express: Move preAuthorize hook after express-session

The `ep_openid_connect` plugin needs access to session state before
authorization checks are made (to securely redirect the user back to
the start page when authentication completes). Now that the
`expressPreSession` hook exists, the rationale for moving
`preAuthorize` before the `express-session` middleware is gone.

This change undoes the following commits:
  * bf35dcfc50
  * 0b1ec20c5c
  * 30544b564e
Richard Hansen 2022-01-12 18:59:10 -05:00
parent 75637708c0
commit d3984aa621
3 changed files with 19 additions and 56 deletions


@ -191,11 +191,11 @@ describe(__filename, function () {
await agent.get('/').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('bypasses authenticate and authorize hooks for static content, defers', async function () {
it('static content (expressPreSession) bypasses all auth checks', async function () {
settings.requireAuthentication = true;
settings.requireAuthorization = true;
await agent.get('/static/robots.txt').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1']);
assert.deepEqual(callOrder, []);
});
it('cannot grant access to /admin', async function () {
handlers.preAuthorize[0].innerHandle = () => [true];
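Review bot: The rewritten static-content test pins `callOrder` to `[]` for `/static/robots.txt` with `requireAuthentication` and `requireAuthorization` both set, but nothing beside the assertion says that this bypass is deliberate. Going by the two assertions shown, `preAuthorize` handlers used to be consulted for this request and no longer are, so a plugin that relied on `preAuthorize` to restrict a static path would presumably stop seeing those requests without any error. I would add a comment above the assertion such as `// Static content is served from expressPreSession, before the session and auth middleware, so no preAuthorize/authenticate/authorize handler may run for it.` It would also help to state next to it that the first test in this hunk, `agent.get('/')` expecting `['preAuthorize_0']`, is the matching check that non-static paths still reach the hooks. The `it('cannot grant access to /admin', …)` case and the enclosing `describe` continue outside the hunk.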