security: Don't require express_sid if authn not required

This should make it possible to embed a pad in an iframe from another
site as long as `settings.requireAuthentication` is false.
This commit is contained in:
Richard Hansen 2020-09-23 17:13:07 -04:00 committed by John McLear
parent 53fd0b4f98
commit 94f944160d
2 changed files with 31 additions and 22 deletions


@ -130,13 +130,19 @@ describe('socket.io access checks', () => {
});
// Normal accesses.
it('!authn anonymous /p/pad -> 200, ok', async () => {
it('!authn anonymous cookie /p/pad -> 200, ok', async () => {
const res = await client.get('/p/pad').expect(200);
// Should not throw.
socket = await connect(res);
const clientVars = await handshake(socket, 'pad');
assert.equal(clientVars.type, 'CLIENT_VARS');
});
it('!authn !cookie -> ok', async () => {
// Should not throw.
socket = await connect(null);
const clientVars = await handshake(socket, 'pad');
assert.equal(clientVars.type, 'CLIENT_VARS');
});
it('!authn user /p/pad -> 200, ok', async () => {
const res = await client.get('/p/pad').auth('user', 'user-password').expect(200);
// Should not throw.
@ -160,7 +166,7 @@ describe('socket.io access checks', () => {
// Despite the 401, try to create the pad via a socket.io connection anyway.
await assert.rejects(connect(res), {message: /authentication required/i});
});
it('socket.io connection without express-session cookie -> error', async () => {
it('authn !cookie -> error', async () => {
settings.requireAuthentication = true;
await assert.rejects(connect(null), {message: /signed express_sid cookie is required/i});
});
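Review bot: The new `authn !cookie -> error` case sets `settings.requireAuthentication = true` inside the `it` body and never restores it, so unless a `beforeEach` outside this hunk resets the flag (the enclosing `describe` starts before the hunk), a failure here would leak the authentication-required state into later cases, and the `!authn !cookie -> ok` case added in the first hunk would then fail for the wrong reason. If no such hook exists, restoring the value in an `afterEach`, e.g. `afterEach(() => { settings.requireAuthentication = false; });`, keeps the cases independent of execution order. A short comment above the rejection, `// With authn required, a socket with no signed express_sid cookie must be refused.`, would also make the intent of the message regex explicit.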