From 981c319810636bef20473f6269d83d8b308cbd9c Mon Sep 17 00:00:00 2001
From: Chi Vinh Le
Date: Mon, 25 Sep 2017 21:34:35 +0700
Subject: [PATCH 1/4] Clean dependencies
---
client/coral-admin/src/actions/community.js | 5 +-
package.json | 9 +-
yarn.lock | 94 +++++----------------
3 files changed, 25 insertions(+), 83 deletions(-)
diff --git a/client/coral-admin/src/actions/community.js b/client/coral-admin/src/actions/community.js
index 890d834b4..921f0a0a2 100644
--- a/client/coral-admin/src/actions/community.js
+++ b/client/coral-admin/src/actions/community.js
@@ -1,4 +1,4 @@
-import qs from 'qs';
+import queryString from 'query-string';
import {
FETCH_COMMENTERS_REQUEST,
@@ -17,9 +17,8 @@ import {
import t from 'coral-framework/services/i18n';
export const fetchAccounts = (query = {}) => (dispatch, _, {rest}) => {
-
dispatch(requestFetchAccounts());
- rest(`/users?${qs.stringify(query)}`)
+ rest(`/users?${queryString.stringify(query)}`)
.then(({result, page, count, limit, totalPages}) =>{
dispatch({
type: FETCH_COMMENTERS_SUCCESS,
diff --git a/package.json b/package.json
index 115d94c12..702a351cd 100644
--- a/package.json
+++ b/package.json
@@ -103,6 +103,7 @@
"fs-extra": "^4.0.1",
"gql-merge": "^0.0.4",
"graphql": "^0.9.1",
+ "graphql-anywhere": "^3.1.0",
"graphql-docs": "^0.2.0",
"graphql-errors": "^2.1.0",
"graphql-redis-subscriptions": "^1.3.0",
@@ -144,12 +145,11 @@
"passport-local": "^1.0.0",
"pluralize": "^7.0.0",
"postcss-loader": "^1.3.3",
- "postcss-modules": "^0.5.2",
"postcss-smart-import": "^0.5.1",
"precss": "^1.4.0",
"prop-types": "^15.5.10",
"pym.js": "^1.1.1",
- "query-strings": "^0.0.1",
+ "query-string": "^5.0.0",
"react": "^15.4.2",
"react-apollo": "^1.4.12",
"react-dom": "^15.4.2",
@@ -180,7 +180,6 @@
"url-search-params": "^0.9.0",
"uuid": "^3.1.0",
"webpack": "^2.3.1",
- "webpack-sources": "^1.0.1",
"yaml-loader": "^0.4.0",
"yamljs": "^0.2.10"
},
@@ -190,7 +189,6 @@
"chai-http": "^3.0.0",
"enzyme": "^2.9.1",
"eslint": "^4.5.0",
- "eslint-module-utils": "^2.1.1",
"eslint-plugin-json": "^1.2.0",
"eslint-plugin-mocha": "^4.11.0",
"eslint-plugin-promise": "^3.3.1",
@@ -200,8 +198,7 @@
"nodemon": "^1.11.0",
"pre-git": "^3.15.3",
"sinon": "^3.2.1",
- "sinon-chai": "^2.13.0",
- "supertest": "^2.0.1"
+ "sinon-chai": "^2.13.0"
},
"engines": {
"node": "^8"
diff --git a/yarn.lock b/yarn.lock
index 5451ae7bd..6baec97cb 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1344,10 +1344,6 @@ check-more-types@2.3.0:
version "2.3.0"
resolved "https://registry.yarnpkg.com/check-more-types/-/check-more-types-2.3.0.tgz#b8397c69dc92a3e645f18932c045b09c74419ec4"
-check-valid-url@0.0.2:
- version "0.0.2"
- resolved "https://registry.yarnpkg.com/check-valid-url/-/check-valid-url-0.0.2.tgz#938fc545fc90b71edf800f7345bfd36f3aa0a057"
-
cheerio@^0.20.0:
version "0.20.0"
resolved "https://registry.yarnpkg.com/cheerio/-/cheerio-0.20.0.tgz#5c710f2bab95653272842ba01c6ea61b3545ec35"
@@ -1874,17 +1870,6 @@ css-loader@^0.28.5:
postcss-value-parser "^3.3.0"
source-list-map "^2.0.0"
-css-modules-loader-core@^1.0.1:
- version "1.0.1"
- resolved "https://registry.yarnpkg.com/css-modules-loader-core/-/css-modules-loader-core-1.0.1.tgz#94e3eec9bc8174df0f974641f3e0d0550497f694"
- dependencies:
- icss-replace-symbols "1.0.2"
- postcss "5.1.2"
- postcss-modules-extract-imports "1.0.0"
- postcss-modules-local-by-default "1.1.1"
- postcss-modules-scope "1.0.2"
- postcss-modules-values "1.2.2"
-
css-parse@1.7.x:
