Feature/dhv3

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## UNRELEASED
+* Add CIDR-based blocker (configurable per client) to prevent e-mail filters (e.g. Cisco Umbrella) from invalidating a login link
+
 ## 1.0.0
 * Add env MYSQL_CA_CERT for MySQL SSL connection
 * Upgrade to node 16

README.md

@@ -128,3 +128,18 @@ By default the required fields have labels as defined in `config/user.js`. These
 
 ## MySQL with SSL
 When you want to connect to a MySQL server using SSL, a Certificate Authority certificate is required. The contents of this CA certificate can be passed into the `MYSQL_CA_CERT` environment variable.
+
+## Block CIDRs from invalidating the login e-mail link
+In some cases, e-mail filters (such as Cisco Umbrella) will invalidate the login e-mail link, because all links are visited by the filter.
+To combat this, the Cisco Umbrella CIDRs are blocked by default from visiting the `/auth/url/authenticate` route.
+
+If you need to add other CIDRs to this block, this can be done on a per client basis through the `clients` table under the `config` column:
+
+```
+"blockCidrs": [
+    "1.2.3.4/16",
+    "4.4.4.4/16"
+]
+```
+
+Note: When adding your own `blockCidrs` like this, the default Cisco umbrella CIDRs will be overwritten.

app-init.js

@@ -116,15 +116,14 @@ app.use(passport.initialize());
 app.use(passport.session());
 app.use(expressValidator());
 
-/*
 app.use((req, res, next) => {
   console.log('=====> REQUEST: ', req.originalUrl);
   console.log('=====> query: ', req.query);
+  console.log('=====> ip: ', req.headers['x-forwarded-for'] || req.socket.remoteAddress, req.ip);
   console.log('=====> body: ', req.body);
   console.log('=====> session: ', req.session);
   next();
 });
-*/
 
 // Passport configuration
 require('./auth');

controllers/auth/local.js

@@ -128,8 +128,12 @@ exports.logout = async (req, res) => {
   const config = req.client.config;
   const allowedDomains = req.client.allowedDomains ? req.client.allowedDomains : false;
   let redirectURL = req.query.redirectUrl;
-  const redirectUrlHost = redirectURL ? new URL(redirectURL).hostname : false;
-  redirectURL = redirectUrlHost && allowedDomains && allowedDomains.indexOf(redirectUrlHost) !== -1 ? redirectURL : false;
+  try {
+    const redirectUrlHost = redirectURL ? new URL(redirectURL).hostname : false;
+    redirectURL           = redirectUrlHost && allowedDomains && allowedDomains.indexOf(redirectUrlHost) !== -1 ? redirectURL : false;
+  } catch (e) {
+    //
+  }
 
   if (!redirectURL) {
     redirectURL =  config && config.logoutUrl ? config.logoutUrl : req.client.siteUrl

middleware/blocker.js

@@ -0,0 +1,29 @@
+const Netmask = require('netmask').Netmask;
+
+exports.preventCiscoRequest = (req, res, next) => {
+
+  // Fix for local IP
+  if (req.ip == '::1') {
+    return next();
+  }
+
+  // Get CIDRs from client config. If the `blockCidrs` key doesn't exist fall back to Cisco Umbrella CIDRs
+  // See https://support.umbrella.com/hc/en-us/articles/360059292052-Additional-Egress-IP-Address-Range
+  const blockCidrs = req && req.client && req.client.config && req.client.config.blockCidrs ? req.client.config.blockCidrs : ['146.112.0.0/16', '155.190.0.0/16', '151.186.0.0/16'];
+
+  // Check if IP is in cidr
+  const isIpInCidr = blockCidrs.some(cidr => {
+    const block = new Netmask(cidr);
+    return block.contains(req.ip);
+  });
+
+  if (!isIpInCidr) {
+    return next();
+  }
+
+  console.log('IP is in CIDRs to block', req.ip, blockCidrs, isIpInCidr);
+
+  req.flash('error', {msg: 'De url is geen geldige login url, wellicht is deze verlopen'});
+  return res.redirect(`/auth/url/login?clientId=${req.query.clientId}`);
+
+}