libretic
/
etherpad-lite
5
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

express: New `expressPreSession` server-side hook

This commit is contained in:
Richard Hansen 2021-12-17 16:29:45 -05:00
parent 0b1ec20c5c
commit 72f4ae444d
3 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -19,6 +19,7 @@
#### For plugin authors
* New `expressPreSession` server-side hook.
* New APIs for processing attributes: `ep_etherpad-lite/static/js/attributes`
(low-level API) and `ep_etherpad-lite/static/js/AttributeMap` (high-level
API).

29
doc/api/hooks_server-side.md
View File

@ -58,6 +58,35 @@ Run during startup after the named plugin is initialized.
Context properties: None
## `expressPreSession`
Called from: `src/node/hooks/express.js`
Called during server startup just before the
[`express-session`](https://www.npmjs.com/package/express-session) middleware is
added to the Express Application object. Use this hook to add route handlers or
middleware that executes before `express-session` state is created and
authentication is performed. This is useful for creating public endpoints that
don't spam the database with new `express-session` records or trigger
authentication.
**WARNING:** All handlers registered during this hook run before the built-in
authentication checks, so any handled endpoints will be public unless the
handler itself authenticates the user.
Context properties:
* `app`: The Express [Application](https://expressjs.com/en/4x/api.html#app)
object.
Example:
```javascript
exports.expressPreSession = async (hookName, {app}) => {
app.get('/hello-world', (req, res) => res.send('hello world'));
};
```
## `expressConfigure`
Called from: `src/node/hooks/express.js`

4
src/node/hooks/express.js
View File

@ -204,6 +204,10 @@ exports.restartServer = async () => {
// If webaccess.preAuthorize explicitly grants access, webaccess.checkAccess will skip all checks.
app.use(webaccess.preAuthorize);
// Give plugins an opportunity to install handlers/middleware after the preAuthorize middleware
// but before the express-session middleware. This allows plugins to avoid creating an
// express-session record in the database when it is not needed (e.g., public static content).
await hooks.aCallAll('expressPreSession', {app});
app.use(exports.sessionMiddleware);
app.use(cookieParser(settings.sessionKey, {}));
app.use(webaccess.checkAccess);