version "1.7.0"
resolved "https://registry.yarnpkg.com/css-parse/-/css-parse-1.7.0.tgz#321f6cf73782a6ff751111390fc05e2c657d8c9b"
@@ -2057,6 +2042,10 @@ decamelize@^1.0.0, decamelize@^1.1.1, decamelize@^1.1.2:
version "1.2.0"
resolved "https://registry.yarnpkg.com/decamelize/-/decamelize-1.2.0.tgz#f6534d15148269b20352e7bee26f501f9a191290"
+decode-uri-component@^0.2.0:
+ version "0.2.0"
+ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
+
deep-eql@^0.1.3:
version "0.1.3"
resolved "https://registry.yarnpkg.com/deep-eql/-/deep-eql-0.1.3.tgz#ef558acab8de25206cd713906d74e56930eb69f2"
@@ -2406,13 +2395,6 @@ escodegen@^1.6.1:
optionalDependencies:
source-map "~0.2.0"
-eslint-module-utils@^2.1.1:
- version "2.1.1"
- resolved "https://registry.yarnpkg.com/eslint-module-utils/-/eslint-module-utils-2.1.1.tgz#abaec824177613b8a95b299639e1b6facf473449"
- dependencies:
- debug "^2.6.8"
- pkg-dir "^1.0.0"
-
eslint-plugin-json@^1.2.0:
version "1.2.0"
resolved "https://registry.yarnpkg.com/eslint-plugin-json/-/eslint-plugin-json-1.2.0.tgz#9ba73bb0be99d50093e889f5b968463d2a30efae"
@@ -2973,12 +2955,6 @@ gauge@~2.7.1:
strip-ansi "^3.0.1"
wide-align "^1.1.0"
-generic-names@^1.0.1:
- version "1.0.2"
- resolved "https://registry.yarnpkg.com/generic-names/-/generic-names-1.0.2.tgz#e25b7feceb5b5a8f28f5f972a7ccfe57e562adcd"
- dependencies:
- loader-utils "^0.2.16"
-
get-caller-file@^1.0.1:
version "1.0.2"
resolved "https://registry.yarnpkg.com/get-caller-file/-/get-caller-file-1.0.2.tgz#f702e63127e7e231c160a80c1554acb70d5047e5"
@@ -3200,6 +3176,10 @@ graphql-anywhere@^3.0.0, graphql-anywhere@^3.0.1:
version "3.0.1"
resolved "https://registry.yarnpkg.com/graphql-anywhere/-/graphql-anywhere-3.0.1.tgz#73531db861174c8f212eafb9f8e84944b38b4e5a"
+graphql-anywhere@^3.1.0:
+ version "3.1.0"
+ resolved "https://registry.yarnpkg.com/graphql-anywhere/-/graphql-anywhere-3.1.0.tgz#3ea0d8e8646b5cee68035016a9a7557c15c21e96"
+
graphql-docs@^0.2.0:
version "0.2.0"
resolved "https://registry.yarnpkg.com/graphql-docs/-/graphql-docs-0.2.0.tgz#cf803f9c9d354fa03e89073d74e419261a5bfa74"
@@ -3526,7 +3506,7 @@ iconv-lite@^0.4.17, iconv-lite@~0.4.13:
version "0.4.18"
resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.18.tgz#23d8656b16aae6742ac29732ea8f0336a4789cf2"
-icss-replace-symbols@1.0.2, icss-replace-symbols@^1.0.2:
+icss-replace-symbols@^1.0.2:
version "1.0.2"
resolved "https://registry.yarnpkg.com/icss-replace-symbols/-/icss-replace-symbols-1.0.2.tgz#cb0b6054eb3af6edc9ab1d62d01933e2d4c8bfa5"
@@ -4761,7 +4741,7 @@ metascraper@^1.0.7:
popsicle "^6.2.0"
to-title-case "^1.0.0"
-methods@1.x, methods@^1.1.1, methods@^1.1.2, methods@~1.1.2:
+methods@^1.1.1, methods@^1.1.2, methods@~1.1.2:
version "1.1.2"
resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
@@ -5542,12 +5522,6 @@ pinkie@^2.0.0:
version "2.0.4"
resolved "https://registry.yarnpkg.com/pinkie/-/pinkie-2.0.4.tgz#72556b80cfa0d48a974e80e77248e80ed4f7f870"
-pkg-dir@^1.0.0:
- version "1.0.0"
- resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-1.0.0.tgz#7a4b508a8d5bb2d629d447056ff4e9c9314cf3d4"
- dependencies:
- find-up "^1.0.0"
-
pkg-dir@^2.0.0:
version "2.0.0"
resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-2.0.0.tgz#f6d5d1109e19d63edf428e0bd57e12777615334b"
@@ -5803,48 +5777,33 @@ postcss-mixins@^2.1.0:
postcss "^5.0.10"
postcss-simple-vars "^1.0.1"
-postcss-modules-extract-imports@1.0.0:
- version "1.0.0"
