feat: fix session mismatch errors by clearing cookie on logout (#8338)

* feat: fix session mismatch errors by clearing cookie on logout

* feat: remove app.upateHeader

ported from 2.0

* feat: handle if user doesn't click button and just refreshes page
This commit is contained in:
Barış Soner Uşaklı
2020-05-27 12:15:02 -04:00
committed by GitHub
parent 938c232377
commit 5781a2dc65
9 changed files with 54 additions and 195 deletions

View File

@@ -37,7 +37,9 @@
});
}
$('[component="logout"]').on('click', app.logout);
$('[component="logout"]').on('click', function () {
app.logout();
});
configureSlidemenu();
setupNProgress();

View File

@@ -57,7 +57,9 @@ app.cacheBuster = null;
app.newTopic();
});
$('#header-menu .container').on('click', '[component="user/logout"]', app.logout);
$('#header-menu .container').on('click', '[component="user/logout"]', function () {
app.logout();
});
Visibility.change(function (event, state) {
if (state === 'visible') {
@@ -105,111 +107,27 @@ app.cacheBuster = null;
});
};
app.updateHeader = function (data, callback) {
/**
* data:
* header (obj)
* config (obj)
* next (string)
*/
require([
'benchpress',
'translator',
'forum/unread',
'forum/header/notifications',
'forum/header/chat',
], function (Benchpress, translator, Unread, Notifications, Chat) {
app.user = data.header.user;
data.header.config = data.config;
config = data.config;
Benchpress.setGlobal('config', config);
var htmlEl = $('html');
htmlEl.attr('data-dir', data.header.languageDirection);
htmlEl.css('direction', data.header.languageDirection);
// Manually reconnect socket.io
socket.close();
socket.open();
// Re-render top bar menu
var toRender = {
'slideout-menu': $('.slideout-menu'),
menu: $('#header-menu .container'),
'chats-menu': $('#chats-menu'),
};
Promise.all(Object.keys(toRender).map(function (tpl) {
return Benchpress.render('partials/' + tpl, data.header).then(function (render) {
return translator.Translator.create().translate(render);
});
})).then(function (html) {
Object.keys(toRender)
.map(function (k) { return toRender[k]; })
.forEach(function (element, idx) {
element.html(html[idx]);
});
Unread.initUnreadTopics();
Notifications.prepareDOM();
Chat.prepareDOM();
app.reskin(data.header.bootswatchSkin);
translator.switchTimeagoLanguage(callback);
bootbox.setLocale(config.userLang);
if (config.searchEnabled) {
app.handleSearch();
}
handleStatusChange();
$(window).trigger('action:app.updateHeader');
});
});
};
app.logout = function (e) {
if (e) {
e.preventDefault();
}
app.logout = function (redirect) {
redirect = redirect === undefined ? true : redirect;
$(window).trigger('action:app.logout');
/*
Set session refresh flag (otherwise the session check will trip and throw invalid session modal)
We know the session is/will be invalid (uid mismatch) because the user is logging out
*/
app.flags = app.flags || {};
app.flags._sessionRefresh = true;
$.ajax(config.relative_path + '/logout', {
type: 'POST',
headers: {
'x-csrf-token': config.csrf_token,
},
success: function (data) {
// ACP logouts go to frontend via page load, not ajaxify
if (ajaxify.data.template.name.startsWith('admin/')) {
$(window).trigger('action:app.loggedOut', data);
window.location.href = config.relative_path + (data.next || '/');
return;
}
app.updateHeader(data, function () {
// Overwrite in hook (below) to redirect elsewhere
data.next = data.next || undefined;
$(window).trigger('action:app.loggedOut', data);
if (redirect) {
if (data.next) {
if (data.next.startsWith('http')) {
window.location.href = data.next;
return;
}
ajaxify.go(data.next);
} else {
ajaxify.refresh();
window.location.reload();
}
}
});
},
});
return false;
};
app.alert = function (params) {
@@ -249,27 +167,16 @@ app.cacheBuster = null;
};
app.handleInvalidSession = function () {
if (app.flags && app.flags._sessionRefresh) {
return;
}
app.flags = app.flags || {};
app.flags._sessionRefresh = true;
socket.disconnect();
require(['translator'], function (translator) {
translator.translate('[[error:invalid-session-text]]', function (translated) {
app.logout(false);
bootbox.alert({
title: '[[error:invalid-session]]',
message: translated,
message: '[[error:invalid-session-text]]',
closeButton: false,
callback: function () {
window.location.reload();
},
});
});
});
};
app.enterRoom = function (room, callback) {

