This repository was archived by the owner on Nov 13, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathindex.js
155 lines (123 loc) · 5.37 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
'use strict';
// The Staff Single Sign On (S3O) public key is available at https://s3o.ft.com/publickey.
// — S3O validates only @ft.com google accounts (and a whitelist of non-ft.com accounts).
// — It's intended to change sporadically and without warning, mainly for security testing.
// — Currently it comes in DER format and needs to be converted to PEM format
const debug = require('debug')('middleware:auth:s3o');
const querystring = require('querystring');
const url = require('url');
const urlencoded = require('body-parser').urlencoded({extended: true});
const { authenticate, publickey, cookies } = require('@financial-times/s3o-middleware-utils');
const { getUsername, getToken, normaliseRequestCookies, setCookies, clearCookies } = require('./lib/cookies');
const { USERNAME: S3O_USERNAME_COOKIE } = cookies;
const publicKeyPoller = publickey.poller(debug);
const { authenticateToken, validate } = authenticate(publickey.poller(debug));
const authS3O = function (req, res, next) {
debug('S3O: Start.');
normaliseRequestCookies(req);
// Check for s3o username/token URL parameters.
// These parameters come from https://s3o.ft.com. It redirects back after it does the google authentication.
if (req.method === 'POST' && req.query.username) {
urlencoded(req, res, function () {
debug(`S3O: Found parameter token for ${S3O_USERNAME_COOKIE}: ${req.query.username}`);
let isAuthenticated;
try {
isAuthenticated = authenticateToken(req.query.username, req.hostname, req.body.token);
} catch (e) {
res.status(500).send(e);
return;
}
if (isAuthenticated) {
setCookies(res, req.query.username, req.body.token);
// Strip the username and token from the URL (but keep any other parameters)
// Set 2nd parameter to true to parse the query string (so we can easily delete ?username=)
let cleanURL = url.parse(req.originalUrl, true);
// Node prefers ‘search’ over ‘query’ so remove ‘search’
delete cleanURL.search;
delete cleanURL.query.username;
debug('S3O: Parameters detected in URL and body. Redirecting to base path: ' + url.format(cleanURL));
// Don't cache any redirection responses.
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Pragma', 'no-cache');
res.header('Expires', 0);
res.redirect(url.format(cleanURL));
} else {
clearCookies(res);
res.status(403);
res.send('<h1>Authentication error.</h1><p>For access, please log in with your FT account</p>');
}
});
// Check for s3o username/token cookies
} else if (getUsername(req) && getToken(req)) {
debug(`S3O: Found cookie token for ${S3O_USERNAME_COOKIE}: ${getUsername(req)}`);
let isAuthenticated;
try {
isAuthenticated = authenticateToken(getUsername(req), req.hostname, getToken(req));
} catch(e) {
res.status(500).send(e);
return;
}
if (isAuthenticated) {
next();
} else {
res.send('<h1>Authentication error.</h1><p>For access, please log in with your FT account</p>');
}
// Send the user to s3o to authenticate
} else {
const s3o_system_code = req.headers['x-s3o-systemcode'];
const protocol = (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === 'https') ? 'https' : req.protocol;
// Get the original port, either from the proxy or by
// splitting it out from the hostname
const originalPort = req.headers['x-forwarded-port'] || (
req.get('host').includes(':') ?
req.get('host').split(':').pop() :
undefined
);
// Environments like Heroku send a forwarded port even if it's one
// of the defaults, like 80 or 443. We need to ignore these
const hostWithPort = req.hostname + (
originalPort && originalPort !== '80' && originalPort !== '443' ?
`:${originalPort}` :
''
);
const originalLocation = protocol + '://' + hostWithPort + req.originalUrl;
const parameters = querystring.stringify({
post: true,
host: req.hostname,
redirect: originalLocation,
});
const s3o_url_v2 = `https://s3o.ft.com/v2/authenticate?${parameters}`;
let s3o_url_v4 = `https://s3ov4.in.ft.com/v2/authenticate?${parameters}`;
if (s3o_system_code) {
s3o_url_v4 += '&systemcode='+ encodeURIComponent(s3o_system_code);
}
const s3o_url = req.headers['x-s3o-version'] === 'v4' ? s3o_url_v4 : s3o_url_v2;
debug(`S3O: No token/${S3O_USERNAME_COOKIE} found. Redirecting to ${s3o_url}`);
// Don't cache any redirection responses.
res.header('Cache-Control', 'private, no-cache, no-store, must-revalidate');
res.header('Pragma', 'no-cache');
res.header('Expires', 0);
return res.redirect(s3o_url);
}
};
// Alternative authentication middleware which does not redirect to S3O when
// cookies are missing or invalid. This can be used in front of API calls
// where a redirect will be undesirable
const authS3ONoRedirect = function (req, res, next) {
debug('S3O: Start.');
normaliseRequestCookies(req);
const username = getUsername(req);
const token = getToken(req);
if (username && token && authenticateToken(username, req.hostname, token)) {
debug('S3O: Authentication succeeded');
return next();
};
debug('S3O: Authentication failed');
clearCookies(res);
res.send('Forbidden');
return false;
}
module.exports = authS3O;
module.exports.authS3ONoRedirect = authS3ONoRedirect;
module.exports.validate = validate;
module.exports.ready = publicKeyPoller({ promise: true }).then(() => true);