- resolved "https://registry.yarnpkg.com/postcss-modules-extract-imports/-/postcss-modules-extract-imports-1.0.0.tgz#5b07f368e350cda6fd5c8844b79123a7bd3e37be"
- dependencies:
- postcss "^5.0.4"
-
postcss-modules-extract-imports@^1.0.0:
version "1.0.1"
resolved "https://registry.yarnpkg.com/postcss-modules-extract-imports/-/postcss-modules-extract-imports-1.0.1.tgz#8fb3fef9a6dd0420d3f6d4353cf1ff73f2b2a341"
dependencies:
postcss "^5.0.4"
-postcss-modules-local-by-default@1.1.1, postcss-modules-local-by-default@^1.0.1:
+postcss-modules-local-by-default@^1.0.1:
version "1.1.1"
resolved "https://registry.yarnpkg.com/postcss-modules-local-by-default/-/postcss-modules-local-by-default-1.1.1.tgz#29a10673fa37d19251265ca2ba3150d9040eb4ce"
dependencies:
css-selector-tokenizer "^0.6.0"
postcss "^5.0.4"
-postcss-modules-scope@1.0.2, postcss-modules-scope@^1.0.0:
+postcss-modules-scope@^1.0.0:
version "1.0.2"
resolved "https://registry.yarnpkg.com/postcss-modules-scope/-/postcss-modules-scope-1.0.2.tgz#ff977395e5e06202d7362290b88b1e8cd049de29"
dependencies:
css-selector-tokenizer "^0.6.0"
postcss "^5.0.4"
-postcss-modules-values@1.2.2, postcss-modules-values@^1.1.0:
+postcss-modules-values@^1.1.0:
version "1.2.2"
resolved "https://registry.yarnpkg.com/postcss-modules-values/-/postcss-modules-values-1.2.2.tgz#f0e7d476fe1ed88c5e4c7f97533a3e772ad94ca1"
dependencies:
icss-replace-symbols "^1.0.2"
postcss "^5.0.14"
-postcss-modules@^0.5.2:
- version "0.5.2"
- resolved "https://registry.yarnpkg.com/postcss-modules/-/postcss-modules-0.5.2.tgz#9d682fed3f282bd64b2aa4feb6f22a2af435ffda"
- dependencies:
- css-modules-loader-core "^1.0.1"
- generic-names "^1.0.1"
- postcss "^5.1.2"
- string-hash "^1.1.0"
-
postcss-nested@^1.0.0:
version "1.0.1"
resolved "https://registry.yarnpkg.com/postcss-nested/-/postcss-nested-1.0.1.tgz#91f28f4e6e23d567241ac154558a0cfab4cc0d8f"
@@ -5995,15 +5954,7 @@ postcss-zindex@^2.0.1:
postcss "^5.0.4"
uniqs "^2.0.0"
-postcss@5.1.2:
- version "5.1.2"
- resolved "https://registry.yarnpkg.com/postcss/-/postcss-5.1.2.tgz#bd84886a66bcad489afaf7c673eed5ef639551e2"
- dependencies:
- js-base64 "^2.1.9"
- source-map "^0.5.6"
- supports-color "^3.1.2"
-
-postcss@^5.0.0, postcss@^5.0.10, postcss@^5.0.11, postcss@^5.0.12, postcss@^5.0.13, postcss@^5.0.14, postcss@^5.0.16, postcss@^5.0.19, postcss@^5.0.2, postcss@^5.0.4, postcss@^5.0.5, postcss@^5.0.6, postcss@^5.0.8, postcss@^5.1.2, postcss@^5.2.13, postcss@^5.2.15, postcss@^5.2.16, postcss@^5.2.17, postcss@^5.2.4, postcss@^5.2.5:
+postcss@^5.0.0, postcss@^5.0.10, postcss@^5.0.11, postcss@^5.0.12, postcss@^5.0.13, postcss@^5.0.14, postcss@^5.0.16, postcss@^5.0.19, postcss@^5.0.2, postcss@^5.0.4, postcss@^5.0.5, postcss@^5.0.6, postcss@^5.0.8, postcss@^5.2.13, postcss@^5.2.15, postcss@^5.2.16, postcss@^5.2.17, postcss@^5.2.4, postcss@^5.2.5:
version "5.2.17"
resolved "https://registry.yarnpkg.com/postcss/-/postcss-5.2.17.tgz#cf4f597b864d65c8a492b2eabe9d706c879c388b"
dependencies:
@@ -6274,11 +6225,13 @@ query-string@^4.1.0, query-string@^4.2.2:
object-assign "^4.1.0"
strict-uri-encode "^1.0.0"
-query-strings@^0.0.1:
- version "0.0.1"
- resolved "https://registry.yarnpkg.com/query-strings/-/query-strings-0.0.1.tgz#d22bab97c9d39e2267b3b8e5f78592424b3e58cd"
+query-string@^5.0.0:
+ version "5.0.0"
+ resolved "https://registry.yarnpkg.com/query-string/-/query-string-5.0.0.tgz#fbdf7004b4d2aff792f9871981b7a2794f555947"
dependencies:
- check-valid-url "0.0.2"
+ decode-uri-component "^0.2.0"
