From e9f0d509e1408743048e29d9c099d36e0e1f6ae7 Mon Sep 17 00:00:00 2001
From: Jan Ahrens
Date: Thu, 20 Nov 2014 11:32:57 +0100
Subject: [PATCH] Regenerate session after XING login to fix "session fixation" vulnerability

---
 app/controllers/oauth.js | 96 +++++++++++++++++++++-------------------
 1 file changed, 51 insertions(+), 45 deletions(-)

diff --git a/app/controllers/oauth.js b/app/controllers/oauth.js
index 1835101..44d755e 100644
--- a/app/controllers/oauth.js
+++ b/app/controllers/oauth.js
@@ -35,52 +35,58 @@ module.exports = function (app, io) {
 xingApi.getAccessToken(requestToken.token, requestToken.secret, req.query.oauth_verifier, function (error, oauthToken, oauthTokenSecret) {
- res.cookie('requestToken', null); // delete cookie
-
- var client = xingApi.client(oauthToken, oauthTokenSecret);
-
- client.get('/v1/users/me', function (error, response) {
- var user = JSON.parse(response).users[0];
-
- Wall.findOne({ _id: req.query.wall_id }).exec()
- .then(function (wall) {
-
- var profile = new Profile({
- userId: user.id,
- displayName: user.display_name,
- photoUrls: {
- size_128x128: user.photo_urls.size_128x128,
- size_256x256: user.photo_urls.size_256x256
- }
- }).toObject();
-
- delete profile._id; // make sure that we don't overwrite the internal _id on an update
-
- Profile.findOneAndUpdate({ userId: user.id }, profile, { upsert: true }).exec()
- .then(function (profile) {
- wall.profiles.pull(profile._id);
- wall.profiles.push(profile._id);
-
- wall.save(function (err) {
- if (err) {
- console.error(err);
- res.render('error');
- } else {
- req.session.user = {
- id: profile._id,
- oauthToken: oauthToken,
- oauthTokenSecret: oauthTokenSecret
- };
-
- io.emit('profiles:updated');
- res.render('oauth/callback', { url: "/walls/" + req.query.wall_id });
- }
+ if (error) {
+ console.log(error);
+ res.render('error');
+ return;
+ }
+ req.session.regenerate(function (err) {
+ res.cookie('requestToken', null); // delete cookie
+
+ var client = xingApi.client(oauthToken, oauthTokenSecret);
+
+ client.get('/v1/users/me', function (error, response) {
+ var user = JSON.parse(response).users[0];
+
+ Wall.findOne({ _id: req.query.wall_id }).exec()
+ .then(function (wall) {
+
+ var profile = new Profile({
+ userId: user.id,
+ displayName: user.display_name,
+ photoUrls: {
+ size_128x128: user.photo_urls.size_128x128,
+ size_256x256: user.photo_urls.size_256x256
+ }
+ }).toObject();
+
+ delete profile._id; // make sure that we don't overwrite the internal _id on an update
+
+ Profile.findOneAndUpdate({ userId: user.id }, profile, { upsert: true }).exec()
+ .then(function (profile) {
+ wall.profiles.pull(profile._id);
+ wall.profiles.push(profile._id);
+
+ wall.save(function (err) {
+ if (err) {
+ console.error(err);
+ res.render('error');
+ } else {
+ req.session.user = {
+ id: profile._id,
+ oauthToken: oauthToken,
+ oauthTokenSecret: oauthTokenSecret
+ };
+
+ io.emit('profiles:updated');
+ res.render('oauth/callback', { url: "/walls/" + req.query.wall_id });
+ }
+ });
 });
- });
-
- }, function (err) {
- console.log(err);
- });
+ }, function (err) {
+ console.log(err);
+ });
+ });
 });
 });
 });
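Review bot: The callback at `req.session.regenerate(function (err) {` never inspects `err`, so when regeneration fails the handler still clears the request-token cookie, fetches the profile and writes `req.session.user` with the OAuth tokens — presumably into the old, pre-login session, which is exactly the state this commit is meant to rule out. Add a guard mirroring the one just above it as the first statement of the callback: `if (err) { console.error(err); res.render('error'); return; }`. The same unchecked-error shape recurs at `client.get('/v1/users/me', function (error, response) {`, where `JSON.parse(response)` will likely throw on a failed request instead of rendering the error page. Separately, `res.cookie('requestToken', null)` sets a cookie carrying a serialized null value rather than removing it; `res.clearCookie('requestToken')` is the Express call that actually deletes it. The enclosing `getAccessToken` callback and the route handler around it begin outside the hunk.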