Fix socket.io auth: Use connect to parse signed cookies (migrate to express v3)

2012-09-22 16:03:40 +02:00 · 2012-09-22 16:03:40 +02:00 · 0c9c1f514f
parent 0f436d5916
commit 0c9c1f514f
3 changed files with 20 additions and 10 deletions
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@ -3,6 +3,7 @@ var socketio = require('socket.io');
 var settings = require('../../utils/Settings');
 var socketIORouter = require("../../handler/SocketIORouter");
 var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
+var webaccess = require("ep_etherpad-lite/node/hooks/express/webaccess");

 var padMessageHandler = require("../../handler/PadMessageHandler");

@ -17,12 +18,21 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   * info */
  io.set('authorization', function (data, accept) {
    if (!data.headers.cookie) return accept('No session cookie transmitted.', false);
-    data.cookie = connect.utils.parseCookie(data.headers.cookie);
-    data.sessionID = data.cookie.express_sid;
-    args.app.sessionStore.get(data.sessionID, function (err, session) {
-      if (err || !session) return accept('Bad session / session has expired', false);
-      data.session = new connect.middleware.session.Session(data, session);
-      accept(null, true);
+
+    // Use connect's cookie parser, because it knows how to parse signed cookies
+    connect.cookieParser(webaccess.secret)(data, {}, function(err){
+      if(err) {
+        console.error(err);
+        accept("Couldn't parse request cookies. ", false);
+        return;
+      }
+
+      data.sessionID = data.signedCookies.express_sid;
+      args.app.sessionStore.get(data.sessionID, function (err, session) {
+        if (err || !session) return accept('Bad session / session has expired', false);
+        data.session = new connect.middleware.session.Session(data, session);
+        accept(null, true);
+      });
    });
  });

--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -88,7 +88,7 @@ exports.basicAuth = function (req, res, next) {
  });
 }

-var secret = null;
+exports.secret = null;

 exports.expressConfigure = function (hook_name, args, cb) {
  // If the log level specified in the config file is WARN or ERROR the application server never starts listening to requests as reported in issue #158.
@ -103,10 +103,10 @@ exports.expressConfigure = function (hook_name, args, cb) {

  if (!exports.sessionStore) {
    exports.sessionStore = new express.session.MemoryStore();
-    secret = randomString(32);
+    exports.secret = randomString(32);
  }
  
-  args.app.use(express.cookieParser(secret));
+  args.app.use(express.cookieParser(exports.secret));

  args.app.sessionStore = exports.sessionStore;
  args.app.use(express.session({store: args.app.sessionStore,
--- a/src/package.json
+++ b/src/package.json
@ -18,7 +18,7 @@
                      "ueberDB"             : "0.1.7",
                      "async"               : "0.1.x",
                      "express"             : "3.x",
-                      "connect"             : "1.x",
+                      "connect"             : "2.4.x",
                      "clean-css"           : "0.3.2",
                      "uglify-js"           : "1.2.5",
                      "formidable"          : "1.0.9",