+ object-assign "^4.1.0"
+ strict-uri-encode "^1.0.0"
querystring-es3@^0.2.0:
version "0.2.1"
@@ -7280,13 +7233,6 @@ superagent@^2.0.0:
qs "^6.1.0"
readable-stream "^2.0.5"
-supertest@^2.0.1:
- version "2.0.1"
- resolved "https://registry.yarnpkg.com/supertest/-/supertest-2.0.1.tgz#a058081d788f1515d4700d7502881e6b759e44cd"
- dependencies:
- methods "1.x"
- superagent "^2.0.0"
-
supports-color@3.1.2, supports-color@^3.1.0:
version "3.1.2"
resolved "https://registry.yarnpkg.com/supports-color/-/supports-color-3.1.2.tgz#72a262894d9d408b956ca05ff37b2ed8a6e2a2d5"
From 825e1b5e5c57802c2939e496b3ac7240826841af Mon Sep 17 00:00:00 2001
From: Wyatt Johnson
Date: Mon, 25 Sep 2017 14:50:33 -0600
Subject: [PATCH 2/4] Fixes to password reset flow
---
routes/api/account/index.js | 24 ++++------
services/domainlist.js | 53 +++++++++++-----------
services/users.js | 42 ++++++-----------
test/server/services/domainlist.js | 73 +++++++++++++++++++++++++++++-
4 files changed, 123 insertions(+), 69 deletions(-)
diff --git a/routes/api/account/index.js b/routes/api/account/index.js
index 99cb9a468..85558d33c 100644
--- a/routes/api/account/index.js
+++ b/routes/api/account/index.js
@@ -50,22 +50,18 @@ router.post('/password/reset', async (req, res, next) => {
try {
let token = await UsersService.createPasswordResetToken(email, loc);
- if (!token) {
- res.status(204).end();
- return;
+ if (token) {
+ await mailer.sendSimple({
+ template: 'password-reset',
+ locals: {
+ token,
+ rootURL: ROOT_URL
+ },
+ subject: 'Password Reset',
+ to: email
+ });
}
- // Send the password reset email.
- await mailer.sendSimple({
- template: 'password-reset', // needed to know which template to render!
- locals: { // specifies the template locals.
- token,
- rootURL: ROOT_URL
- },
- subject: 'Password Reset',
- to: email
- });
-
res.status(204).end();
} catch (e) {
return next(e);
diff --git a/services/domainlist.js b/services/domainlist.js
index 29673e2b6..a75d62dca 100644
--- a/services/domainlist.js
+++ b/services/domainlist.js
@@ -2,6 +2,8 @@ const debug = require('debug')('talk:services:domainlist');
const _ = require('lodash');
const SettingsService = require('./settings');
+const {ROOT_URL} = require('../config');
+
/**
* The root domainlist object.
* @type {Object}
@@ -17,31 +19,24 @@ class Domainlist {
/**
* Loads domains white list in from the database
*/
- load() {
- return SettingsService
- .retrieve()
- .then((settings) => {
-
- // Insert the settings domains whitelist.
- this.upsert(settings.domains);
- });
+ async load() {
+ const {domains} = await SettingsService.retrieve();
+ this.upsert(domains);
}
/**
* Inserts the domains whitelist data
* @param {Array} list list of domains to be set to the whitelist
*/
- upsert(lists) {
+ async upsert(lists) {
// Add the domains to this array and also be sure are all unique domains
if (!('whitelist' in lists)) {
return;
}
- this.lists['whitelist'] = Domainlist.parseList(lists['whitelist']);
- debug(`Added ${lists['whitelist'].length} domains to the whitelist.`);
-
- return Promise.resolve(this);
+ this.lists.whitelist = Domainlist.parseList(lists.whitelist);
+ debug(`Added ${lists.whitelist.length} domains to the whitelist.`);
}
/**
@@ -51,19 +46,22 @@ class Domainlist {
*/
match(list, url) {
+ // Parse the url that we're matching with.
const domainToMatch = Domainlist.parseURL(url);
// This will return true in the event that at least one blockword is found
// in the phrase.
