = async (req, res, next) => {
|
const checkAccess = async (req, res, next) => {
|
||||||
const requireAdmin = req.path.toLowerCase().startsWith('/admin');
|
const requireAdmin = req.path.toLowerCase().startsWith('/admin');
|
||||||
const locals = res.locals._webaccess = {requireAdmin, skip: false};
|
|
||||||
|
|
||||||
// ///////////////////////////////////////////////////////////////////////////////////////////////
|
// ///////////////////////////////////////////////////////////////////////////////////////////////
|
||||||
// Step 1: Check the preAuthorize hook for early permit/deny (permit is only allowed for non-admin
|
// Step 1: Check the preAuthorize hook for early permit/deny (permit is only allowed for non-admin
|
||||||
|
|
@ -56,7 +55,8 @@ const preAuthorize = async (req, res, next) => {
|
||||||
// ///////////////////////////////////////////////////////////////////////////////////////////////
|
// ///////////////////////////////////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
let results;
|
let results;
|
||||||
const preAuthorizeNext = (...args) => { locals.skip = true; next(...args); };
|
let skip = false;
|
||||||
|
const preAuthorizeNext = (...args) => { skip = true; next(...args); };
|
||||||
try {
|
try {
|
||||||
results = await aCallFirst('preAuthorize', {req, res, next: preAuthorizeNext},
|
results = await aCallFirst('preAuthorize', {req, res, next: preAuthorizeNext},
|
||||||
// This predicate will cause aCallFirst to call the hook functions one at a time until one
|
// This predicate will cause aCallFirst to call the hook functions one at a time until one
|
||||||
|
|
@ -64,13 +64,13 @@ const preAuthorize = async (req, res, next) => {
|
||||||
// page, truthy entries are filtered out before checking to see whether the list is empty.
|
// page, truthy entries are filtered out before checking to see whether the list is empty.
|
||||||
// This prevents plugin authors from accidentally granting admin privileges to the general
|
// This prevents plugin authors from accidentally granting admin privileges to the general
|
||||||
// public.
|
// public.
|
||||||
(r) => (locals.skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0)));
|
(r) => (skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0)));
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
httpLogger.error(`Error in preAuthorize hook: ${err.stack || err.toString()}`);
|
httpLogger.error(`Error in preAuthorize hook: ${err.stack || err.toString()}`);
|
||||||
if (!locals.skip) res.status(500).send('Internal Server Error');
|
if (!skip) res.status(500).send('Internal Server Error');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (locals.skip) return;
|
if (skip) return;
|
||||||
if (requireAdmin) {
|
if (requireAdmin) {
|
||||||
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin
|
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin
|
||||||
// privileges to the general public.
|
// privileges to the general public.
|
||||||
|
|
@ -78,22 +78,11 @@ const preAuthorize = async (req, res, next) => {
|
||||||
}
|
}
|
||||||
if (results.length > 0) {
|
if (results.length > 0) {
|
||||||
// Access was explicitly granted or denied. If any value is false then access is denied.
|
// Access was explicitly granted or denied. If any value is false then access is denied.
|
||||||
if (!results.every((x) => x)) {
|
if (results.every((x) => x)) return next();
|
||||||
// Access explicitly denied.
|
|
||||||
if (await aCallFirst0('preAuthzFailure', {req, res})) return;
|
if (await aCallFirst0('preAuthzFailure', {req, res})) return;
|
||||||
// No plugin handled the pre-authentication authorization failure.
|
// No plugin handled the pre-authentication authorization failure.
|
||||||
return res.status(403).send('Forbidden');
|
return res.status(403).send('Forbidden');
|
||||||
}
|
}
|
||||||
// Access explicitly granted.
|
|
||||||
locals.skip = true;
|
|
||||||
return next('route');
|
|
||||||
}
|
|
||||||
next();
|
|
||||||
};
|
|
||||||
|
|
||||||
const checkAccess = async (req, res, next) => {
|
|
||||||
const {locals: {_webaccess: {requireAdmin, skip}}} = res;
|
|
||||||
if (skip) return next('route');
|
|
||||||
|
|
||||||
// This helper is used in steps 2 and 4 below, so it may be called twice per access: once before
|
// This helper is used in steps 2 and 4 below, so it may be called twice per access: once before
|
||||||
// authentication is checked and once after (if settings.requireAuthorization is true).
|
// authentication is checked and once after (if settings.requireAuthorization is true).
|
||||||
|
|
@ -197,30 +186,9 @@ const checkAccess = async (req, res, next) => {
|
||||||
res.status(403).send('Forbidden');
|
res.status(403).send('Forbidden');
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* Express middleware that allows plugins to explicitly grant/deny access via the `preAuthorize`
|
|
||||||
* hook before `checkAccess` is run. If access is explicitly granted:
|
|
||||||
* - `next('route')` will be called, which can be used to bypass later checks
|
|
||||||
* - `nextRouteIfPreAuthorized` will simply call `next('route')`
|
|
||||||
* - `checkAccess` will simply call `next('route')`
|
|
||||||
*/
|
|
||||||
exports.preAuthorize = (req, res, next) => {
|
|
||||||
preAuthorize(req, res, next).catch((err) => next(err || new Error(err)));
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Express middleware that simply calls `next('route')` if the request has been explicitly granted
|
|
||||||
* access by `preAuthorize` (otherwise it calls `next()`). This can be used to bypass later checks.
|
|
||||||
*/
|
|
||||||
exports.nextRouteIfPreAuthorized = (req, res, next) => {
|
|
||||||
if (res.locals._webaccess.skip) return next('route');
|
|
||||||
next();
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Express middleware to authenticate the user and check authorization. Must be installed after the
|
* Express middleware to authenticate the user and check authorization. Must be installed after the
|
||||||
* express-session middleware. If the request is pre-authorized, this middleware simply calls
|
* express-session middleware.
|
||||||
* `next('route')`.
|
|
||||||
*/
|
*/
|
||||||
exports.checkAccess = (req, res, next) => {
|
exports.checkAccess = (req, res, next) => {
|
||||||
checkAccess(req, res, next).catch((err) => next(err || new Error(err)));
|
checkAccess(req, res, next).catch((err) => next(err || new Error(err)));
|
||||||
|
|
|
||||||
|
|
@ -191,11 +191,11 @@ describe(__filename, function () {
|
||||||
await agent.get('/').expect(200);
|
await agent.get('/').expect(200);
|
||||||
assert.deepEqual(callOrder, ['preAuthorize_0']);
|
assert.deepEqual(callOrder, ['preAuthorize_0']);
|
||||||
});
|
});
|
||||||
it('bypasses authenticate and authorize hooks for static content, defers', async function () {
|
it('static content (expressPreSession) bypasses all auth checks', async function () {
|
||||||
settings.requireAuthentication = true;
|
settings.requireAuthentication = true;
|
||||||
settings.requireAuthorization = true;
|
settings.requireAuthorization = true;
|
||||||
await agent.get('/static/robots.txt').expect(200);
|
await agent.get('/static/robots.txt').expect(200);
|
||||||
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']);
|
assert.deepEqual(callOrder, []);
|
||||||
});
|
});
|
||||||
it('cannot grant access to /admin', async function () {
|
it('cannot grant access to /admin', async function () {
|
||||||
handlers.preAuthorize[0].innerHandle = () => [true];
|
handlers.preAuthorize[0].innerHandle = () => [true];
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue