Archived
1
0
This repository has been archived on 2024-09-09. You can view files and clone it, but cannot push or open issues or pull requests.
code-server/src/node/http.ts

172 lines
5.7 KiB
TypeScript
Raw Normal View History

import { field, logger } from "@coder/logger"
2020-10-21 01:05:58 +02:00
import * as express from "express"
import * as expressCore from "express-serve-static-core"
import qs from "qs"
2020-02-04 20:27:46 +01:00
import { HttpCode, HttpError } from "../common/http"
2020-10-21 01:05:58 +02:00
import { normalize, Options } from "../common/util"
import { AuthType, DefaultedArgs } from "./cli"
2020-10-21 01:05:58 +02:00
import { commit, rootPath } from "./constants"
import { Heart } from "./heart"
2021-06-07 23:46:59 +02:00
import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString } from "./util"
2020-02-04 20:27:46 +01:00
declare global {
// eslint-disable-next-line @typescript-eslint/no-namespace
namespace Express {
export interface Request {
args: DefaultedArgs
heart: Heart
}
}
}
2020-02-04 20:27:46 +01:00
/**
2020-10-21 01:05:58 +02:00
* Replace common variable strings in HTML templates.
2020-02-04 20:27:46 +01:00
*/
2020-10-21 01:05:58 +02:00
export const replaceTemplates = <T extends object>(
req: express.Request,
content: string,
extraOpts?: Omit<T, "base" | "csStaticBase" | "logLevel">,
): string => {
const base = relativeRoot(req)
const options: Options = {
base,
csStaticBase: base + "/static/" + commit + rootPath,
logLevel: logger.level,
...extraOpts,
}
return content
.replace(/{{TO}}/g, (typeof req.query.to === "string" && req.query.to) || "/")
.replace(/{{BASE}}/g, options.base)
.replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
.replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)
2020-02-04 20:27:46 +01:00
}
/**
2020-11-03 23:45:03 +01:00
* Throw an error if not authorized. Call `next` if provided.
2020-02-04 20:27:46 +01:00
*/
export const ensureAuthenticated = async (
req: express.Request,
_?: express.Response,
next?: express.NextFunction,
): Promise<void> => {
const isAuthenticated = await authenticated(req)
if (!isAuthenticated) {
2020-10-21 01:05:58 +02:00
throw new HttpError("Unauthorized", HttpCode.Unauthorized)
}
2020-11-03 23:45:03 +01:00
if (next) {
next()
}
2020-02-04 20:27:46 +01:00
}
2020-10-21 01:05:58 +02:00
/**
* Return true if authenticated via cookies.
*/
export const authenticated = async (req: express.Request): Promise<boolean> => {
2020-10-21 01:05:58 +02:00
switch (req.args.auth) {
case AuthType.None: {
2020-10-21 01:05:58 +02:00
return true
}
case AuthType.Password: {
2020-10-21 01:05:58 +02:00
// The password is stored in the cookie after being hashed.
const hashedPasswordFromArgs = req.args["hashed-password"]
const passwordMethod = getPasswordMethod(hashedPasswordFromArgs)
const isCookieValidArgs: IsCookieValidArgs = {
passwordMethod,
2021-06-07 23:46:59 +02:00
cookieKey: sanitizeString(req.cookies.key),
passwordFromArgs: req.args.password || "",
hashedPasswordFromArgs: req.args["hashed-password"],
}
return await isCookieValid(isCookieValidArgs)
}
default: {
2020-10-21 01:05:58 +02:00
throw new Error(`Unsupported auth type ${req.args.auth}`)
}
2020-10-21 01:05:58 +02:00
}
2020-02-04 23:55:27 +01:00
}
2020-10-21 01:05:58 +02:00
/**
* Get the relative path that will get us to the root of the page. For each
* slash we need to go up a directory. For example:
* / => .
* /foo => .
* /foo/ => ./..
* /foo/bar => ./..
* /foo/bar/ => ./../..
*/
export const relativeRoot = (req: express.Request): string => {
const depth = (req.originalUrl.split("?", 1)[0].match(/\//g) || []).length
return normalize("./" + (depth > 1 ? "../".repeat(depth - 1) : ""))
2020-02-14 22:57:51 +01:00
}
2020-10-21 01:05:58 +02:00
/**
* Redirect relatively to `/${to}`. Query variables will be preserved.
* `override` will merge with the existing query (use `undefined` to unset).
*/
export const redirect = (
req: express.Request,
res: express.Response,
to: string,
override: expressCore.Query = {},
): void => {
const query = Object.assign({}, req.query, override)
Object.keys(override).forEach((key) => {
if (typeof override[key] === "undefined") {
delete query[key]
}
})
const relativePath = normalize(`${relativeRoot(req)}/${to}`, true)
const queryString = qs.stringify(query)
const redirectPath = `${relativePath}${queryString ? `?${queryString}` : ""}`
logger.debug(`redirecting from ${req.originalUrl} to ${redirectPath}`)
res.redirect(redirectPath)
}
2020-02-04 20:27:46 +01:00
/**
2020-10-21 01:05:58 +02:00
* Get the value that should be used for setting a cookie domain. This will
* allow the user to authenticate once no matter what sub-domain they use to log
* in. This will use the highest level proxy domain (e.g. `coder.com` over
* `test.coder.com` if both are specified).
2020-02-04 20:27:46 +01:00
*/
2020-10-21 01:05:58 +02:00
export const getCookieDomain = (host: string, proxyDomains: string[]): string | undefined => {
const idx = host.lastIndexOf(":")
host = idx !== -1 ? host.substring(0, idx) : host
// If any of these are true we will still set cookies but without an explicit
// `Domain` attribute on the cookie.
2020-10-21 01:05:58 +02:00
if (
// The host can be be blank or missing so there's nothing we can set.
2020-10-21 01:05:58 +02:00
!host ||
// IP addresses can't have subdomains so there's no value in setting the
// domain for them. Assume that anything with a : is ipv6 (valid domain name
// characters are alphanumeric or dashes)...
2020-10-21 01:05:58 +02:00
host.includes(":") ||
// ...and that anything entirely numbers and dots is ipv4 (currently tlds
2020-10-21 01:05:58 +02:00
// cannot be entirely numbers).
!/[^0-9.]/.test(host) ||
// localhost subdomains don't seem to work at all (browser bug?). A cookie
// set at dev.localhost cannot be read by 8080.dev.localhost.
2020-10-21 01:05:58 +02:00
host.endsWith(".localhost") ||
// Domains without at least one dot (technically two since domain.tld will
// become .domain.tld) are considered invalid according to the spec so don't
// set the domain for them. In my testing though localhost is the only
// problem (the browser just doesn't store the cookie at all). localhost has
// an additional problem which is that a reverse proxy might give
// code-server localhost even though the domain is really domain.tld (by
// default NGINX does this).
!host.includes(".")
2020-10-21 01:05:58 +02:00
) {
logger.debug("no valid cookie doman", field("host", host))
return undefined
}
proxyDomains.forEach((domain) => {
if (host.endsWith(domain) && domain.length < host.length) {
host = domain
}
})
logger.debug("got cookie doman", field("host", host))
2020-11-03 23:44:08 +01:00
return host || undefined
2020-10-21 01:05:58 +02:00
}