Remove ?dest= redirect logic for /login and use referrer instead
parent
a48cab81b9
commit
7e6312f9d1
|
@ -18,6 +18,19 @@ var csrf = require("./csrf");
|
|||
|
||||
const LOGGER = require('@calzoneman/jsli')('web/auth');
|
||||
|
||||
function getSafeReferrer(req) {
|
||||
const referrer = req.header('referer');
|
||||
const { hostname } = url.parse(referrer);
|
||||
|
||||
// TODO: come back to this when refactoring http alt domains
|
||||
if (hostname === Config.get('http.root-domain')
|
||||
|| Config.get('http.alt-domains').includes(hostname)) {
|
||||
return referrer;
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a login request. Sets a cookie upon successful authentication
|
||||
*/
|
||||
|
@ -27,7 +40,7 @@ function handleLogin(req, res) {
|
|||
var name = req.body.name;
|
||||
var password = req.body.password;
|
||||
var rememberMe = req.body.remember;
|
||||
var dest = req.body.dest || req.header("referer") || null;
|
||||
var dest = req.body.dest || getSafeReferrer(req) || null;
|
||||
dest = dest && dest.match(/login|logout/) ? null : dest;
|
||||
|
||||
if (typeof name !== "string" || typeof password !== "string") {
|
||||
|
@ -36,6 +49,7 @@ function handleLogin(req, res) {
|
|||
}
|
||||
|
||||
var host = req.hostname;
|
||||
// TODO: remove this check from /login, make it generic middleware
|
||||
if (host.indexOf(Config.get("http.root-domain")) === -1 &&
|
||||
Config.get("http.alt-domains").indexOf(host) === -1) {
|
||||
LOGGER.warn("Attempted login from non-approved domain " + host);
|
||||
|
@ -102,7 +116,7 @@ function handleLoginPage(req, res) {
|
|||
});
|
||||
}
|
||||
|
||||
var redirect = req.query.dest || req.header("referer");
|
||||
var redirect = getSafeReferrer(req);
|
||||
var locals = {};
|
||||
if (!/\/register/.test(redirect)) {
|
||||
locals.redirect = redirect;
|
||||
|
@ -120,7 +134,7 @@ function handleLogout(req, res) {
|
|||
res.clearCookie("auth");
|
||||
res.locals.loggedIn = res.locals.loginName = res.locals.superadmin = false;
|
||||
// Try to find an appropriate redirect
|
||||
var dest = req.body.dest || req.header("referer");
|
||||
var dest = req.body.dest || getSafeReferrer(req);
|
||||
dest = dest && dest.match(/login|logout|account/) ? null : dest;
|
||||
|
||||
var host = req.hostname;
|
||||
|
|
|
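Review bot: In getSafeReferrer (first hunk), `url.parse(referrer)` runs on `undefined` whenever the request carries no Referer header, which url.parse rejects with a TypeError, so a direct GET of /login typed into the address bar would now fail in handleLoginPage instead of rendering with no redirect; add `if (typeof referrer !== 'string') return null;` before the parse. In handleLogin and handleLogout, `req.body.dest || getSafeReferrer(req)` still takes a posted `dest` ahead of the validated referrer, so that value never passes the hostname check that this commit introduces; since the form field that supplied it is removed on the template side, either drop the body fallback or run it through the same check. The new function also compares `hostname === Config.get('http.root-domain')` while the existing check in the third hunk uses `host.indexOf(Config.get("http.root-domain"))`, so a referrer from a subdomain of the root domain is accepted by one and rejected by the other — a comment stating which is intended would help until the noted refactor. handleLogin, handleLoginPage and handleLogout each start outside their hunks.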
@ -33,7 +33,7 @@ mixin navdefaultlinks(page)
|
|||
li: a(href=loginDomain+"/account/profile") Profile
|
||||
li: a(href=loginDomain+"/account/edit") Change Password/Email
|
||||
else
|
||||
li: a(href=loginDomain+"/login?dest=" + encodeURIComponent(baseUrl + page)) Login
|
||||
li: a(href=loginDomain+"/login") Login
|
||||
li: a(href=loginDomain+"/register") Register
|
||||
|
||||
mixin navsuperadmin(newTab)
|
||||
|
@ -55,7 +55,6 @@ mixin navloginform(redirect)
|
|||
.visible-lg
|
||||
form#loginform.navbar-form.navbar-right(action=loginDomain+"/login", method="post")
|
||||
input(type="hidden", name="_csrf", value=csrfToken)
|
||||
input(type="hidden", name="dest", value=baseUrl + redirect)
|
||||
.form-group
|
||||
input#username.form-control(type="text", name="name", placeholder="Username")
|
||||
.form-group
|
||||
|
@ -68,14 +67,13 @@ mixin navloginform(redirect)
|
|||
button#login.btn.btn-default(type="submit") Login
|
||||
.visible-md
|
||||
p#loginform.navbar-text.pull-right
|
||||
a#login.navbar-link(href=loginDomain+"/login?dest="+encodeURIComponent(baseUrl+redirect)) Log in
|
||||
a#login.navbar-link(href=loginDomain+"/login") Log in
|
||||
span ·
|
||||
a#register.navbar-link(href="/register") Register
|
||||
|
||||
|
||||
mixin navlogoutform(redirect)
|
||||
form#logoutform.navbar-text.pull-right(action="/logout", method="post")
|
||||
input(type="hidden", name="dest", value=baseUrl + redirect)
|
||||
input(type="hidden", name="_csrf", value=csrfToken)
|
||||
span#welcome Welcome, #{loginName}
|
||||
span ·
|
||||
|
|
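Review bot: The logout form in the last hunk still sends a hidden `dest` field (`input(type="hidden", name="dest", value=baseUrl + redirect)`) although the matching input was removed from the login form, and the server keeps `req.body.dest` ahead of the referrer fallback in handleLogout; if the referrer is now meant to be the only source, removing this input as well keeps the two forms consistent. With the `?dest=` link and the hidden input gone, the `redirect` parameter of `mixin navloginform(redirect)` appears unused in the visible lines, so callers pass a value the mixin ignores — drop the parameter or add a comment saying why it stays. Both mixins continue outside the hunks shown.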