View File

@@ -24,26 +24,18 @@ define('forum/login', [], function () {
submitEl.addClass('disabled');
/*
Set session refresh flag (otherwise the session check will trip and throw invalid session modal)
We know the session is/will be invalid (uid mismatch) because the user is attempting a login
*/
app.flags = app.flags || {};
app.flags._sessionRefresh = true;
formEl.ajaxSubmit({
headers: {
'x-csrf-token': config.csrf_token,
},
success: function (data) {
var pathname = utils.urlToLocation(data.next).pathname;
var params = utils.params({ url: data.next });
params.loggedin = true;
var qs = decodeURIComponent($.param(params));
app.updateHeader(data, function () {
ajaxify.go(data.next);
app.flags._sessionRefresh = false;
$(window).trigger('action:app.loggedIn', data);
});
window.location.href = pathname + '?' + qs;
},
error: function (data) {
if (data.status === 403 && data.responseText === 'Forbidden') {
@@ -52,7 +44,6 @@ define('forum/login', [], function () {
errorEl.find('p').translateText(data.responseText);
errorEl.show();
submitEl.removeClass('disabled');
app.flags._sessionRefresh = false;
// Select the entire password if that field has focus
if ($('#password:focus').length) {

View File

@@ -93,7 +93,6 @@ apiController.loadConfig = async function (req) {
config.topicSearchEnabled = settings.topicSearchEnabled || false;
config.bootswatchSkin = (meta.config.disableCustomUserSkins !== 1 && settings.bootswatchSkin && settings.bootswatchSkin !== '') ? settings.bootswatchSkin : '';
config = await plugins.fireHook('filter:config.get', config);
req.res.locals.config = config;
return config;
};

