add host check for app
@@ -3,4 +3,6 @@ server/server
|
||||
.git
|
||||
.gitignore
|
||||
README.md
|
||||
ROADMAP.md
|
||||
ROADMAP.md
|
||||
build
|
||||
.env
|
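--- a/.env
+++ b/.env
@@ -1,20 +0,0 @@
-DATABASE_URL=postgres://localhost:5432/lakhansamani
-DATABASE_TYPE=postgres
-COOKIE_NAME=authorizer
-ENV=development
-FORGOT_PASSWORD_URI=reset-password
-FRONTEND_URL=http://localhost:1234
-GITHUB_CLIENT_ID=Iv1.be6b1b73c67b5493
-GITHUB_CLIENT_SECRET=458c5bdd6614eb1ec917a6a049dfbe625129431c
-GOOGLE_CLIENT_ID=678083311263-1n0k7fmbaq4k24pd1jslboj24bjmjub7.apps.googleusercontent.com
-GOOGLE_CLIENT_SECRET=oxmxasg70lHWp71xqzEte5wv
-JWT_SECRET=randome123
-JWT_TYPE=HS256
-SENDER_EMAIL=abhay.m.samani@gmail.com
-SENDER_PASSWORD="bhySmn@q1w2e3#"
-AUTHORIZER_URL=http://localhost:8080
-SMTP_HOST=smtp.gmail.com
-SMTP_PORT=587
-ADMIN_SECRET=admin
-ENV=production
-DISABLE_EMAIL_VERICATION=true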
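--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 server/server
 server/.env
 data
-app/node_modules
+app/node_modules
+build
+.env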
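Review bot: Adding `.env` to `.gitignore` stops future commits of the file but does not remove it from history: the `.env` deleted in this same commit contained `GITHUB_CLIENT_SECRET`, `GOOGLE_CLIENT_SECRET`, `JWT_SECRET`, `SENDER_PASSWORD` and `ADMIN_SECRET`, and every one of them stays retrievable from the previous revision. Those credentials should be treated as compromised and rotated, and the file purged from history (e.g. `git filter-repo --path .env --invert-paths`) before the repository is shared further. The `build/server` binary is also being added in this same commit even though `build` is ignored here, which looks unintended; it should be dropped from the commit.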
BIN
build/server
BIN
build/server
Binary file not shown.
@@ -17,38 +17,58 @@ type State struct {
|
||||
|
||||
func AppHandler() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
host := c.Request.Host
|
||||
host := "http://" + c.Request.Host
|
||||
state := c.Query("state")
|
||||
if state == "" {
|
||||
c.JSON(400, gin.H{"error": "invalid state"})
|
||||
return
|
||||
}
|
||||
|
||||
decodedState, err := base64.StdEncoding.DecodeString(state)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
|
||||
return
|
||||
}
|
||||
var stateObj State
|
||||
err = json.Unmarshal(decodedState, &stateObj)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"})
|
||||
return
|
||||
|
||||
if state == "" {
|
||||
cookie, err := utils.GetAuthToken(c)
|
||||
log.Println(`cookie`, cookie)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{"error": "invalid state"})
|
||||
return
|
||||
}
|
||||
|
||||
stateObj.AuthorizerURL = host
|
||||
stateObj.RedirectURL = host + "/app"
|
||||
|
||||
} else {
|
||||
decodedState, err := base64.StdEncoding.DecodeString(state)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
|
||||
return
|
||||
}
|
||||
|
||||
err = json.Unmarshal(decodedState, &stateObj)
|
||||
if err != nil {
|
||||
c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"})
|
||||
return
|
||||
}
|
||||
|
||||
// validate redirect url with allowed origins
|
||||
if !utils.IsValidRedirectURL(stateObj.RedirectURL) {
|
||||
c.JSON(400, gin.H{"error": "invalid redirect url"})
|
||||
return
|
||||
}
|
||||
|
||||
if stateObj.AuthorizerURL == "" {
|
||||
c.JSON(400, gin.H{"error": "invalid authorizer url"})
|
||||
return
|
||||
}
|
||||
|
||||
// validate host and domain of authorizer url
|
||||
if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(host) {
|
||||
c.JSON(400, gin.H{"error": "invalid host url"})
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// validate redirect url with allowed origins
|
||||
if !utils.IsValidRedirectURL(stateObj.RedirectURL) {
|
||||
c.JSON(400, gin.H{"error": "invalid redirect url"})
|
||||
return
|
||||
}
|
||||
|
||||
log.Println(stateObj)
|
||||
log.Println(host, utils.GetDomainName(stateObj.AuthorizerURL), utils.GetDomainName(host))
|
||||
// validate host and domain of authorizer url
|
||||
if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(host) {
|
||||
c.JSON(400, gin.H{"error": "invalid host url"})
|
||||
return
|
||||
}
|
||||
log.Println(gin.H{
|
||||
"data": map[string]string{
|
||||
"authorizerURL": "http://" + stateObj.AuthorizerURL,
|
||||
"redirectURL": stateObj.RedirectURL,
|
||||
},
|
||||
})
|
||||
|
||||
// debug the request state
|
||||
if pusher := c.Writer.Pusher(); pusher != nil {
|
||||
|
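Review bot: The new domain check at `if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(host)` validates the state-supplied URL against `host`, which is built from `c.Request.Host` — a header the client chooses — so a crafted state carrying an arbitrary AuthorizerURL plus a matching Host header passes unless a reverse proxy in front pins the Host value. Compare against the deployment's configured authorizer URL instead (the removed .env shows an `AUTHORIZER_URL` setting; presumably it is exposed next to `constants.COOKIE_NAME`), e.g. `if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(constants.AUTHORIZER_URL) {`, and derive `stateObj.AuthorizerURL`/`RedirectURL` in the empty-state branch from that same setting rather than from `host`. The `log.Println` that prints `cookie` right after `utils.GetAuthToken(c)` writes the caller's session token into the log and should be removed. Because `host` now carries a hard-coded `"http://"`, the check misbehaves behind TLS, and the context line `"authorizerURL": "http://" + stateObj.AuthorizerURL` double-prefixes the scheme in the empty-state branch — if the response built below the hunk does the same, the app receives an invalid URL. AppHandler continues past the end of the hunk.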
@@ -13,7 +13,7 @@ func SetCookie(gc *gin.Context, token string) {
|
||||
httpOnly := true
|
||||
|
||||
host := GetHostName(gc.Request.Host)
|
||||
log.Println("=> host", host)
|
||||
log.Println("=> cookie host", host)
|
||||
gc.SetSameSite(http.SameSiteNoneMode)
|
||||
gc.SetCookie(constants.COOKIE_NAME, token, 3600, "/", host, secure, httpOnly)
|
||||
}
|
||||
|
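Review bot: `gc.SetSameSite(http.SameSiteNoneMode)` yields a cookie that browsers accept only when it is also marked Secure, and `secure` is assigned above the hunk, so whenever it is false (the removed .env has `AUTHORIZER_URL=http://localhost:8080`, suggesting plain-HTTP deployments exist) the cookie is silently discarded. Either couple the two — `if !secure { gc.SetSameSite(http.SameSiteLaxMode) }` before the `gc.SetCookie` call — or add a comment stating that `secure` must be true for this cookie to work at all. The cookie domain is also taken from the unvalidated `gc.Request.Host` header via `GetHostName`; a comment noting that the deployment must pin Host at the proxy, or using the configured authorizer URL, would make that assumption explicit. SetCookie starts before the hunk.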
@@ -1,14 +1,13 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"log"
|
||||
"net/url"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// function to get hostname
|
||||
func GetHostName(auth_url string) string {
|
||||
u, err := url.Parse("//" + auth_url)
|
||||
u, err := url.Parse(auth_url)
|
||||
if err != nil {
|
||||
return `localhost`
|
||||
}
|
||||
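Review bot: Switching to `url.Parse(auth_url)` without the former `"//" +` prefix breaks callers that pass a bare `Host` header value, such as `GetHostName(gc.Request.Host)` in `SetCookie` in this same commit: `url.Parse("example.com")` puts the text in `Path` so `u.Hostname()` is empty, and `url.Parse("example.com:8080")` returns an error, which this function turns into `localhost`, so the cookie ends up scoped to the wrong domain. Keep scheme-less input working by prefixing only when needed: `if !strings.Contains(auth_url, "://") { auth_url = "//" + auth_url }` before the parse (`strings` is already imported). The `localhost` fallback on a parse error also hides malformed input; returning an empty string (a host-only cookie) would be the safer default. The body of GetHostName continues after the hunk.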
@@ -20,13 +19,12 @@ func GetHostName(auth_url string) string {
|
||||
|
||||
// function to get domain name
|
||||
func GetDomainName(auth_url string) string {
|
||||
u, err := url.Parse("//" + auth_url)
|
||||
u, err := url.Parse(auth_url)
|
||||
if err != nil {
|
||||
return `localhost`
|
||||
}
|
||||
|
||||
host := u.Hostname()
|
||||
log.Println("=> host", host)
|
||||
|
||||
// code to get root domain in case of sub-domains
|
||||
hostParts := strings.Split(host, ".")
|
||||
|
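Review bot: With the `localhost` fallback on `url.Parse` failure kept, the AppHandler check `GetDomainName(stateObj.AuthorizerURL) != GetDomainName(host)` passes whenever both inputs fail to parse, because both sides collapse to the same `localhost` string; both inputs originate from the request (the state parameter and the Host header), so an unparseable pair is cheap to produce. Return `""` on error instead — `if err != nil { return "" }` — and document that callers must treat an empty result as a mismatch rather than as a match. Like GetHostName, this function now loses the hostname for scheme-less input (`u.Hostname()` is empty when `auth_url` has no scheme), which is presumably why the handler started prefixing `"http://"` to the Host header; handling that here would keep the scheme choice out of the handler. The root-domain reduction via `hostParts` below means any sibling subdomain satisfies the check — acceptable if intended, but worth a one-line comment saying so. The function continues beyond the hunk.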