(core) Fixing origin check during Google Authentication
Summary: Fixing two bugs - Google Auth Endpoint wasn't resolving protocol in a correct way - Google Auth Popup was navigating to endpoint url based on home url, which was different from current page origin Test Plan: n/a Reviewers: paulfitz Reviewed By: paulfitz Subscribers: paulfitz Differential Revision: https://phab.getgrist.com/D2937
This commit is contained in:
parent
95cc2eb282
commit
f8e4fe54ba
@ -1,5 +1,4 @@
|
|||||||
import {get as getBrowserGlobals} from 'app/client/lib/browserGlobals';
|
import {get as getBrowserGlobals} from 'app/client/lib/browserGlobals';
|
||||||
import {getHomeUrl} from 'app/client/models/AppModel';
|
|
||||||
import {reportError} from 'app/client/models/errors';
|
import {reportError} from 'app/client/models/errors';
|
||||||
import {spinnerModal} from 'app/client/ui2018/modals';
|
import {spinnerModal} from 'app/client/ui2018/modals';
|
||||||
import type { DocPageModel } from 'app/client/models/DocPageModel';
|
import type { DocPageModel } from 'app/client/models/DocPageModel';
|
||||||
@ -15,7 +14,7 @@ const G = getBrowserGlobals('window');
|
|||||||
* https://developers.google.com/identity/protocols/oauth2/scopes
|
* https://developers.google.com/identity/protocols/oauth2/scopes
|
||||||
*/
|
*/
|
||||||
function getGoogleAuthEndpoint(scope?: string) {
|
function getGoogleAuthEndpoint(scope?: string) {
|
||||||
return new URL(`auth/google?scope=${scope || ''}`, getHomeUrl()).href;
|
return new URL(`auth/google?scope=${scope || ''}`, window.location.origin).href;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
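Review bot: The replaced line in `getGoogleAuthEndpoint` still splices `scope` into the query string unencoded (`?scope=${scope || ''}`), so a scope containing a space, `&` or `#` — Google scopes are URLs, and several are passed space-separated — would be truncated or misparsed by the server's `req.query.scope`; building the path without the query and then calling `url.searchParams.set('scope', scope ?? '')`, or using `encodeURIComponent(scope ?? '')` in the template, keeps the value intact. Separately, this module already routes browser globals through `const G = getBrowserGlobals('window')` (visible in the hunk header), while the new code reads `window.location.origin` directly; `G.window.location.origin` would keep the file consistent and mockable in tests. The function has no doc comment; a one-liner such as `/** Builds the same-origin /auth/google URL the popup navigates to; `scope` is optional and the server falls back to its default when empty. */` would state the contract. `getGoogleAuthEndpoint` is fully contained in this hunk.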
@ -3,6 +3,7 @@ import { ApiError } from 'app/common/ApiError';
|
|||||||
import {parseSubdomain} from 'app/common/gristUrls';
|
import {parseSubdomain} from 'app/common/gristUrls';
|
||||||
import {expressWrap} from 'app/server/lib/expressWrap';
|
import {expressWrap} from 'app/server/lib/expressWrap';
|
||||||
import * as log from 'app/server/lib/log';
|
import * as log from 'app/server/lib/log';
|
||||||
|
import {getOriginUrl} from 'app/server/lib/requestUtils';
|
||||||
import * as express from 'express';
|
import * as express from 'express';
|
||||||
import {URL} from 'url';
|
import {URL} from 'url';
|
||||||
|
|
||||||
@ -150,7 +151,7 @@ export function addGoogleAuthEndpoint(
|
|||||||
const oAuth2Client = _googleAuthClient();
|
const oAuth2Client = _googleAuthClient();
|
||||||
const scope = req.query.scope || DRIVE_SCOPE;
|
const scope = req.query.scope || DRIVE_SCOPE;
|
||||||
// Create url for origin parameter for a popup window.
|
// Create url for origin parameter for a popup window.
|
||||||
const origin = `${req.protocol}://${req.headers.host}`;
|
const origin = getOriginUrl(req);
|
||||||
const authUrl = oAuth2Client.generateAuthUrl({
|
const authUrl = oAuth2Client.generateAuthUrl({
|
||||||
scope,
|
scope,
|
||||||
prompt: 'select_account',
|
prompt: 'select_account',
|
||||||
|
@ -237,3 +237,16 @@ export function optIntegerParam(p: any): number|undefined {
|
|||||||
export interface RequestWithGristInfo extends Request {
|
export interface RequestWithGristInfo extends Request {
|
||||||
gristInfo?: string;
|
gristInfo?: string;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns original request origin. In case, when a client was connected to proxy
|
||||||
|
* or load balancer, it reads protocol from forwarded headers.
|
||||||
|
* More can be read on:
|
||||||
|
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
|
||||||
|
* https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
|
||||||
|
*/
|
||||||
|
export function getOriginUrl(req: Request) {
|
||||||
|
const host = req.headers.host!;
|
||||||
|
const protocol = req.get("X-Forwarded-Proto") || req.protocol;
|
||||||
|
return `${protocol}://${host}`;
|
||||||
|
}
|
||||||
|
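Review bot: `getOriginUrl` reads `X-Forwarded-Proto` unconditionally, so the scheme in the returned origin is chosen by whoever sends the request rather than by a trusted proxy; Express's `req.protocol` already honours `X-Forwarded-Proto` only when the app's `trust proxy` setting is enabled, and it also handles the comma-separated form the header takes behind chained proxies, so `const protocol = req.protocol;` gives the intended behaviour without the unconditional header read. The `req.headers.host!` assertion hides a request with no Host header and would yield `undefined://`; failing explicitly, e.g. `if (!host) { throw new Error('missing Host header'); }`, is clearer (hedged: whether a throw here is acceptable depends on how callers wrap the handler). Since `addGoogleAuthEndpoint` in the previous hunk now feeds this value into `generateAuthUrl` as the popup's origin parameter, the docstring should record the precondition — add a line like `* Requires the Express 'trust proxy' setting when Grist runs behind a proxy or load balancer; otherwise the forwarded scheme is not trusted.` — and the signature should carry an explicit `: string` return type as the rest of the file's exports do.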