View File

@@ -15,7 +15,6 @@ const plugins = require('../plugins');
const utils = require('../utils');
const translator = require('../translator');
const helpers = require('./helpers');
const middleware = require('../middleware');
const privileges = require('../privileges');
const sockets = require('../socket.io');
@@ -159,9 +158,7 @@ authenticationController.registerComplete = function (req, res, next) {
async.parallel(callbacks, async function (_blank, err) {
if (err.length) {
err = err.filter(Boolean).map(function (err) {
return err.message;
});
err = err.filter(Boolean).map(err => err.message);
}
if (err.length) {
@@ -232,7 +229,7 @@ authenticationController.login = function (req, res, next) {
};
function continueLogin(req, res, next) {
passport.authenticate('local', function (err, userData, info) {
passport.authenticate('local', async function (err, userData, info) {
if (err) {
return helpers.noScriptErrors(req, res, err.message, 403);
}
@@ -258,39 +255,19 @@ function continueLogin(req, res, next) {
winston.verbose('[auth] Triggering password reset for uid ' + userData.uid + ' due to password policy');
req.session.passwordExpired = true;
async.series({
code: async.apply(user.reset.generate, userData.uid),
buildHeader: async.apply(middleware.buildHeader, req, res),
header: async.apply(middleware.generateHeader, req, res, {}),
}, function (err, payload) {
if (err) {
return helpers.noScriptErrors(req, res, err.message, 403);
}
const code = await user.reset.generate(userData.uid);
res.status(200).send({
next: nconf.get('relative_path') + '/reset/' + payload.code,
header: payload.header,
config: res.locals.config,
});
next: nconf.get('relative_path') + '/reset/' + code,
});
} else {
delete req.query.lang;
async.series({
doLogin: async.apply(authenticationController.doLogin, req, userData.uid),
buildHeader: async.apply(middleware.buildHeader, req, res),
header: async.apply(middleware.generateHeader, req, res, {}),
}, function (err, payload) {
if (err) {
return helpers.noScriptErrors(req, res, err.message, 403);
}
await authenticationController.doLogin(req, userData.uid);
var destination;
if (!req.session.returnTo) {
destination = nconf.get('relative_path') + '/';
} else {
if (req.session.returnTo) {
destination = req.session.returnTo;
delete req.session.returnTo;
} else {
destination = nconf.get('relative_path') + '/';
}
if (req.body.noscript === 'true') {
@@ -298,11 +275,8 @@ function continueLogin(req, res, next) {
} else {
res.status(200).send({
next: destination,
header: payload.header,
config: res.locals.config,
});
}
});
}
})(req, res, next);
}
@@ -416,6 +390,7 @@ const destroyAsync = util.promisify((req, callback) => req.session.destroy(callb
authenticationController.logout = async function (req, res, next) {
if (!req.loggedIn || !req.sessionID) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
return res.status(200).send('not-logged-in');
}
const uid = req.uid;
@@ -434,24 +409,16 @@ authenticationController.logout = async function (req, res, next) {
await db.sortedSetAdd('users:online', Date.now() - (meta.config.onlineCutoff * 60000), uid);
await plugins.fireHook('static:user.loggedOut', { req: req, res: res, uid: uid, sessionID: sessionID });
const autoLocaleAsync = util.promisify(middleware.autoLocale);
await autoLocaleAsync(req, res);
// Force session check for all connected socket.io clients with the same session id
sockets.in('sess_' + sessionID).emit('checkSession', 0);
if (req.body.noscript === 'true') {
return res.redirect(nconf.get('relative_path') + '/');
}
const buildHeaderAsync = util.promisify(middleware.buildHeader);
const generateHeaderAsync = util.promisify(middleware.generateHeader);
await buildHeaderAsync(req, res);
const header = await generateHeaderAsync(req, res, {});
const payload = {
header: header,
config: res.locals.config,
next: nconf.get('relative_path') + '/',
};
plugins.fireHook('filter:user.logout', payload);
if (req.body.noscript === 'true') {
return res.redirect(payload.next);
}
res.status(200).send(payload);
} catch (err) {
next(err);

View File

@@ -45,6 +45,7 @@ module.exports = function (middleware) {
}, next);
},
function (results, next) {
res.locals.config = results.config;
// Return no arguments
setImmediate(next);
},

View File

@@ -3,7 +3,6 @@
var os = require('os');
var winston = require('winston');
var _ = require('lodash');
const nconf = require('nconf');
var meta = require('../meta');
var languages = require('../languages');
@@ -55,12 +54,6 @@ module.exports = function (middleware) {
headers['X-Upstream-Hostname'] = os.hostname();
}
// Ensure that the session is valid. This block guards against edge-cases where the server-side session has
// been deleted (but client-side cookie still exists)
if (req.uid > 0 && !req.session.meta && !res.get('Set-Cookie')) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
}
for (var key in headers) {
if (headers.hasOwnProperty(key) && headers[key]) {
res.setHeader(key, headers[key]);

View File

@@ -87,8 +87,7 @@ Auth.reloadRoutes = async function (params) {
// save returnTo for later usage in /register/complete
// passport seems to remove `req.session.returnTo` after it redirects
req.session.registration.returnTo = req.session.returnTo;
next();
}, function (req, res, next) {
passport.authenticate(strategy.name, function (err, user) {
if (err) {
delete req.session.registration;

View File

@@ -145,7 +145,7 @@ function setupExpressApp(app) {
configureBodyParser(app);
app.use(cookieParser());
app.use(cookieParser(nconf.get('secret')));
const userAgentMiddleware = useragent.express();
app.use(function userAgent(req, res, next) {
userAgentMiddleware(req, res, next);