- Fourth wall shouldn't be used over HTTP. - Fourth wall shouldn't use an access token which has unnecessary permissions. - Add some documentation about security in the readme. solo @tlwr
Toby Lorne
committed
Feb 17, 2018
1 parent
167d16c
commit aade6fc
Showing
4 changed files
with
72 additions
and
0 deletions.
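--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,46 @@
+function runPreFlightChecks() {
+const isHttp = window.location.protocol == 'http:',
+isLocalhost = window.location.hostname == 'localhost'
+isUnsafe = !(isHttp && isLocalhost);
+
+if (isUnsafe) {
+const isHttpMessage = [
+'This page is running over the web over HTTP.',
+'You should use HTTPS and rotate your access token.',
+].join(' ');
+alert(isHttpMessage);
+}
+
+// We will:
+// - Make a request to the github rate limit endpoint
+// (This will not affect the rate limit)
+// - Check what scopes we have access to
+const token = new FourthWall.getQueryVariables().token,
+ghUrl = 'https://api.github.com/rate_limit',
+authGhUrl = ghUrl + '?access_token=' + token;
+
+fetch(authGhUrl)
+.then(function (response) { return response.headers; })
+.then(function (headers) { return headers.get('x-oauth-scopes') })
+.then(function (scopes) { return scopes.split(', '); })
+.then(function (scopes) {
+const allowedScopes = ['repo:status', 'repo_deployment', 'read:org'];
+let badScopes = scopes.filter(function(scope) {
+return allowedScopes.indexOf(scope) < 0;
+});
+
+if (badScopes.length > 0) {
+let badScopesString = badScopes.join(' '),
+badScopesMessage = [
+'You have the following unnecessary scopes: <',
+badScopesString,
+'>; these scopes should be removed.',
+'Clicking accept will reload this page.',
+'Reloading the page will show this message unless the scopes are correct.',
+].join(' ');
+
+alert(badScopesMessage);
+window.location.reload(true);
+}
+});
+}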
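Review bot: The unsafe-context test `isUnsafe = !(isHttp && isLocalhost)` is inverted: it flags every page that is not plain HTTP on localhost, including a properly deployed HTTPS page, while the alert text only talks about HTTP; the intended condition is `isUnsafe = isHttp && !isLocalhost;`. As rendered, the `const` declaration above it also lacks a comma after `'localhost'`, which would make the whole file a syntax error — worth confirming against the source since the page may have dropped it. The access token is appended to the request URL as `?access_token=`, so it lands in browser history, referrer headers and any proxy or server access log; sending it as an `Authorization` header keeps it out of all of those. When the `x-oauth-scopes` header is absent (for example on an invalid token) `headers.get` returns null and `.split` throws inside a promise chain with no `.catch`, so the error is never surfaced. The rewritten lines are below; the scope comparison and alert logic are unchanged.
```javascript
function runPreFlightChecks() {
  const isHttp = window.location.protocol === 'http:';
  const isLocalhost = window.location.hostname === 'localhost';
  // Plain HTTP is tolerable only on localhost; the original negation flagged HTTPS pages too.
  const isUnsafe = isHttp && !isLocalhost;
  // … unchanged: isUnsafe alert …
  const token = new FourthWall.getQueryVariables().token;
  const ghUrl = 'https://api.github.com/rate_limit';
  // Send the token in a header so it stays out of URLs, referrers and access logs.
  fetch(ghUrl, { headers: { Authorization: `token ${token}` } })
    .then(function (response) { return response.headers.get('x-oauth-scopes') || ''; })
    .then(function (scopeHeader) { return scopeHeader.split(', ').filter(Boolean); })
    // … unchanged: allowedScopes comparison, alert and reload …
    .catch(function (err) { console.error('pre-flight scope check failed', err); });
}
```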