- for (let i = 0; i < list.length; i++) {
- if (list[i] === domainToMatch) {
- return true;
- }
- }
+ return list.indexOf(domainToMatch) >= 0;
+ }
- // We've walked over all the whitelisted domains, and haven't had a
- // mismatch... It is not an allowed domain!
- return false;
+ /**
+ * Checks to see if the passed url matches the domain of the root path.
+ *
+ * @param {String} url
+ * @returns {Boolean} true if the domains match
+ */
+ static matchMount(url) {
+ return Domainlist.parseURL(url) === Domainlist.parseURL(ROOT_URL);
}
/**
@@ -84,7 +82,7 @@ class Domainlist {
let domain;
// removes protocol and get domain
- if (url.indexOf('://') > -1) {
+ if (url.indexOf('//') > -1) {
domain = url.split('/')[2];
} else {
domain = url.split('/')[0];
@@ -96,13 +94,14 @@ class Domainlist {
return domain.toLowerCase();
}
- static urlCheck(url) {
+ static async urlCheck(url) {
const dl = new Domainlist();
- return dl.load()
- .then(() => {
- return dl.match(dl.lists['whitelist'], url);
- });
+ // Load the domain list.
+ await dl.load();
+
+ // Perform a match.
+ return dl.match(dl.lists.whitelist, url);
}
}
diff --git a/services/users.js b/services/users.js
index 35810ef7f..faea67d75 100644
--- a/services/users.js
+++ b/services/users.js
@@ -1,8 +1,6 @@
const assert = require('assert');
const uuid = require('uuid');
const bcrypt = require('bcryptjs');
-const url = require('url');
-const Wordlist = require('./wordlist');
const errors = require('../errors');
const {
@@ -22,9 +20,10 @@ const USER_ROLES = require('../models/enum/user_roles');
const RECAPTCHA_WINDOW_SECONDS = 60 * 10; // 10 minutes.
const RECAPTCHA_INCORRECT_TRIGGER = 5; // after 3 incorrect attempts, recaptcha will be required.
-const SettingsService = require('./settings');
const ActionsService = require('./actions');
const MailerService = require('./mailer');
+const Wordlist = require('./wordlist');
+const Domainlist = require('./domainlist');
const EMAIL_CONFIRM_JWT_SUBJECT = 'email_confirm';
const PASSWORD_RESET_JWT_SUBJECT = 'password_reset';
@@ -557,11 +556,10 @@ module.exports = class UsersService {
email = email.toLowerCase();
- const [user, settings] = await Promise.all([
+ const [user, domainValidated] = await Promise.all([
UserModel.findOne({profiles: {$elemMatch: {id: email}}}),
- SettingsService.retrieve(),
+ Domainlist.urlCheck(loc),
]);
-
if (!user) {
// Since we don't want to reveal that the email does/doesn't exist
@@ -569,19 +567,11 @@ module.exports = class UsersService {
// endpoint.
return;
}
- let redirectDomain;
- try {
- const {hostname, port} = url.parse(loc);
- redirectDomain = hostname;
- if (port) {
- redirectDomain += `:${port}`;
- }
- } catch (e) {
- throw new Error('redirect location is invalid');
- }
- if (settings.domains.whitelist.indexOf(redirectDomain) === -1) {
- throw new Error('redirect location is not on the list of acceptable domains');
+ // If the domain didn't match any of the whitelisted domains and if it
+ // didn't match the mount domain, then throw an error.
+ if (!domainValidated && !Domainlist.matchMount(loc)) {
+ throw new Error('user supplied location exists on non-permitted domain');
}
const payload = {
@@ -619,16 +609,14 @@ module.exports = class UsersService {
* Verifies a jwt and returns the associated user.
