changed authentication controller to use req.parsedUrl.pathname as query strings on req.url were breaking the whitelist

This commit is contained in:
Henry Oswald 2015-04-30 11:57:40 +01:00
parent 635f79d2f6
commit a7640b5bbd
3 changed files with 14 additions and 2 deletions

View file

@ -90,7 +90,7 @@ module.exports = AuthenticationController =
AuthenticationController._globalLoginWhitelist.push endpoint
requireGlobalLogin: (req, res, next) ->
if req.url in AuthenticationController._globalLoginWhitelist
if req._parsedUrl.pathname in AuthenticationController._globalLoginWhitelist
return next()
if req.headers['authorization']?
@ -98,6 +98,7 @@ module.exports = AuthenticationController =
else if req.session.user?
return next()
else
logger.log url:req.url, "user trying to access endpoint not in global whitelist"
return res.redirect "/login"
httpAuth: require('express').basicAuth (user, pass)->

View file

@ -284,12 +284,22 @@ describe "AuthenticationController", ->
describe "with white listed url", ->
beforeEach ->
@AuthenticationController.addEndpointToLoginWhitelist "/login"
@req.url = "/login"
@req._parsedUrl.pathname = "/login"
@AuthenticationController.requireGlobalLogin @req, @res, @next
it "should call next() directly", ->
@next.called.should.equal true
describe "with white listed url and a query string", ->
beforeEach ->
@AuthenticationController.addEndpointToLoginWhitelist "/login"
@req._parsedUrl.pathname = "/login"
@req.url = "/login?query=something"
@AuthenticationController.requireGlobalLogin @req, @res, @next
it "should call next() directly", ->
@next.called.should.equal true
describe "with http auth", ->
beforeEach ->
@req.headers["authorization"] = "Mock Basic Auth"

View file

@ -5,6 +5,7 @@ class MockRequest
params: {}
query: {}
_parsedUrl:{}
i18n:
translate:->