From a7640b5bbd11f349b24be24228d991110dd43ee5 Mon Sep 17 00:00:00 2001
From: Henry Oswald 
Date: Thu, 30 Apr 2015 11:57:40 +0100
Subject: [PATCH] changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist
---
 .../Authentication/AuthenticationController.coffee | 3 ++-
 .../AuthenticationControllerTests.coffee | 12 +++++++++++-
 .../test/UnitTests/coffee/helpers/MockRequest.coffee | 1 +
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
index 5b6fe447f2..652abbe64d 100644
--- a/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
+++ b/services/web/app/coffee/Features/Authentication/AuthenticationController.coffee
@@ -90,7 +90,7 @@ module.exports = AuthenticationController =
 AuthenticationController._globalLoginWhitelist.push endpoint
 requireGlobalLogin: (req, res, next) ->
- if req.url in AuthenticationController._globalLoginWhitelist
+ if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
 return next()
 if req.headers['authorization']?
@@ -98,6 +98,7 @@ module.exports = AuthenticationController =
 else if req.session.user?
 return next()
 else
+ logger.log url:req.url, "user trying to access endpoint not in global whitelist"
 return res.redirect "/login"
 httpAuth: require('express').basicAuth (user, pass)->
diff --git a/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee b/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
index 37d36e4268..485aeba475 100644
--- a/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/Authentication/AuthenticationControllerTests.coffee
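Review bot: `req._parsedUrl` is an underscore-prefixed property that Express populates internally as a cache of the parsed `req.url`; it is not a documented API, so the changed line `req._parsedUrl.pathname in ...` would throw a TypeError instead of falling through to the redirect on any request the router has not yet parsed (the MockRequest change in this same commit shows the property has to be stubbed by hand). Deriving the path locally keeps the whitelist check independent of middleware ordering, e.g. `pathname = require("url").parse(req.url).pathname` followed by `if pathname in AuthenticationController._globalLoginWhitelist`, which also matches the inline `require('express')` style already used further down in this hunk. The comparison is an exact string match against the whitelist, so a trailing slash, double slash or percent-encoded variant of a whitelisted path still requires login; that is the safe direction, and a one-line comment saying so would stop someone "fixing" it later. requireGlobalLogin continues past the end of this hunk.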
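Review bot: The added `logger.log url:req.url, ...` line records the full request URL, query string included, every time an unauthenticated request is redirected; this commit exists because query strings reach this code, and any token, e-mail address or search term they carry will now land in log storage. Logging the path alone keeps the diagnostic value: `logger.log url:req._parsedUrl.pathname, "user trying to access endpoint not in global whitelist"`. I cannot see from this hunk whether `logger` is required at the top of the file; if it is not, the redirect branch would throw rather than redirect. The enclosing requireGlobalLogin starts before this hunk.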
@@ -284,12 +284,22 @@ describe "AuthenticationController", ->
 describe "with white listed url", ->
 beforeEach ->
 @AuthenticationController.addEndpointToLoginWhitelist "/login"
- @req.url = "/login"
+ @req._parsedUrl.pathname = "/login"
 @AuthenticationController.requireGlobalLogin @req, @res, @next
 it "should call next() directly", ->
 @next.called.should.equal true
+
+ describe "with white listed url and a query string", ->
+ beforeEach ->
+ @AuthenticationController.addEndpointToLoginWhitelist "/login"
+ @req._parsedUrl.pathname = "/login"
+ @req.url = "/login?query=something"
+ @AuthenticationController.requireGlobalLogin @req, @res, @next
+ it "should call next() directly", ->
+ @next.called.should.equal true
+
 describe "with http auth", ->
 beforeEach ->
 @req.headers["authorization"] = "Mock Basic Auth"
diff --git a/services/web/test/UnitTests/coffee/helpers/MockRequest.coffee b/services/web/test/UnitTests/coffee/helpers/MockRequest.coffee
index e955e084bb..de3fba7a6b 100644
--- a/services/web/test/UnitTests/coffee/helpers/MockRequest.coffee
+++ b/services/web/test/UnitTests/coffee/helpers/MockRequest.coffee
@@ -5,6 +5,7 @@ class MockRequest
 params: {}
 query: {}
+ _parsedUrl:{}
 i18n: translate:->
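Review bot: Both `beforeEach` blocks in this hunk mutate `@req._parsedUrl.pathname` in place, so if MockRequest supplies `_parsedUrl` as a class-level (prototype) object rather than creating one per instance — its constructor is not visible here — the `"/login"` value persists into later `describe` blocks, and a case such as "with http auth" would take the whitelist branch instead of the branch it means to exercise. Assigning a fresh object in the test, `@req._parsedUrl = pathname: "/login"`, isolates each case regardless of how the mock is built. A negative case that pins the exact-match semantics would also be worth adding, e.g. a `describe` that sets `@req._parsedUrl.pathname = "/login/extra"` and asserts `@res.redirect` was called rather than `@next`. The new "query string" block also repeats the whitelist and setup lines of the block above it; a shared `beforeEach` on the parent describe would remove the duplication.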