(core) Fix bug forcing login on some form URLs

Summary: Login (and other) middleware was included in the public form URL by mistake, forcing logins on forms hosted on non-personal sites. Test Plan: Browser test. Reviewers: paulfitz Reviewed By: paulfitz Differential Revision: https://phab.getgrist.com/D4181
2024-10-27 20:44:07 +00:00 · 2024-02-01 11:47:53 -05:00 · 2024-02-01 11:47:53 -05:00 · cb298e63d4
commit cb298e63d4
parent 716144ed46
3 changed files with 1072 additions and 1034 deletions
--- a/app/server/lib/AppEndpoint.ts
+++ b/app/server/lib/AppEndpoint.ts
@ -25,10 +25,11 @@ import {addOrgToPathIfNeeded, pruneAPIResult, trustOrigin} from 'app/server/lib/
 import {ISendAppPageOptions} from 'app/server/lib/sendAppPage';

 export interface AttachOptions {
-  app: express.Application;                // Express app to which to add endpoints
-  middleware: express.RequestHandler[];    // Middleware to apply for all endpoints except docs
-  docMiddleware: express.RequestHandler[]; // Middleware to apply for doc landing pages
-  forceLogin: express.RequestHandler|null; // Method to force user to login (if logins are possible)
+  app: express.Application;                 // Express app to which to add endpoints
+  middleware: express.RequestHandler[];     // Middleware to apply for all endpoints except docs and forms
+  docMiddleware: express.RequestHandler[];  // Middleware to apply for doc landing pages
+  formMiddleware: express.RequestHandler[]; // Middleware to apply for form landing pages
+  forceLogin: express.RequestHandler|null;  // Method to force user to login (if logins are possible)
  docWorkerMap: IDocWorkerMap|null;
  sendAppPage: (req: express.Request, resp: express.Response, options: ISendAppPageOptions) => Promise<void>;
  dbManager: HomeDBManager;
@ -37,8 +38,8 @@ export interface AttachOptions {
 }

 export function attachAppEndpoint(options: AttachOptions): void {
-  const {app, middleware, docMiddleware, docWorkerMap, forceLogin,
-         sendAppPage, dbManager, plugins, gristServer} = options;
+  const {app, middleware, docMiddleware, formMiddleware, docWorkerMap,
+         forceLogin, sendAppPage, dbManager, plugins, gristServer} = options;
  // Per-workspace URLs open the same old Home page, and it's up to the client to notice and
  // render the right workspace.
  app.get(['/', '/ws/:wsId', '/p/:page'], ...middleware, expressWrap(async (req, res) =>
@ -226,7 +227,7 @@ export function attachAppEndpoint(options: AttachOptions): void {
          ...docMiddleware, docHandler);
  app.get('/:urlId([^-/]{12,})(/:slug([^/]+):remainder(*))?',
          ...docMiddleware, docHandler);
-  app.get('/forms/:urlId([^/]+)/:sectionId', ...middleware, expressWrap(async (req, res) => {
+  app.get('/forms/:urlId([^/]+)/:sectionId', ...formMiddleware, expressWrap(async (req, res) => {
    const formUrl = gristServer.getHomeUrl(req,
      `/api/s/${req.params.urlId}/forms/${req.params.sectionId}`);
    const response = await fetch(formUrl, {
--- a/app/server/lib/FlexServer.ts
+++ b/app/server/lib/FlexServer.ts
@ -1036,6 +1036,9 @@ export class FlexServer implements GristServer {
        this._redirectToOrgMiddleware,
        welcomeNewUser
      ],
+      formMiddleware: [
+        forcedLoginMiddleware,
+      ],
      forceLogin: this._redirectToLoginUnconditionally,
      docWorkerMap: isSingleUserMode() ? null : this._docWorkerMap,
      sendAppPage: this._sendAppPage,
--- a/test/nbrowser/FormView.ts
+++ b/test/nbrowser/FormView.ts