Prevent request auth header. Closes #38
hueniverse committed Sep 11, 2015
1 parent 7bf28a0 commit 7fb1e01
Showing 4 changed files with 122 additions and 25 deletions.
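--- a/API.md
+++ b/API.md
@@ -227,7 +227,7 @@ Sends an endpoint request to the server where:
 - `method` - the requested HTTP method (can also be any method string supported by the
 server). Defaults to `'GET'`.
 - `headers` - an object where each key is a request header and the value the header
-content. Defaults to no headers.
+content. Cannot include an Authorization header. Defaults to no headers.
 - `payload` - the request payload sent to the server.
 
 ### `client.message(message, callback)`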
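--- a/lib/index.js
+++ b/lib/index.js
@@ -20,7 +20,8 @@ var internals = {
 isSecure: true,
 isHttpOnly: true,
 path: '/'
-}
+},
+headers: null
 }
 };
 
@@ -50,7 +51,8 @@ internals.schema = Joi.object({
 ])
 })
 .allow(false)
-.required()
+.required(),
+headers: Joi.array().items(Joi.string()).allow(null)
 });
 
 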
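Review bot: The new `headers` plugin option (`headers: Joi.array().items(Joi.string()).allow(null)` in the schema hunk, defaulting to `headers: null` in the first hunk) gets no API.md entry in this commit; the only documentation change is to the `client.request()` headers text. A one-line entry under the plugin options saying what the array of strings means (presumably a list of header names, but the code that reads the setting is outside this diff, so confirm before wording it) would keep the settings reference complete. Both enclosing object literals begin outside their hunks.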
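--- a/lib/socket.js
+++ b/lib/socket.js
@@ -258,6 +258,12 @@ internals.Socket.prototype._processRequest = function (request) {
 return this._send(Boom.badRequest('Message missing path'), { id: request.id });
 }
 
+if (request.headers &&
+internals.caseInsensitiveKey(request.headers, 'authorization')) {
+
+return this._send(Boom.badRequest('Cannot include an Authorization header'), { id: request.id });
+}
+
 if (path[0] !== '/') { // Route id
 var route = this._listener._connection.lookup(path);
 if (!route) {
@@ -350,6 +356,34 @@ internals.Socket.prototype._processSubscription = function (request) {
 };
 
 
+internals.Socket.prototype._authenticate = function () {
+
+var self = this;
+
+var config = this._listener._settings.auth;
+if (!config) {
+return;
+}
+
+var cookies = this._ws.upgradeReq.headers.cookie;
+if (!cookies) {
+return;
+}
+
+this._listener._connection.states.parse(cookies, function (err, state, failed) {
+
+var auth = state[config.cookie];
+if (auth) {
+self.auth = {
+isAuthenticated: true,
+credentials: auth.credentials,
+artifacts: auth.artifacts
+};
+}
+});
+};
+
+
 internals.parse = function (message, next) {
 
 var obj = null;
@@ -382,29 +416,15 @@ internals.stringify = function (message, next) {
 };
 
 
-internals.Socket.prototype._authenticate = function () {
-
-var self = this;
-
-var config = this._listener._settings.auth;
-if (!config) {
-return;
-}
+internals.caseInsensitiveKey = function (object, key) {
 
-var cookies = this._ws.upgradeReq.headers.cookie;
-if (!cookies) {
-return;
+var keys = Object.keys(object);
+for (var i = 0, il = keys.length; i < il; ++i) {
+var current = keys[i];
+if (key === current.toLowerCase()) {
+return object[current];
+}
 }
 
-this._listener._connection.states.parse(cookies, function (err, state, failed) {
-
-var auth = state[config.cookie];
-if (auth) {
-self.auth = {
-isAuthenticated: true,
-credentials: auth.credentials,
-artifacts: auth.artifacts
-};
-}
-});
+return undefined;
 };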
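Review bot: The Authorization guard added at the top of `_processRequest` (first hunk) tests the helper's return value for truthiness, so a header supplied with an empty-string value (`{ Authorization: '' }`) is not rejected and is still forwarded with the request, even though the intent stated in the error message is to forbid the header's presence. Comparing the result against `undefined` instead closes that gap: `internals.caseInsensitiveKey(request.headers, 'authorization') !== undefined) {`; alternatively `caseInsensitiveKey` (last hunk) could return the matched key rather than its value, if no other caller depends on the value. Whether an empty Authorization header has any effect once forwarded is not visible in this diff, but the check should not rest on that. `_processRequest`'s body begins and ends outside the first hunk, and an empty-value case would be worth adding next to the new test in test/socket.js.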
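--- a/test/socket.js
+++ b/test/socket.js
@@ -690,6 +690,81 @@ describe('Socket', function () {
 });
 });
 
+describe('_processRequest()', function () {
+
+it('passed headers', function (done) {
+
+var server = new Hapi.Server();
+server.connection();
+server.register({ register: Nes, options: { auth: false } }, function (err) {
+
+expect(err).to.not.exist();
+
+server.route({
+method: 'GET',
+path: '/',
+handler: function (request, reply) {
+
+return reply('hello ' + request.headers.a);
+}
+});
+
+server.start(function (err) {
+
+var client = new Nes.Client('http://localhost:' + server.info.port);
+client.connect(function () {
+
+client.request({ path: '/', headers: { a: 'b' } }, function (err, payload, statusCode, headers) {
+
+expect(err).to.not.exist();
+expect(payload).to.equal('hello b');
+expect(statusCode).to.equal(200);
+expect(headers).to.contain({ 'content-type': 'text/html; charset=utf-8' });
+
+client.disconnect();
+server.stop(done);
+});
+});
+});
+});
+});
+
+it('errors on authorization header', function (done) {
+
+var server = new Hapi.Server();
+server.connection();
+server.register({ register: Nes, options: { auth: false } }, function (err) {
+
+expect(err).to.not.exist();
+
+server.route({
+method: 'GET',
+path: '/',
+handler: function (request, reply) {
+
+return reply('hello');
+}
+});
+
+server.start(function (err) {
+
+var client = new Nes.Client('http://localhost:' + server.info.port);
+client.connect(function () {
+
+client.request({ path: '/', headers: { Authorization: 'something' } }, function (err, payload, statusCode, headers) {
+
+expect(err).to.exist();
+expect(err.message).to.equal('Cannot include an Authorization header');
+
+client.disconnect();
+server.stop(done);
+});
+});
+});
+});
+});
+});
+
 describe('_processMessage()', function () {
 
 it('calls onMessage callback', function (done) {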
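Review bot: The 'errors on authorization header' test exercises only the capitalised key `Authorization`, so the case-insensitive matching that the guard relies on (`caseInsensitiveKey` in lib/socket.js) is not itself covered; a second request with `headers: { authorization: 'something' }` expecting the same error would pin that path. The test also asserts only `err.message`; if the client reports the status for rejected requests, asserting it as well would confirm the rejection is the intended 400 rather than some other failure, though what `statusCode` carries on the error path is not visible here. The enclosing `describe('Socket', ...)` starts outside the hunk.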
