express: Move preAuthorize hook after express-session

The `ep_openid_connect` plugin needs access to session state before
authorization checks are made (to securely redirect the user back to
the start page when authentication completes). Now that the
`expressPreSession` hook exists, the rationale for moving
`preAuthorize` before the `express-session` middleware is gone.

This change undoes the following commits:
  * bf35dcfc50
  * 0b1ec20c5c
  * 30544b564e
Richard Hansen 2022-01-12 18:59:10 -05:00
parent 75637708c0
commit d3984aa621
3 changed files with 19 additions and 56 deletions


@ -204,18 +204,13 @@ exports.restartServer = async () => {
},
});
app.use(webaccess.preAuthorize);
// Give plugins an opportunity to install handlers/middleware after the preAuthorize middleware
// but before the express-session middleware. This allows plugins to avoid creating an
// express-session record in the database when it is not needed (e.g., public static content).
// Give plugins an opportunity to install handlers/middleware before the express-session
// middleware. This allows plugins to avoid creating an express-session record in the database
// when it is not needed (e.g., public static content).
await hooks.aCallAll('expressPreSession', {app});
app.use([
// If webaccess.preAuthorize explicitly granted access, webaccess.nextRouteIfPreAuthorized will
// call `next('route')` which will skip the remaining middlewares in this list.
webaccess.nextRouteIfPreAuthorized,
exports.sessionMiddleware,
webaccess.checkAccess,
]);
app.use(exports.sessionMiddleware);
app.use(webaccess.checkAccess);
await Promise.all([
hooks.aCallAll('expressConfigure', {app}),