devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

add host check for app

Browse Source
This commit is contained in:
Lakhan Samani
2021-08-03 08:41:33 +05:30
parent dbd19b7465
commit 976316a1ea
7 changed files with 57 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.dockerignore
View File

@@ -3,4 +3,6 @@ server/server
.git .git
.gitignore .gitignore
README.md README.md
ROADMAP.md ROADMAP.md
build
.env

20
.env
View File

@@ -1,20 +0,0 @@
DATABASE_URL=postgres://localhost:5432/lakhansamani
DATABASE_TYPE=postgres
COOKIE_NAME=authorizer
ENV=development
FORGOT_PASSWORD_URI=reset-password
FRONTEND_URL=http://localhost:1234
GITHUB_CLIENT_ID=Iv1.be6b1b73c67b5493
GITHUB_CLIENT_SECRET=458c5bdd6614eb1ec917a6a049dfbe625129431c
GOOGLE_CLIENT_ID=678083311263-1n0k7fmbaq4k24pd1jslboj24bjmjub7.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=oxmxasg70lHWp71xqzEte5wv
JWT_SECRET=randome123
JWT_TYPE=HS256
SENDER_EMAIL=abhay.m.samani@gmail.com
SENDER_PASSWORD="bhySmn@q1w2e3#"
AUTHORIZER_URL=http://localhost:8080
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
ADMIN_SECRET=admin
ENV=production
DISABLE_EMAIL_VERICATION=true

4
.gitignore vendored
View File

@@ -1,4 +1,6 @@
server/server server/server
server/.env server/.env
data data
app/node_modules app/node_modules
build
.env

BIN
build/server
View File

Binary file not shown.

76
server/handlers/app.go
View File

@@ -17,38 +17,58 @@ type State struct {
func AppHandler() gin.HandlerFunc { func AppHandler() gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
host := c.Request.Host host := "http://" + c.Request.Host
state := c.Query("state") state := c.Query("state")
if state == "" {
c.JSON(400, gin.H{"error": "invalid state"})
return
}
decodedState, err := base64.StdEncoding.DecodeString(state)
if err != nil {
c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
return
}
var stateObj State var stateObj State
err = json.Unmarshal(decodedState, &stateObj)
if err != nil { if state == "" {
c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"}) cookie, err := utils.GetAuthToken(c)
return log.Println(`cookie`, cookie)
if err != nil {
c.JSON(400, gin.H{"error": "invalid state"})
return
}
stateObj.AuthorizerURL = host
stateObj.RedirectURL = host + "/app"
} else {
decodedState, err := base64.StdEncoding.DecodeString(state)
if err != nil {
c.JSON(400, gin.H{"error": "[unable to decode state] invalid state"})
return
}
err = json.Unmarshal(decodedState, &stateObj)
if err != nil {
c.JSON(400, gin.H{"error": "[unable to parse state] invalid state"})
return
}
// validate redirect url with allowed origins
if !utils.IsValidRedirectURL(stateObj.RedirectURL) {
c.JSON(400, gin.H{"error": "invalid redirect url"})
return
}
if stateObj.AuthorizerURL == "" {
c.JSON(400, gin.H{"error": "invalid authorizer url"})
return
}
// validate host and domain of authorizer url
if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(host) {
c.JSON(400, gin.H{"error": "invalid host url"})
return
}
} }
// validate redirect url with allowed origins log.Println(gin.H{
if !utils.IsValidRedirectURL(stateObj.RedirectURL) { "data": map[string]string{
c.JSON(400, gin.H{"error": "invalid redirect url"}) "authorizerURL": "http://" + stateObj.AuthorizerURL,
return "redirectURL": stateObj.RedirectURL,
} },
})
log.Println(stateObj)
log.Println(host, utils.GetDomainName(stateObj.AuthorizerURL), utils.GetDomainName(host))
// validate host and domain of authorizer url
if utils.GetDomainName(stateObj.AuthorizerURL) != utils.GetDomainName(host) {
c.JSON(400, gin.H{"error": "invalid host url"})
return
}
// debug the request state // debug the request state
if pusher := c.Writer.Pusher(); pusher != nil { if pusher := c.Writer.Pusher(); pusher != nil {

2
server/utils/cookie.go
View File

@@ -13,7 +13,7 @@ func SetCookie(gc *gin.Context, token string) {
httpOnly := true httpOnly := true
host := GetHostName(gc.Request.Host) host := GetHostName(gc.Request.Host)
log.Println("=> host", host) log.Println("=> cookie host", host)
gc.SetSameSite(http.SameSiteNoneMode) gc.SetSameSite(http.SameSiteNoneMode)
gc.SetCookie(constants.COOKIE_NAME, token, 3600, "/", host, secure, httpOnly) gc.SetCookie(constants.COOKIE_NAME, token, 3600, "/", host, secure, httpOnly)
} }

6
server/utils/urls.go
View File

@@ -1,14 +1,13 @@
package utils package utils
import ( import (
"log"
"net/url" "net/url"
"strings" "strings"
) )
// function to get hostname // function to get hostname
func GetHostName(auth_url string) string { func GetHostName(auth_url string) string {
u, err := url.Parse("//" + auth_url) u, err := url.Parse(auth_url)
if err != nil { if err != nil {
return `localhost` return `localhost`
} }
@@ -20,13 +19,12 @@ func GetHostName(auth_url string) string {
// function to get domain name // function to get domain name
func GetDomainName(auth_url string) string { func GetDomainName(auth_url string) string {
u, err := url.Parse("//" + auth_url) u, err := url.Parse(auth_url)
if err != nil { if err != nil {
return `localhost` return `localhost`
} }
host := u.Hostname() host := u.Hostname()
log.Println("=> host", host)
// code to get root domain in case of sub-domains // code to get root domain in case of sub-domains
hostParts := strings.Split(host, ".") hostParts := strings.Split(host, ".")