* @param {String} token the JSON Web Token to verify
*/
- static verifyPasswordResetToken(token) {
- return UsersService
- .verifyToken(token, {
- subject: PASSWORD_RESET_JWT_SUBJECT
- })
+ static async verifyPasswordResetToken(token) {
+ const {userId, loc} = await UsersService.verifyToken(token, {
+ subject: PASSWORD_RESET_JWT_SUBJECT
+ });
- // TODO: add search by __v as well
- .then((decoded) => {
- return Promise.all([UsersService.findById(decoded.userId), decoded.loc]);
- });
+ const user = await UsersService.findById(userId);
+
+ return [user, loc];
}
/**
diff --git a/test/server/services/domainlist.js b/test/server/services/domainlist.js
index 9dafa438a..33afdda87 100644
--- a/test/server/services/domainlist.js
+++ b/test/server/services/domainlist.js
@@ -26,13 +26,84 @@ describe('services.Domainlist', () => {
});
+ describe('#parseURL', () => {
+ it('parses the domain correctly', () => {
+ [
+ ['http://google.ca/test', 'google.ca'],
+ ['http://google.ca:80/test', 'google.ca'],
+ ['https://google.ca/test', 'google.ca'],
+ ['https://google.ca:443/test', 'google.ca'],
+ ['//google.ca/test', 'google.ca'],
+ ['//google.ca:80/test', 'google.ca'],
+ ['//google.ca:443/test', 'google.ca'],
+ ['google.ca/test', 'google.ca'],
+ ['google.ca:80/test', 'google.ca'],
+ ['google.ca:443/test', 'google.ca'],
+ ['http://google.ca/', 'google.ca'],
+ ['http://google.ca:80/', 'google.ca'],
+ ['https://google.ca/', 'google.ca'],
+ ['https://google.ca:443/', 'google.ca'],
+ ['//google.ca/', 'google.ca'],
+ ['//google.ca:80/', 'google.ca'],
+ ['//google.ca:443/', 'google.ca'],
+ ['google.ca/', 'google.ca'],
+ ['google.ca:80/', 'google.ca'],
+ ['google.ca:443/', 'google.ca'],
+ ['google.ca', 'google.ca'],
+ ['http://google.ca', 'google.ca'],
+ ['http://google.ca:80', 'google.ca'],
+ ['https://google.ca', 'google.ca'],
+ ['https://google.ca:443', 'google.ca'],
+ ['//google.ca', 'google.ca'],
+ ['//google.ca:80', 'google.ca'],
+ ['//google.ca:443', 'google.ca'],
+ ['google.ca', 'google.ca'],
+ ['google.ca:80', 'google.ca'],
+ ['google.ca:443', 'google.ca'],
+ ['http://google.Ca/test', 'google.ca'],
+ ['http://google.ca:80/test', 'google.ca'],
+ ['https://google.Ca/test', 'google.ca'],
+ ['https://google.ca:443/test', 'google.ca'],
+ ['//google.Ca/test', 'google.ca'],
+ ['//google.Ca:80/test', 'google.ca'],
+ ['//google.Ca:443/test', 'google.ca'],
+ ['google.Ca/test', 'google.ca'],
+ ['google.ca:80/test', 'google.ca'],
+ ['google.ca:443/test', 'google.ca'],
+ ['http://Google.ca/', 'google.ca'],
+ ['http://google.Ca:80/', 'google.ca'],
+ ['https://Google.ca/', 'google.ca'],
+ ['https://google.Ca:443/', 'google.ca'],
+ ['//Google.ca/', 'google.ca'],
+ ['//google.Ca:80/', 'google.ca'],
+ ['//google.Ca:443/', 'google.ca'],
+ ['Google.ca/', 'google.ca'],
+ ['google.Ca:80/', 'google.ca'],
+ ['google.Ca:443/', 'google.ca'],
+ ['Google.ca', 'google.ca'],
+ ['http://Google.ca', 'google.ca'],
+ ['http://google.Ca:80', 'google.ca'],
+ ['https://Google.ca', 'google.ca'],
+ ['https://google.Ca:443', 'google.ca'],
+ ['//Google.ca', 'google.ca'],
+ ['//google.Ca:80', 'google.ca'],
+ ['//google.Ca:443', 'google.ca'],
+ ['Google.ca', 'google.ca'],
+ ['google.Ca:80', 'google.ca'],
+ ['google.Ca:443', 'google.ca'],
+ ].forEach(([domain, hostname]) => {
+ expect(Domainlist.parseURL(domain), `domain ${domain} should be parsed as ${hostname}`).to.equal(hostname);
+ });
+ });
+ });
+
describe('#match', () => {
const whiteList = Domainlist.parseList(domainlists['whitelist']);
it('does match on an included domain', () => {
[
- 'wapo.com',
+ 'http://wapo.com',
'nytimes.com'
].forEach((domain) => {
expect(domainlist.match(whiteList, domain)).to.be.true;
From 203d3c7ee961763df004e161e6b61cb2b87a19e7 Mon Sep 17 00:00:00 2001
From: Wyatt Johnson
Date: Mon, 25 Sep 2017 16:12:40 -0600
Subject: [PATCH 3/4] bug fixes
---
app.js | 18 +++--------
routes/api/account/index.js | 17 +++++------
services/email/email-confirm.html.ejs | 2 +-
services/email/email-confirm.txt.ejs | 2 +-
services/email/password-reset.html.ejs | 2 +-
services/email/password-reset.txt.ejs | 2 +-
services/locals.js | 20 ++++++++++++
services/mailer.js | 4 +++
services/users.js | 6 +++-
views/admin/password-reset.ejs | 42 ++++++++++++++++++++------
10 files changed, 77 insertions(+), 38 deletions(-)
create mode 100644 services/locals.js
diff --git a/app.js b/app.js
index 9da2041fc..2989ae00a 100644
--- a/app.js
+++ b/app.js
@@ -6,13 +6,9 @@ const merge = require('lodash/merge');
const helmet = require('helmet');
const compression = require('compression');
const cookieParser = require('cookie-parser');
-const {
- BASE_URL,
- BASE_PATH,
- MOUNT_PATH,
- STATIC_URL,
- HELMET_CONFIGURATION,
-} = require('./url');
+const {HELMET_CONFIGURATION} = require('./config');
+const {MOUNT_PATH} = require('./url');
+const {applyLocals} = require('./services/locals');
const routes = require('./routes');
const debug = require('debug')('talk:app');
@@ -57,12 +53,8 @@ app.set('view engine', 'ejs');
// ROUTES
//==============================================================================
-// Apply the BASE_PATH, BASE_URL, and MOUNT_PATH on the app.locals, which will
-// make them available on the templates and the routers.
