(core) Fixing origin check during Google Authentication

Summary:
Fixing two bugs
- Google Auth Endpoint wasn't resolving protocol in a correct way
- Google Auth Popup was navigating to the endpoint URL built from the home URL, which
  could differ from the current page's origin

Test Plan: n/a

Reviewers: paulfitz

Reviewed By: paulfitz

Subscribers: paulfitz

Differential Revision: https://phab.getgrist.com/D2937
This commit is contained in:
Jarosław Sadziński 2021-07-23 00:21:09 +02:00
parent 95cc2eb282
commit f8e4fe54ba
3 changed files with 21 additions and 8 deletions


@ -1,5 +1,4 @@
import {get as getBrowserGlobals} from 'app/client/lib/browserGlobals'; import {get as getBrowserGlobals} from 'app/client/lib/browserGlobals';
import {getHomeUrl} from 'app/client/models/AppModel';
import {reportError} from 'app/client/models/errors'; import {reportError} from 'app/client/models/errors';
import {spinnerModal} from 'app/client/ui2018/modals'; import {spinnerModal} from 'app/client/ui2018/modals';
import type { DocPageModel } from 'app/client/models/DocPageModel'; import type { DocPageModel } from 'app/client/models/DocPageModel';
@ -15,7 +14,7 @@ const G = getBrowserGlobals('window');
* https://developers.google.com/identity/protocols/oauth2/scopes * https://developers.google.com/identity/protocols/oauth2/scopes
*/ */
function getGoogleAuthEndpoint(scope?: string) { function getGoogleAuthEndpoint(scope?: string) {
return new URL(`auth/google?scope=${scope || ''}`, getHomeUrl()).href; return new URL(`auth/google?scope=${scope || ''}`, window.location.origin).href;
} }
/** /**
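Review bot: The rewritten `return new URL(..., window.location.origin).href` reaches for the bare `window` global, while the hunk header shows this file already routes window access through `const G = getBrowserGlobals('window')` (presumably so tests can stub it); `G.window.location.origin` keeps that convention. Separately, `scope` is interpolated into the query string unencoded: `new URL` percent-encodes spaces in the query, but a scope containing `&` or `#` would be split or truncated, so `auth/google?scope=${encodeURIComponent(scope || '')}` is safer. That second point predates this commit and only matters if `scope` can ever come from outside the codebase.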


@ -3,6 +3,7 @@ import { ApiError } from 'app/common/ApiError';
import {parseSubdomain} from 'app/common/gristUrls'; import {parseSubdomain} from 'app/common/gristUrls';
import {expressWrap} from 'app/server/lib/expressWrap'; import {expressWrap} from 'app/server/lib/expressWrap';
import * as log from 'app/server/lib/log'; import * as log from 'app/server/lib/log';
import {getOriginUrl} from 'app/server/lib/requestUtils';
import * as express from 'express'; import * as express from 'express';
import {URL} from 'url'; import {URL} from 'url';
@ -150,7 +151,7 @@ export function addGoogleAuthEndpoint(
const oAuth2Client = _googleAuthClient(); const oAuth2Client = _googleAuthClient();
const scope = req.query.scope || DRIVE_SCOPE; const scope = req.query.scope || DRIVE_SCOPE;
// Create url for origin parameter for a popup window. // Create url for origin parameter for a popup window.
const origin = `${req.protocol}://${req.headers.host}`; const origin = getOriginUrl(req);
const authUrl = oAuth2Client.generateAuthUrl({ const authUrl = oAuth2Client.generateAuthUrl({
scope, scope,
prompt: 'select_account', prompt: 'select_account',
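Review bot: The `origin` assigned on the changed line `const origin = getOriginUrl(req);` is now built entirely from request headers (Host and X-Forwarded-Proto), and nothing in this hunk validates the host before it is passed into `generateAuthUrl` as the popup's origin parameter. If the server answers on arbitrary Host values, a crafted request can steer that parameter; whether that is exploitable depends on how the popup and its return path consume the origin, which lies outside this hunk. Since `parseSubdomain` from gristUrls is already imported here, consider checking `req.headers.host` against the deployment's known domain(s) before building the origin and rejecting unknown values with an `ApiError` (also already imported). The body of `addGoogleAuthEndpoint` begins before this hunk.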


@ -237,3 +237,16 @@ export function optIntegerParam(p: any): number|undefined {
export interface RequestWithGristInfo extends Request { export interface RequestWithGristInfo extends Request {
gristInfo?: string; gristInfo?: string;
} }
/**
* Returns original request origin. In case, when a client was connected to proxy
* or load balancer, it reads protocol from forwarded headers.
* More can be read on:
* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
* https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
*/
export function getOriginUrl(req: Request) {
const host = req.headers.host!;
const protocol = req.get("X-Forwarded-Proto") || req.protocol;
return `${protocol}://${host}`;
}
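Review bot: `getOriginUrl` honors `X-Forwarded-Proto` unconditionally on the line `const protocol = req.get("X-Forwarded-Proto") || req.protocol;`, which bypasses Express's `trust proxy` mechanism — when no trusted proxy strips or sets that header, any client can supply it, so the scheme of the origin sent to Google becomes attacker-chosen (and not even restricted to `http`/`https`). The header may also carry a comma-separated chain (`https,http`) when several proxies are involved, and `req.headers.host!` silently turns a missing Host header into the string `undefined`. The cleanest fix is `app.set('trust proxy', ...)` plus plain `req.protocol`, which already parses this header correctly; if the header must be read here, take the first value, accept only `http`/`https`, and fail on a missing host.

```typescript
export function getOriginUrl(req: Request) {
  const host = req.headers.host;
  if (!host) { throw new Error('Missing Host header'); }
  // Header may be a comma-separated proxy chain; only the first hop matters, and only
  // 'http'/'https' are acceptable — anything else falls back to req.protocol.
  const forwarded = (req.get("X-Forwarded-Proto") || '').split(',')[0].trim().toLowerCase();
  const protocol = (forwarded === 'http' || forwarded === 'https') ? forwarded : req.protocol;
  return `${protocol}://${host}`;
}
```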