Remove ?dest= redirect logic for /login and use referrer instead

Calvin Montgomery 2017-08-22 17:25:18 -07:00
parent a48cab81b9
commit 7e6312f9d1
2 changed files with 19 additions and 7 deletions


@ -18,6 +18,19 @@ var csrf = require("./csrf");
const LOGGER = require('@calzoneman/jsli')('web/auth');
function getSafeReferrer(req) {
const referrer = req.header('referer');
const { hostname } = url.parse(referrer);
// TODO: come back to this when refactoring http alt domains
if (hostname === Config.get('http.root-domain')
|| Config.get('http.alt-domains').includes(hostname)) {
return referrer;
} else {
return null;
}
}
/**
* Processes a login request. Sets a cookie upon successful authentication
*/
@ -27,7 +40,7 @@ function handleLogin(req, res) {
var name = req.body.name;
var password = req.body.password;
var rememberMe = req.body.remember;
var dest = req.body.dest || req.header("referer") || null;
var dest = req.body.dest || getSafeReferrer(req) || null;
dest = dest && dest.match(/login|logout/) ? null : dest;
if (typeof name !== "string" || typeof password !== "string") {
@ -36,6 +49,7 @@ function handleLogin(req, res) {
}
var host = req.hostname;
// TODO: remove this check from /login, make it generic middleware
if (host.indexOf(Config.get("http.root-domain")) === -1 &&
Config.get("http.alt-domains").indexOf(host) === -1) {
LOGGER.warn("Attempted login from non-approved domain " + host);
@ -102,7 +116,7 @@ function handleLoginPage(req, res) {
});
}
var redirect = req.query.dest || req.header("referer");
var redirect = getSafeReferrer(req);
var locals = {};
if (!/\/register/.test(redirect)) {
locals.redirect = redirect;
@ -120,7 +134,7 @@ function handleLogout(req, res) {
res.clearCookie("auth");
res.locals.loggedIn = res.locals.loginName = res.locals.superadmin = false;
// Try to find an appropriate redirect
var dest = req.body.dest || req.header("referer");
var dest = req.body.dest || getSafeReferrer(req);
dest = dest && dest.match(/login|logout|account/) ? null : dest;
var host = req.hostname;
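Review bot: `getSafeReferrer` passes `req.header('referer')` straight to `url.parse`, but that header is missing on direct navigation or when a referrer policy strips it, and `url.parse` throws a TypeError on a non-string argument; `handleLoginPage` now calls the helper unconditionally, so a plain visit to /login would likely error out. Add `if (typeof referrer !== 'string') return null;` before the parse. Separately, `req.body.dest` in `handleLogin` and `handleLogout` still bypasses the host allow-list; unless it is validated outside these hunks, it should go through the same hostname check, ideally with a check that the protocol is http or https. The three handler bodies continue outside the hunks shown, and the `url` import is not visible here, so confirm it is required at the top of the file.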


@ -33,7 +33,7 @@ mixin navdefaultlinks(page)
li: a(href=loginDomain+"/account/profile") Profile
li: a(href=loginDomain+"/account/edit") Change Password/Email
else
li: a(href=loginDomain+"/login?dest=" + encodeURIComponent(baseUrl + page)) Login
li: a(href=loginDomain+"/login") Login
li: a(href=loginDomain+"/register") Register
mixin navsuperadmin(newTab)
@ -55,7 +55,6 @@ mixin navloginform(redirect)
.visible-lg
form#loginform.navbar-form.navbar-right(action=loginDomain+"/login", method="post")
input(type="hidden", name="_csrf", value=csrfToken)
input(type="hidden", name="dest", value=baseUrl + redirect)
.form-group
input#username.form-control(type="text", name="name", placeholder="Username")
.form-group
@ -68,14 +67,13 @@ mixin navloginform(redirect)
button#login.btn.btn-default(type="submit") Login
.visible-md
p#loginform.navbar-text.pull-right
a#login.navbar-link(href=loginDomain+"/login?dest="+encodeURIComponent(baseUrl+redirect)) Log in
a#login.navbar-link(href=loginDomain+"/login") Log in
span  · 
a#register.navbar-link(href="/register") Register
mixin navlogoutform(redirect)
form#logoutform.navbar-text.pull-right(action="/logout", method="post")
input(type="hidden", name="dest", value=baseUrl + redirect)
input(type="hidden", name="_csrf", value=csrfToken)
span#welcome Welcome, #{loginName}
span  ·