Archives/gristlabs_grist-core
1
0
Fork 0
mirror of https://github.com/gristlabs/grist-core.git synced 2026-03-02 04:09:24 +00:00
Code Issues Projects Releases Wiki Activity

(core) Fixing origin check during Google Authentication

Browse Source 
Summary:
Fixing two bugs
- Google Auth Endpoint wasn't resolving protocol in a correct way
- Google Auth Popup was navigationg to endpoint url based on home url, which
  was diffent from current page origin

Test Plan: n/a

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D2937
This commit is contained in:
Jarosław Sadziński
2021-07-23 00:21:09 +02:00
parent 95cc2eb282
commit f8e4fe54ba
3 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
app/server/lib/GoogleAuth.ts
View File

@@ -1,10 +1,11 @@
import { auth } from '@googleapis/oauth2';
import { ApiError } from 'app/common/ApiError';
import { parseSubdomain } from 'app/common/gristUrls';
import { expressWrap } from 'app/server/lib/expressWrap';
import {auth} from '@googleapis/oauth2';
import {ApiError} from 'app/common/ApiError';
import {parseSubdomain} from 'app/common/gristUrls';
import {expressWrap} from 'app/server/lib/expressWrap';
import * as log from 'app/server/lib/log';
import {getOriginUrl} from 'app/server/lib/requestUtils';
import * as express from 'express';
import { URL } from 'url';
import {URL} from 'url';
/**
* Google Auth Endpoint for performing server side authentication. More information can be found
@@ -150,7 +151,7 @@ export function addGoogleAuthEndpoint(
const oAuth2Client = _googleAuthClient();
const scope = req.query.scope || DRIVE_SCOPE;
// Create url for origin parameter for a popup window.
const origin = `${req.protocol}://${req.headers.host}`;
const origin = getOriginUrl(req);
const authUrl = oAuth2Client.generateAuthUrl({
scope,
prompt: 'select_account',

13
app/server/lib/requestUtils.ts
View File

@@ -237,3 +237,16 @@ export function optIntegerParam(p: any): number|undefined {
export interface RequestWithGristInfo extends Request {
gristInfo?: string;
}
/**
* Returns original request origin. In case, when a client was connected to proxy
* or load balancer, it reads protocol from forwarded headers.
* More can be read on:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
* https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
*/
export function getOriginUrl(req: Request) {
const host = req.headers.host!;
const protocol = req.get("X-Forwarded-Proto") || req.protocol;
return `${protocol}://${host}`;
}