-app.locals.BASE_URL = BASE_URL;
-app.locals.BASE_PATH = BASE_PATH;
-app.locals.MOUNT_PATH = MOUNT_PATH;
-app.locals.STATIC_URL = STATIC_URL;
+// Add the locals to the app renderer.
+applyLocals(app.locals);
debug(`mounting routes on the ${MOUNT_PATH} path`);
diff --git a/routes/api/account/index.js b/routes/api/account/index.js
index 85558d33c..c35f709cb 100644
--- a/routes/api/account/index.js
+++ b/routes/api/account/index.js
@@ -4,9 +4,6 @@ const UsersService = require('../../../services/users');
const mailer = require('../../../services/mailer');
const authorization = require('../../../middleware/authorization');
const errors = require('../../../errors');
-const {
- ROOT_URL
-} = require('../../../config');
//==============================================================================
// ROUTES
@@ -55,7 +52,6 @@ router.post('/password/reset', async (req, res, next) => {
template: 'password-reset',
locals: {
token,
- rootURL: ROOT_URL
},
subject: 'Password Reset',
to: email
@@ -74,22 +70,23 @@ router.post('/password/reset', async (req, res, next) => {
* 2) the new password {String}
*/
router.put('/password/reset', async (req, res, next) => {
-
- const {
- token,
- password
- } = req.body;
+ const {check} = req.query;
+ const {token, password} = req.body;
if (!token) {
return next(errors.ErrMissingToken);
}
- if (!password || password.length < 8) {
+ if (check !== 'true' && (!password || password.length < 8)) {
return next(errors.ErrPasswordTooShort);
}
try {
let [user, loc] = await UsersService.verifyPasswordResetToken(token);
+ if (check === 'true') {
+ res.status(204).end();
+ return;
+ }
// Change the users' password.
await UsersService.changePassword(user.id, password);
diff --git a/services/email/email-confirm.html.ejs b/services/email/email-confirm.html.ejs
index 08a505521..8a1bd05f7 100644
--- a/services/email/email-confirm.html.ejs
+++ b/services/email/email-confirm.html.ejs
@@ -1,3 +1,3 @@
<%= t('email.confirm.has_been_requested') %> <%= email %>.
-<%= t('email.confirm.to_confirm') %> Confirm Email
+<%= t('email.confirm.to_confirm') %> Confirm Email
<%= t('email.confirm.if_you_did_not') %>
diff --git a/services/email/email-confirm.txt.ejs b/services/email/email-confirm.txt.ejs
index 6d3cb219c..d327220a7 100644
--- a/services/email/email-confirm.txt.ejs
+++ b/services/email/email-confirm.txt.ejs
@@ -4,6 +4,6 @@
<%= t('email.confirm.to_confirm') %>
- <%= rootURL %>/confirm/endpoint#<%= token %>
+ <%= BASE_URL %>confirm/endpoint#<%= token %>
<%= t('email.confirm.if_you_did_not') %>
diff --git a/services/email/password-reset.html.ejs b/services/email/password-reset.html.ejs
index 258f0d079..c0ec4ea46 100644
--- a/services/email/password-reset.html.ejs
+++ b/services/email/password-reset.html.ejs
@@ -1,2 +1,2 @@
<%= t('email.password_reset.we_received_a_request') %>
-<%= t('email.password_reset.if_you_did') %> <%= t('email.password_reset.please_click') %>.
