Commit 96f48b01 authored by Johannes Zellner's avatar Johannes Zellner

basic auth through superagent has issues with special characters

Testable with "password¤"
parent 6fab47fe
......@@ -4,7 +4,6 @@ var assert = require('assert'),
path = require('path'),
fs = require('fs'),
ldapjs = require('ldapjs'),
basicAuth = require('basic-auth'),
database = require('./database.js'),
github = require('./github.js'),
tasks = require('./tasks.js'),
......@@ -55,9 +54,9 @@ function status(req, res, next) {
}
function auth(req, res, next) {
var credentials = basicAuth(req);
var credentials = req.query;
if (!credentials) return next(new HttpError(400, 'Basic auth required'));
if (!credentials.username || !credentials.password) return next(new HttpError(400, 'username and password required'));
function returnOrCreateUser(user) {
database.users.get(user.username, function (error, result) {
......@@ -91,7 +90,7 @@ function auth(req, res, next) {
ldapClient.bind(process.env.CLOUDRON_LDAP_BIND_DN, process.env.CLOUDRON_LDAP_BIND_PASSWORD, function (error) {
if (error) return next(new HttpError(500, error));
var filter = `(|(uid=${credentials.name})(mail=${credentials.name})(username=${credentials.name})(sAMAccountName=${credentials.name}))`;
var filter = `(|(uid=${credentials.username})(mail=${credentials.username})(username=${credentials.username})(sAMAccountName=${credentials.username}))`;
ldapClient.search(process.env.CLOUDRON_LDAP_USERS_BASE_DN, { filter: filter }, function (error, result) {
if (error) return next(new HttpError(500, error));
......@@ -106,7 +105,7 @@ function auth(req, res, next) {
// pick the first found
var user = items[0];
ldapClient.bind(user.dn, credentials.pass, function (error) {
ldapClient.bind(user.dn, credentials.password, function (error) {
if (error) return next(new HttpError(401, 'Invalid credentials'));
returnOrCreateUser({ username: user.username, email: user.mail });
......@@ -115,7 +114,7 @@ function auth(req, res, next) {
});
});
} else {
let user = users.find(function (u) { return (u.username === credentials.name || u.email === credentials.name) && u.password === credentials.pass; });
let user = users.find(function (u) { return (u.username === credentials.username || u.email === credentials.username) && u.password === credentials.password; });
if (!user) return next(new HttpError(401, 'Invalid credentials'));
returnOrCreateUser(user);
......
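Review bot: Reading the credentials from `req.query` (the new `var credentials = req.query;` line in the second hunk) moves the password into the request URL, so it ends up in server access logs, reverse-proxy logs and browser history; that is a larger exposure than the special-character bug it works around. The `Authorization` header is the right carrier for a password, and the failure with "password¤" is presumably an encoding mismatch on the client side (browser `btoa` encodes code points as Latin-1 bytes while the server decodes base64 as UTF-8), which should be fixed there rather than by changing the transport. Separately, the rewritten filter line in the third hunk still interpolates `credentials.username` unescaped into the LDAP filter, so filter metacharacters in a username change the meaning of the search; build it from ldapjs filter objects instead, e.g. `new ldapjs.filters.EqualityFilter({ attribute: 'uid', value: credentials.username })` combined in an `OrFilter`, or escape the value per RFC 4515 before interpolating. The `auth` function starts and ends outside these hunks.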
......@@ -29,7 +29,7 @@ new Vue({
var that = this;
that.loginSubmitBusy = true;
superagent.get('/api/v1/profile').auth(this.login.username, this.login.password).end(function (error, result) {
superagent.get('/api/v1/profile').query({ username: that.login.username, password: that.login.password }).end(function (error, result) {
that.loginSubmitBusy = false;
if (error && error.status === 401) {
......@@ -62,7 +62,7 @@ new Vue({
var that = this;
that.profileSubmitBusy = true;
superagent.post('/api/v1/profile').auth(this.login.username, this.login.password).send({ email: this.profile.email, githubToken: this.profile.githubToken }).end(function (error, result) {
superagent.post('/api/v1/profile').query({ username: that.login.username, password: that.login.password }).send({ email: this.profile.email, githubToken: this.profile.githubToken }).end(function (error, result) {
that.profileSubmitBusy = false;
if (error && error.status === 402) {
......@@ -89,7 +89,7 @@ new Vue({
if (this.activeView === 'projects' || this.activeView === 'welcome') {
this.projects = null;
superagent.get('/api/v1/projects').auth(this.login.username, this.login.password).end(function (error, result) {
superagent.get('/api/v1/projects').query({ username: that.login.username, password: that.login.password }).end(function (error, result) {
if (error) return that.onError(error);
if (result.statusCode !== 200) return that.onError('Unexpected response: ' + result.statusCode + ' ' + result.text);
......@@ -127,7 +127,7 @@ new Vue({
scope.row.busy = true;
superagent.post('/api/v1/projects/' + projectId).auth(this.login.username, this.login.password).send({ enabled: state }).end(function (error, result) {
superagent.post('/api/v1/projects/' + projectId).query({ username: that.login.username, password: that.login.password }).send({ enabled: state }).end(function (error, result) {
scope.row.busy = false;
if (error) return that.onError(error);
......@@ -154,7 +154,7 @@ new Vue({
return;
}
superagent.get('/api/v1/profile').auth(that.login.username, that.login.password).end(function (error, result) {
superagent.get('/api/v1/profile').query({ username: that.login.username, password: that.login.password }).end(function (error, result) {
if (error && error.status === 401) {
// clear the local storage on wrong credentials
delete window.localStorage.username;
......
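Review bot: Every rewritten superagent call in this file (the hunks at lines 29, 62, 89, 127 and 154) now sends the password as a URL query parameter, which exposes it in browser history, intermediary logs and any `Referer` header, whereas the `Authorization` header it replaces is not logged by default. If the original failure is superagent's `.auth()` mis-encoding non-ASCII characters, keep the header and encode the UTF-8 bytes yourself, e.g. `.set('Authorization', 'Basic ' + btoa(unescape(encodeURIComponent(that.login.username + ':' + that.login.password))))`, which matches the server's UTF-8 decoding of the base64 payload. As a point of style, the first two hunks switch `this.login` to `that.login` inside the same synchronous expression while leaving `this.profile.email` on the `.send()` call, which is harmless but inconsistent. The enclosing methods start and end outside these hunks.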
......@@ -10,7 +10,6 @@
"license": "ISC",
"dependencies": {
"async": "^2.6.0",
"basic-auth": "^2.0.0",
"connect-lastmile": "^1.0.2",
"connect-timeout": "^1.9.0",
"db-migrate": "^0.11.1",
......