

add: logtou & redirect_url validation
SIY1121 committed Mar 30, 2021
1 parent 6c844b8 commit 5b2e4d7
Showing 2 changed files with 40 additions and 3 deletions.
40 changes: 38 additions & 2 deletions src/handlers/auth.ts
Expand Up @@ -4,21 +4,38 @@ import passport from 'passport';
import { sessionService } from '../services/sessionService';
import { userService } from '../services/userService';

const cookieName = process.env.COOKIE_NAME ?? 'twinte_session';

/**
* twinteのドメインにしかリダイレクトを返さないようにする
*/
function validateRedirectUrl(url?: string) {
if (!url) return false;
else if (process.env.NODE_ENV === 'development') return true;
else return /^https:\/\/([a-zA-Z0-9-]+\.)*twinte\.net/.test(url);
}

export async function handleAuth(req: Request, res: Response) {
const provider = req.params['provider'];
if (provider !== 'google' && provider !== 'twitter' && provider !== 'apple') {
res.sendStatus(404);
return;
}

const callbackUrl = req.query['redirect_url'];
const callbackUrl = req.query['redirect_url'] as string;

if (!callbackUrl) {
res.status(400);
res.send('please specify redirect_url');
return;
}

if (!validateRedirectUrl(callbackUrl)) {
res.status(400);
res.send('invalid redirect_url');
return;
}

res.cookie('twinte_auth_callback', callbackUrl, {
maxAge: 3 * 60 * 1000,
httpOnly: true,
Expand Down Expand Up @@ -58,7 +75,7 @@ export async function handleAuthCallback(req: Request, res: Response) {

const callbackUrl = req.cookies['twinte_auth_callback'] || 'https://www.twinte.net';

res.cookie(process.env.COOKIE_NAME!, session.sessionId, {
res.cookie(cookieName, session.sessionId, {
expires: expiredDate,
secure: cookieOptions.secure,
httpOnly: true,
Expand All @@ -73,3 +90,22 @@ export async function handleAuthCallback(req: Request, res: Response) {
res.send();
});
}

export async function handleLogout(req: Request, res: Response) {
const callbackUrl = req.query['redirect_url'] as string;

if (!callbackUrl) {
res.status(400);
res.send('please specify redirect_url');
return;
}

if (!validateRedirectUrl(callbackUrl)) {
res.status(400);
res.send('invalid redirect_url');
return;
}

res.clearCookie(cookieName);
res.redirect(callbackUrl);
}
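Review bot: The host check in `validateRedirectUrl` (first hunk, `/^https:\/\/([a-zA-Z0-9-]+\.)*twinte\.net/`) has no terminator after `twinte\.net`, so any URL whose authority merely begins with that string passes — e.g. a constructed host such as `https://twinte.net.example/` — which defeats the "only redirect to twinte domains" intent stated in the docstring; the same helper guards the redirect in `handleLogout` (third hunk), so both redirects are affected. Parsing with `new URL()` and comparing `protocol` and `hostname` separately avoids both the missing anchor and tricks that live in the userinfo, port or path parts of the URL, and also rejects strings that are not URLs at all. Separately, `req.query['redirect_url'] as string` (in both `handleAuth` and `handleLogout`) is a cast, not a check: Express query values can be arrays or objects, so a `typeof callbackUrl !== 'string'` guard (or passing the value through the helper below, which now accepts `unknown`) is warranted before it is stored in a cookie or passed to `res.redirect`. The body of `handleAuth` continues past the end of the first hunk.
```typescript
/**
 * twinteのドメインにしかリダイレクトを返さないようにする
 * Accepts only absolute https URLs whose hostname is twinte.net or a subdomain of it.
 * In development any non-empty string is accepted, as before.
 */
function validateRedirectUrl(url?: unknown): boolean {
  if (typeof url !== 'string' || url === '') return false;
  if (process.env.NODE_ENV === 'development') return true;
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false; // not an absolute URL at all
  }
  // hostname is compared on its own, so userinfo/port/path cannot smuggle a different host
  return parsed.protocol === 'https:' && /^([a-zA-Z0-9-]+\.)*twinte\.net$/.test(parsed.hostname);
}
```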
3 changes: 2 additions & 1 deletion src/index.ts
Expand Up @@ -3,7 +3,7 @@ dotenv.config();

import express from 'express';
import session from 'express-session';
import { handleAuth, handleAuthCallback } from './handlers/auth';
import { handleAuth, handleAuthCallback, handleLogout } from './handlers/auth';
import { configurePassport } from './passport';
import cookieParser from 'cookie-parser';
import passport from 'passport';
Expand All @@ -22,6 +22,7 @@ app.use(
);
app.use(passport.initialize());
app.use(passport.session());
app.get('/logout', handleLogout);
app.get('/:provider', handleAuth);
app.get('/:provider/callback', handleAuthCallback);

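Review bot: `app.get('/logout', handleLogout)` registers logout as a GET that clears the session cookie and then redirects, so the request can be triggered by any cross-site link or image load; a state-changing logout is normally a POST (or at least checked against the session/Origin) so a third-party page cannot sign the user out at will. The route is correctly placed before `app.get('/:provider', …)`; a one-line comment would keep it that way, e.g. `// keep before '/:provider' so the param route does not shadow it`.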