+<%= t('email.password_reset.if_you_did') %> <%= t('email.password_reset.please_click') %>.
diff --git a/services/email/password-reset.txt.ejs b/services/email/password-reset.txt.ejs
index a8387925d..e8db4bab2 100644
--- a/services/email/password-reset.txt.ejs
+++ b/services/email/password-reset.txt.ejs
@@ -1,3 +1,3 @@
<%= t('email.password_reset.we_received_a_request') %>. <%= t('email.password_reset.if_you_did') %> <%= t('email.password_reset.please_click') %>:
-<%= rootURL %>/admin/password-reset#<%= token %>
+<%= BASE_URL %>admin/password-reset#<%= token %>
diff --git a/services/locals.js b/services/locals.js
new file mode 100644
index 000000000..9a6a6bec8
--- /dev/null
+++ b/services/locals.js
@@ -0,0 +1,20 @@
+const {
+ BASE_URL,
+ BASE_PATH,
+ MOUNT_PATH,
+ STATIC_URL,
+} = require('../url');
+
+const applyLocals = (locals) => {
+
+ // Apply the BASE_PATH, BASE_URL, and MOUNT_PATH on the app.locals, which will
+ // make them available on the templates and the routers.
+ locals.BASE_URL = BASE_URL;
+ locals.BASE_PATH = BASE_PATH;
+ locals.MOUNT_PATH = MOUNT_PATH;
+ locals.STATIC_URL = STATIC_URL;
+};
+
+module.exports = {
+ applyLocals,
+};
diff --git a/services/mailer.js b/services/mailer.js
index 68252bea3..8d650726d 100644
--- a/services/mailer.js
+++ b/services/mailer.js
@@ -4,6 +4,7 @@ const kue = require('./kue');
const path = require('path');
const fs = require('fs');
const _ = require('lodash');
+const {applyLocals} = require('./locals');
const i18n = require('./i18n');
@@ -92,6 +93,9 @@ const mailer = module.exports = {
// Prefix the subject with `[Talk]`.
subject = `[Talk] ${subject}`;
+ applyLocals(locals);
+
+ // Attach the templating function.
locals['t'] = i18n.t;
return Promise.all([
diff --git a/services/users.js b/services/users.js
index faea67d75..1dc9bceb6 100644
--- a/services/users.js
+++ b/services/users.js
@@ -610,12 +610,16 @@ module.exports = class UsersService {
* @param {String} token the JSON Web Token to verify
*/
static async verifyPasswordResetToken(token) {
- const {userId, loc} = await UsersService.verifyToken(token, {
+ const {userId, loc, version} = await UsersService.verifyToken(token, {
subject: PASSWORD_RESET_JWT_SUBJECT
});
const user = await UsersService.findById(userId);
+ if (version !== user.__v) {
+ throw new Error('password reset token has expired');
+ }
+
return [user, loc];
}
diff --git a/views/admin/password-reset.ejs b/views/admin/password-reset.ejs
index f02e5b6f8..6725409d1 100644
--- a/views/admin/password-reset.ejs
+++ b/views/admin/password-reset.ejs
@@ -15,11 +15,13 @@
background: #fff;
}
- #root form {
+ .container {
max-width: 300px;
- border: 1px solid lightgrey;
- box-shadow: 0px 10px 24px 2px rgba(0,0,0,0.2);
margin: 50px auto;
+ }
+
+ #root form {
+ display: none;
padding: 15px;
}
@@ -81,7 +83,8 @@
From 9ae59ef9985886b5768e843e21c5cc5061013f3b Mon Sep 17 00:00:00 2001
From: Wyatt Johnson
Date: Tue, 26 Sep 2017 09:34:37 -0600
Subject: [PATCH 4/4] added parent url to the login popup
---
client/coral-embed-stream/src/components/Embed.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/client/coral-embed-stream/src/components/Embed.js b/client/coral-embed-stream/src/components/Embed.js
index 86d36d47e..7fc6d1474 100644
--- a/client/coral-embed-stream/src/components/Embed.js
+++ b/client/coral-embed-stream/src/components/Embed.js
@@ -29,7 +29,7 @@ export default class Embed extends React.Component {
};
render() {
- const {activeTab, commentId, root, data, auth: {showSignInDialog, signInDialogFocus}, blurSignInDialog, focusSignInDialog, hideSignInDialog} = this.props;
+ const {activeTab, commentId, root, data, auth: {showSignInDialog, signInDialogFocus}, blurSignInDialog, focusSignInDialog, hideSignInDialog, router: {location: {query: {parentUrl}}}} = this.props;
const {user} = this.props.auth;
const hasHighlightedComment = !!commentId;
@@ -37,7 +37,7 @@ export default class Embed extends React.Component {