
improve repository organization - closes #503 closes #488

1 parent 07af2a3 commit 54918f1d2da0a7eeb7e17f5d1219facffb83cee9 @lloyd lloyd committed Oct 28, 2011
Showing 738 changed files with 907 additions and 1,226 deletions.
@@ -4,4 +4,5 @@
/node_modules
/var
/rpmbuild
+/npm-debug.log
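--- a/browserid/app.js
+++ b/bin/browserid
@@ -1,3 +1,5 @@
+#!/usr/bin/env node
+
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
@@ -37,25 +39,31 @@ const
 fs = require('fs'),
 path = require('path'),
 url = require('url'),
-wsapi = require('./lib/wsapi.js'),
-ca = require('./lib/ca.js'),
-httputils = require('./lib/httputils.js'),
-sessions = require('connect-cookie-session'),
+sessions = require('connect-cookie-session');
+
+// add lib/ to the require path
+require.paths.unshift(path.join(__dirname, '..', 'lib'));
+
+const
+wsapi = require('browserid/wsapi.js'),
+ca = require('browserid/ca.js'),
+httputils = require('httputils.js'),
 express = require('express'),
-secrets = require('../libs/secrets.js'),
-db = require('./lib/db.js'),
-configuration = require('../libs/configuration.js'),
-heartbeat = require('../libs/heartbeat.js'),
-substitution = require('../libs/substitute.js');
-metrics = require("../libs/metrics.js"),
-logger = require("../libs/logging.js").logger;
+secrets = require('secrets.js'),
+db = require('db.js'),
+config = require('configuration.js'),
+heartbeat = require('heartbeat.js'),
+metrics = require("metrics.js"),
+logger = require("logging.js").logger,
+forward = require('browserid/http_forward');
-logger.info("browserid server starting up");
+var app = undefined;
-// open the databse
-db.open(configuration.get('database'));
+app = express.createServer();
-const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', configuration.get('var_path'));
+logger.info("browserid server starting up");
+
+const COOKIE_SECRET = secrets.hydrateSecret('browserid_cookie', config.get('var_path'));
 const COOKIE_KEY = 'browserid_state';
 function internal_redirector(new_url, suppress_noframes) {
@@ -68,10 +76,10 @@ function internal_redirector(new_url, suppress_noframes) {
 }
 function router(app) {
- app.set("views", __dirname + '/views');
+ app.set("views", path.join(__dirname, "..", "resources", "views"));
 app.set('view options', {
- production: configuration.get('use_minified_resources')
+ production: config.get('use_minified_resources')
 });
 // this should probably be an internal redirect
@@ -82,7 +90,7 @@ function router(app) {
 title: 'A Better Way to Sign In',
 layout: 'dialog_layout.ejs',
 useJavascript: true,
- production: configuration.get('use_minified_resources')
+ production: config.get('use_minified_resources')
 });
 });
@@ -99,7 +107,7 @@ function router(app) {
 res.removeHeader('x-frame-options');
 res.render('relay.ejs', {
 layout: false,
- production: configuration.get('use_minified_resources')
+ production: config.get('use_minified_resources')
 });
 });
@@ -192,139 +200,160 @@ function router(app) {
 });
 };
-exports.setup = function(server) {
- // request to logger, dev formatted which omits personal data in the requests
- server.use(express.logger({
- format: 'dev',
- stream: {
- write: function(x) {
- logger.info(typeof x === 'string' ? x.trim() : x);
- }
+// request to logger, dev formatted which omits personal data in the requests
+app.use(express.logger({
+ format: 'dev',
+ stream: {
+ write: function(x) {
+ logger.info(typeof x === 'string' ? x.trim() : x);
 }
- }));
-
- // over SSL?
- var overSSL = (configuration.get('scheme') == 'https');
-
- server.use(express.cookieParser());
-
- var cookieSessionMiddleware = sessions({
- secret: COOKIE_SECRET,
- key: COOKIE_KEY,
- cookie: {
- path: '/wsapi',
- httpOnly: true,
- // IMPORTANT: we allow users to go 1 weeks on the same device
- // without entering their password again
- maxAge: configuration.get('authentication_duration_ms'),
- secure: overSSL
- }
- });
-
- // cookie sessions && cache control
- server.use(function(req, resp, next) {
- // cookie sessions are only applied to calls to /wsapi
- // as all other resources can be aggressively cached
- // by layers higher up based on cache control headers.
- // the fallout is that all code that interacts with sessions
- // should be under /wsapi
- if (/^\/wsapi/.test(req.url)) {
- // explicitly disallow caching on all /wsapi calls (issue #294)
- resp.setHeader('Cache-Control', 'no-cache, max-age=0');
-
- // we set this parameter so the connect-cookie-session
- // sends the cookie even though the local connection is HTTP
- // (the load balancer does SSL)
- if (overSSL)
- req.connection.proxySecure = true;
-
- return cookieSessionMiddleware(req, resp, next);
-
+ }
+}));
+
+// if these are verify requests, we'll redirect them off
+// to the verifier
+if (config.get('verifier_url')) {
+ app.use(function(req, res, next) {
+ if (/^\/verify$/.test(req.url)) {
+ forward(
+ config.get('verifier_url'), req, res,
+ function(err) {
+ if (err) {
+ logger.error("error forwarding request:", err);
+ }
+ });
 } else {
 return next();
 }
 });
+}
- // verify all JSON responses are objects - prevents regression on issue #217
- server.use(function(req, resp, next) {
- var realRespJSON = resp.json;
- resp.json = function(obj) {
- if (!obj || typeof obj !== 'object') {
- logger.error("INTERNAL ERROR! *all* json responses must be objects");
- throw "internal error";
- }
- realRespJSON.call(resp, obj);
- };
+// over SSL?
+var overSSL = (config.get('scheme') == 'https');
+
+app.use(express.cookieParser());
+
+var cookieSessionMiddleware = sessions({
+ secret: COOKIE_SECRET,
+ key: COOKIE_KEY,
+ cookie: {
+ path: '/wsapi',
+ httpOnly: true,
+ // IMPORTANT: we allow users to go 1 weeks on the same device
+ // without entering their password again
+ maxAge: config.get('authentication_duration_ms'),
+ secure: overSSL
+ }
+});
+
+// cookie sessions && cache control
+app.use(function(req, resp, next) {
+ // cookie sessions are only applied to calls to /wsapi
+ // as all other resources can be aggressively cached
+ // by layers higher up based on cache control headers.
+ // the fallout is that all code that interacts with sessions
+ // should be under /wsapi
+ if (/^\/wsapi/.test(req.url)) {
+ // explicitly disallow caching on all /wsapi calls (issue #294)
+ resp.setHeader('Cache-Control', 'no-cache, max-age=0');
+
+ // we set this parameter so the connect-cookie-session
+ // sends the cookie even though the local connection is HTTP
+ // (the load balancer does SSL)
+ if (overSSL)
+ req.connection.proxySecure = true;
+
+ return cookieSessionMiddleware(req, resp, next);
+
+ } else {
 return next();
- });
-
- server.use(express.bodyParser());
-
- // Check CSRF token early. POST requests are only allowed to
- // /wsapi and they always must have a valid csrf token
- server.use(function(req, resp, next) {
- // only on POSTs
- if (req.method == "POST") {
- var denied = false;
- if (!/^\/wsapi/.test(req.url)) { // post requests only allowed to /wsapi
- denied = true;
- logger.warn("CSRF validation failure: POST only allowed to /wsapi urls. not '" + req.url + "'");
- }
-
- if (req.session === undefined) { // there must be a session
- denied = true;
- logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
- }
+ }
+});
- // the session must have a csrf token
- if (typeof req.session.csrf !== 'string') {
- denied = true;
- logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
- }
+config.performSubstitution(app);
- // and the token must match what is sent in the post body
- if (req.body.csrf != req.session.csrf) {
- denied = true;
- // if any of these things are false, then we'll block the request
- logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
- }
+// verify all JSON responses are objects - prevents regression on issue #217
+app.use(function(req, resp, next) {
+ var realRespJSON = resp.json;
+ resp.json = function(obj) {
+ if (!obj || typeof obj !== 'object') {
+ logger.error("INTERNAL ERROR! *all* json responses must be objects");
+ throw "internal error";
+ }
+ realRespJSON.call(resp, obj);
+ };
+ return next();
+});
+
+app.use(express.bodyParser());
+
+// Check CSRF token early. POST requests are only allowed to
+// /wsapi and they always must have a valid csrf token
+app.use(function(req, resp, next) {
+ // only on POSTs
+ if (req.method == "POST") {
+ var denied = false;
+ if (!/^\/wsapi/.test(req.url)) { // post requests only allowed to /wsapi
+ denied = true;
+ logger.warn("CSRF validation failure: POST only allowed to /wsapi urls. not '" + req.url + "'");
+ }
- if (denied) return httputils.badRequest(resp, "CSRF violation");
+ if (req.session === undefined) { // there must be a session
+ denied = true;
+ logger.warn("CSRF validation failure: POST calls to /wsapi require an active session");
+ }
+ // the session must have a csrf token
+ if (typeof req.session.csrf !== 'string') {
+ denied = true;
+ logger.warn("CSRF validation failure: POST calls to /wsapi require an csrf token to be set");
 }
- return next();
- });
- // a tweak to get the content type of host-meta correct
- server.use(function(req, resp, next) {
- if (req.url === '/.well-known/host-meta') {
- resp.setHeader('content-type', 'text/xml');
+ // and the token must match what is sent in the post body
+ if (req.body.csrf != req.session.csrf) {
+ denied = true;
+ // if any of these things are false, then we'll block the request
+ logger.warn("CSRF validation failure, token mismatch. got:" + req.body.csrf + " want:" + req.session.csrf);
 }
- next();
- });
- // Strict Transport Security
- server.use(function(req, resp, next) {
- if (overSSL) {
- // expires in 30 days, include subdomains like www
- resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
- }
- next();
- });
+ if (denied) return httputils.badRequest(resp, "CSRF violation");
- // prevent framing
- server.use(function(req, resp, next) {
- resp.setHeader('x-frame-options', 'DENY');
- next();
- });
+ }
+ return next();
+});
- // add middleware to re-write urls if needed
- configuration.performSubstitution(server);
+// a tweak to get the content type of host-meta correct
+app.use(function(req, resp, next) {
+ if (req.url === '/.well-known/host-meta') {
+ resp.setHeader('content-type', 'text/xml');
+ }
+ next();
+});
+
+// Strict Transport Security
+app.use(function(req, resp, next) {
+ if (overSSL) {
+ // expires in 30 days, include subdomains like www
+ resp.setHeader("Strict-Transport-Security", "max-age=2592000; includeSubdomains");
+ }
+ next();
+});
- // add the actual URL handlers other than static
- router(server);
-}
+// prevent framing
+app.use(function(req, resp, next) {
+ resp.setHeader('x-frame-options', 'DENY');
+ next();
+});
-exports.shutdown = function() {
- db.close();
-};
+// add the actual URL handlers other than static
+router(app);
+
+// use the express 'static' middleware for serving of static files (cache headers, HTTP range, etc)
+app.use(express.static(path.join(__dirname, "..", "resources", "static")));
+
+// open the databse
+db.open(config.get('database'), function () {
+ app.listen(config.get('port'), config.get('hostname'), function() {
+ logger.info("running on http://" + app.address().address + ":" + app.address().port);
+ });
+});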
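Review bot: The new /verify forwarding middleware (the `app.use` inside `if (config.get('verifier_url'))`) is registered before the Strict-Transport-Security and x-frame-options middleware and never calls next() once it forwards, so a forwarded /verify response carries neither header unless http_forward copies them from the verifier; registering the forwarder after those two `app.use` calls, or setting the headers in the forwarding branch, keeps the security headers uniform across the stack. The match `/^\/verify$/.test(req.url)` runs against req.url including any query string, so `/verify?x=1` is not forwarded and falls through to the local stack — if that is unintended, test `url.parse(req.url).pathname === '/verify'` instead (url is already required above). In the forward callback an error is only logged; if http_forward does not end the response itself on error, the client is left hanging, so consider `if (err) { logger.error("error forwarding request:", err); res.statusCode = 502; res.end(); }` — confirm against http_forward's contract.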

