
Commit e781e88

committed
add validation
1 parent e6d3c2e commit e781e88


2 files changed

+32
-21
lines changed


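--- a/config.js
+++ b/config.js
@@ -12,7 +12,9 @@ exports.branding = {
 orgHome: process.env.brandOrgHome || "https://acm.illinois.edu",
 statusURL: process.env.brandStatusURL || "https://status.acm.illinois.edu",
 copyrightOwner: process.env.brandCopyrightOwner || "ACM @ UIUC",
-domainHint: process.env.brandDomainHint || "acm.illinois.edu" // primary azure AD domain for tenant.
+domainHint: process.env.brandDomainHint || "acm.illinois.edu", // primary azure AD domain for tenant.
+externalDomain: process.env.externalDomain || "https://go.acm.illinois.edu"
+
 }
 
 exports.creds = {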
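Review bot: The new `externalDomain` key (new line 16) reads `process.env.externalDomain`, while every sibling key in `exports.branding` reads a `brand`-prefixed variable (`brandOrgHome`, `brandStatusURL`, `brandDomainHint`); for a consistent deployment surface consider `externalDomain: process.env.brandExternalDomain || "https://go.acm.illinois.edu", // public origin for short links, no trailing slash`. The value is a full origin with scheme rather than a bare domain, which the name does not convey, and index.js interpolates it directly as `${config.branding.externalDomain}/${obj.name}`, so the no-trailing-slash expectation is worth stating. The added empty line 17 before the closing brace looks unintentional.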

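--- a/index.js
+++ b/index.js
@@ -63,6 +63,17 @@ app.use(session({
 secret: secret,
 }));
 
+
+function isDefinedRoute(name) {
+// prevent the user from using well-defined routes as a short URL
+app._router.stack.forEach(function(r){
+if (r.route && r.route.path && r.route.path == `/${name}`){
+return true
+}
+})
+return false;
+}
+
 //-----------------------------------------------------------------------------
 // To support persistent login sessions, Passport needs to be able to
 // serialize users into and deserialize users out of the session. Typically,
@@ -146,10 +157,18 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(favicon(__dirname + '/public/img/favicon.ico'));
 app.use('/static', express.static('public'))
-function ensureAuthenticated(req, res, next) {
-if (req.isAuthenticated()) { return next(); }
-res.redirect('/#');
+
+async function ensureAuthenticated(req, res, next) {
+if (!req.user) { return res.redirect('/#'); }
+req.user._json.groups = await getUserGroups(req.user.oid, gat);
+const intserect = validateArray(config.groups_permitted, req.user._json.groups);
+const intersect2 = validateArray(config.admin_groups, req.user._json.groups)
+if (!intserect && !intersect2) {
+return res.status(401).redirect("/unauthorized");
+}
+next();
 };
+
 function checkIfAdmin(req) {
 const userGroups = new Set(req.user._json.groups !== undefined ? req.user._json.groups : []);
 const adminGroups = new Set(config.admin_groups);
@@ -358,23 +377,9 @@ function validateArray(userGroups, accessGroups) {
 return false;
 }
 
-// group access check
-app.use(async (req, res, next) => {
-if (!req.user) { return next(); }
-req.user._json.groups = await getUserGroups(req.user.oid, gat);
-const intserect = validateArray(config.groups_permitted, req.user._json.groups);
-const intersect2 = validateArray(config.admin_groups, req.user._json.groups)
-if (!intserect && !intersect2) {
-return res.status(401).redirect("/unauthorized");
-}
-next();
-})
-
 app.use('/admin/', ensureAdmin)
-// begin business logic
 
 app.get('/', async function (req, res) {
-
 if (req.isAuthenticated()) { return res.redirect('/create') }
 res.render('home.html', { partials, productName: config.branding.title, logoPath: config.branding.logoPath, copyrightOwner: config.branding.copyrightOwner, statusURL: config.branding.statusURL, orgHome: config.branding.orgHome, loginProvider: config.branding.loginProvider });
 return
@@ -402,11 +407,15 @@ app.post('/addURL', ensureAuthenticated, async function (req, res) {
 const url = req.query.url;
 const name = req.query.name;
 const groups = req.body.groups
+if (isDefinedRoute(name)) {
+return res.status(409).json({
+message: "This short URL is reserved by the system. Please try another."
+})
+}
 if (url.indexOf(baseURL) > -1) {
-res.json({
+return res.json({
 message: `The origin URL cannot be a path of ${baseURL}`
 })
-return
 }
 if (url === undefined || name === undefined) {
 res.status(400).json({
@@ -417,7 +426,7 @@ app.post('/addURL', ensureAuthenticated, async function (req, res) {
 addURLToDB(name, url, email, groups).then((obj) => {
 res.json({
 url: obj.url,
-shortURL: `https://go.epochml.org/${obj.name}`,
+shortURL: `${config.branding.externalDomain}/${obj.name}`,
 email: obj.email,
 groups: groups
 });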
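Review bot: `isDefinedRoute` (new lines 67-75) can never return true: the `return true` inside the `forEach` callback only exits that callback, so the function always falls through to `return false` and the new 409 branch in `/addURL` (new lines 410-414) is dead — a short name that collides with a defined route is still accepted. Replace the loop with `return app._router.stack.some((r) => r.route && r.route.path === \`/${name}\`);`. Even then the check only sees exact `app.get/post` paths via the Express-internal `app._router`, so anything mounted with `app.use` (`/static`, `/admin/` in this file) is not covered; an explicit list of reserved names checked alongside this would be more robust. Separately, the new `async ensureAuthenticated` (new lines 161-170) awaits `getUserGroups` with no `try/catch`; if this is Express 4, a rejected middleware promise is not forwarded to `next(err)` and a failed group lookup leaves the request hanging, so wrap the body in `try { … } catch (err) { return next(err); }`. Note also that `res.status(401).redirect(...)` ends up sending a 302, since `redirect` sets its own status.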
