This repository has been archived by the owner on Jan 10, 2022. It is now read-only.

Calipso fails to initiate the session when proxy-search request comes in #267

Closed
sashuk opened this issue Dec 15, 2014 · 16 comments

Comments

@sashuk

sashuk commented Dec 15, 2014

Hello, hope that this will really help. I have Calipso working on port 80, so some guys are constantly bombing port 80 with proxy-search requests:

GET http://www.baidu.com/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.baidu.com/
Host: www.baidu.com
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive

The problem is that when these requests happen, the following error crashes Calipso:

Cannot read property 'user' of undefined
TypeError: Cannot read property 'user' of undefined
    at PermissionFilter.check (C:\calipso\production\lib\core\Permission.js:183:27)
    at CalipsoMenu.addMenuItem (C:\calipso\production\lib\core\Menu.js:83:27)
    at Object.route (C:\calipso\production\modules\community\geothemes\geothemes.js:96:19)
    at routeModule (C:\calipso\production\lib\core\Module.js:133:15)
    at iterator (C:\calipso\production\lib\core\Module.js:54:5)
    at _asyncMap (C:\calipso\production\node_modules\async\lib\async.js:185:13)
    at async.forEach (C:\calipso\production\node_modules\async\lib\async.js:86:13)
    at Array.forEach (native)
    at _forEach (C:\calipso\production\node_modules\async\lib\async.js:26:24)
    at async.forEach (C:\calipso\production\node_modules\async\lib\async.js:85:9)

C:\calipso\production\node_modules\step\lib\step.js:39
        throw arguments[0];
                       ^
TypeError: Cannot read property 'user' of undefined
    at PermissionFilter.check (C:\calipso\production\lib\core\Permission.js:183:27)
    at CalipsoMenu.addMenuItem (C:\calipso\production\lib\core\Menu.js:83:27)
    at C:\calipso\production\lib\core\Module.js:145:24
    at Function.allMatched (C:\calipso\production\lib\core\Router.js:254:11)
    at next (C:\calipso\production\node_modules\step\lib\step.js:51:23)
    at next.parallel (C:\calipso\production\node_modules\step\lib\step.js:83:14)
    at check (C:\calipso\production\node_modules\step\lib\step.js:99:9)
    at process.startup.processNextTick.process._tickCallback (node.js:244:9)

I've done a bit of research, and it appears that in the case of these requests the object _req.session_ is not initialized, so the application crashes when it tries to use it. So I had to make a terrible, but working fix: in calipso.js, in routingFn(), I've put this code:

    /*
    Fix for not-initialized session in Express - weird requests cause broken session,
    so everything that relies upon it - breaks as well.
    */
    if (!req.session) {
        console.log("Fake session insert");
        req.session = {
            cookie: { path: '/', _expires: '', originalMaxAge: '', httpOnly: true },
            user: {isAdmin: false},
            fake: true
        };
    }

I understand that this is an issue with the Express or Everyauth library, but maybe there is a known solution for Calipso.

And thanks for Calipso CMS!

@richtera
Collaborator

Which branch are you using? I thought this was fixed some time ago, but I'll make sure it gets into whatever branch you're using.
Thanks
Andy


@sashuk
Author

sashuk commented Dec 15, 2014

I am using the master branch (yesterday I checked out a fresh 0.3.50 version, and it was still failing on these requests).

@richtera
Collaborator

I pushed and published a fix to this. I am currently working on the module_refactor which now also contains this fix.
The module refactor branch uses calipso as a normal npm module instead of the current “copy into place kind of thing”
Thanks
Andy


@richtera
Collaborator

BTW: Which authentication are you using? I was unable to readily reproduce the problem, but I could see that the code didn’t double check that req.session was set.
Andy


@sashuk
Author

sashuk commented Dec 19, 2014

Thanks for the explanation!
So, basically I should migrate to the module_refactor branch in order to avoid this error?
I was using basic authentication with login/password stored in MongoDB without bcrypt (because of the Windows operating system).

@richtera
Collaborator

I fixed the error in both branches and published a new npm. Eventually I will migrate the npm to the new branch.
Andy


@richtera
Collaborator

This has been fixed.

@sashuk
Author

sashuk commented Dec 22, 2014

Well, I guess it is a Windows thing, but I managed to recreate this bug on freshly installed master and module_refactor branches.

@richtera
Collaborator

You're still seeing the session problem?
Andy


@sashuk
Author

sashuk commented Dec 22, 2014

Yes, the same problem - the log from the installation itself is shown below. The error is thrown because no session is initialized (unable to read the _req.session.user_ property).

22 Dec 22:40:39 - info: Installing module content
22 Dec 22:40:39 - info: Installing module contentTypes
22 Dec 22:40:39 - info: Installing module permissions
22 Dec 22:40:39 - info: Installing module user
22 Dec 22:40:39 - info: Content types module installed ...
22 Dec 22:40:39 - info: Content module installed ...
22 Dec 22:40:39 - info: User module installed ...
22 Dec 22:40:39 - info: User Roles sub-module installed ...
22 Dec 22:41:12 - error: Cannot read property 'user' of undefined Calipso Module: user
22 Dec 22:41:12 - info: No Calipso module routes matched the current URL /http://www.baidu.com/

C:\calipso\testrefactor\node_modules\step\lib\step.js:39
        throw arguments[0];
                       ^
TypeError: Cannot read property 'user' of undefined
    at processTheme (C:\calipso\testrefactor\lib\core\Themes.js:407:30)
    at Object.module.exports.Theme.theme.render (C:\calipso\testrefactor\lib\core\Themes.js:132:11)
    at doResponse (C:\calipso\testrefactor\lib\core\Module.js:304:19)
    at C:\calipso\testrefactor\lib\core\Module.js:186:7
    at Function.done (C:\calipso\testrefactor\lib\core\Module.js:273:7)
    at next (C:\calipso\testrefactor\node_modules\step\lib\step.js:51:23)
    at next.parallel (C:\calipso\testrefactor\node_modules\step\lib\step.js:83:14)
    at check (C:\calipso\testrefactor\node_modules\step\lib\step.js:99:9)
    at next.group (C:\calipso\testrefactor\node_modules\step\lib\step.js:116:22)
    at Function.allMatched (C:\calipso\testrefactor\lib\core\Router.js:269:11)

C:\calipso\testrefactor>

@richtera
Collaborator

This must be in a second place then. I saw you added an initialization to the session, but that can cause problems with the authentication system.
I wonder how to debug this. OK, I’ll check whether I forgot another place to check that both session and session.user are defined.
Andy


@sashuk
Author

sashuk commented Dec 22, 2014

Thanks a lot! I'll try to examine it as well.

@richtera
Collaborator

I am unable to get into a scenario where the session is undefined. Which URL are you executing when this happens?
Thanks
Andy


@sashuk
Author

sashuk commented Dec 29, 2014

You need to telnet to Calipso in order to simulate it; the example request is listed in this very ticket. Basically it simulates a proxy-search request (pretty bad guys are doing it).

@richtera
Collaborator

richtera commented Jan 7, 2015

This seems to actually be a bug in express.session. If the URL doesn't start with / then session will not get defined at all. I added a wrapper to express.session to default the session to {} in that case.
I just pushed this to both branches.
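
The failure mode diagnosed in the comment above, shown as an added example that is not part of the original thread or of Calipso's code: a request whose target is an absolute URL never gets a session, so the server can refuse it up front and read the user defensively everywhere else. All function names are hypothetical, and `sessionStub` is a simplified stand-in for the session middleware behaviour reported in the thread.

```javascript
// Added example; all function names here are hypothetical, not Calipso's.
// sessionStub models the behaviour reported in the thread: no session is
// attached when the request URL does not start with "/".
function sessionStub(req, res, next) {
  if (req.url.indexOf('/') !== 0) return next(); // req.session stays undefined
  req.session = { user: null };
  next();
}

// Refuse absolute-form request targets ("GET http://host/ HTTP/1.1").
// This server is not a proxy, so such requests are answered with 400
// before any session-dependent code runs.
function rejectProxyRequests(req, res, next) {
  if (req.url.charAt(0) !== '/') {
    res.statusCode = 400;
    return res.end('Bad Request');
  }
  next();
}

// Defensive accessors: a missing session means "anonymous", never a crash
// and never a fabricated user object.
function currentUser(req) {
  return (req.session && req.session.user) || null;
}
function isAdmin(req) {
  const user = currentUser(req);
  return Boolean(user && user.isAdmin === true);
}

// Run a middleware chain against a constructed mock request/response.
function run(chain, url) {
  const req = { url: url, headers: {} };
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let i = 0;
  (function next() {
    const mw = chain[i++];
    if (mw) mw(req, res, next);
  })();
  return { req: req, res: res };
}

const probe = run([rejectProxyRequests, sessionStub], 'http://www.baidu.com/');
console.log(probe.res.statusCode, isAdmin(probe.req));
```

In a real application the rejecting middleware would be registered ahead of the session middleware, so that permission and theme code only ever sees requests with an origin-form path.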

@sashuk
Author

sashuk commented Jan 19, 2015

Great that you finally figured that out.
