Commit Graph

113 Commits (1cbba4ea3a246ee4eb6d99d8665b21978b55066a)

Author SHA1 Message Date
Richard Hansen ba6bdf35be Make the aceAttribClasses hook harder to misuse 2020-10-07 10:37:56 +01:00
Richard Hansen bf9d613e95
feature: New user-specific `readOnly` and `canCreate` settings (#4370)
Also:
  * Group the tests for readability.
  * Factor out some common test setup.
2020-09-28 11:22:06 +01:00
Richard Hansen 180983736d security: Enable authorize plugins to grant read-only access 2020-09-27 22:55:49 +01:00
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
Richard Hansen ab5934cbda webaccess: Split authFailure hook into authnFailure and authzFailure
This makes it possible for plugins to return different pages to the
user depending on whether the auth failure was authn or authz.
2020-09-26 19:37:11 +01:00
Richard Hansen 02757079c0 security: Enable authorize plugins to grant modify-only access 2020-09-26 18:36:36 +01:00
Richard Hansen 53fd0b4f98 webaccess: Return 401 for authn failure, 403 for authz failure
This makes it possible for reverse proxies to transform 403 errors
into something like "upgrade to a premium account to access this
pad".

Also add some webaccess tests.
2020-09-24 10:41:58 +01:00
Richard Hansen 1bb44098df PadMessageHandler: Move handleMessage hooks after access check
Move the handleMessageSecurity and handleMessage hooks after the call
to securityManager.checkAccess.

Benefits:

  * A handleMessage plugin can safely assume the message will be
    handled unless the plugin itself drops the message, so it doesn't
    need to repeat the access checks done by the `handleMessage`
    function.
  * This paves the way for a future enhancement: pass the author ID to
    the hooks.

Note: The handleMessageSecurity hook is broken in several ways:

  * The hook result is ignored for `CLIENT_READY` and `SWITCH_TO_PAD`
    messages because the `handleClientReady` function overwrites the
    hook result. This causes the client to receive client vars with
    `readonly` set to true, which causes the client to display an
    immutable pad even though the pad is technically writable.
  * The formatting toolbar buttons are removed for read-only pads
    before the handleMessageSecurity hook even runs.
  * It is awkwardly named: Without reading the documentation, how is
    one supposed to know that "handle message security" actually means
    "grant one-time write access to a read-only pad"?
  * It is called for every message even though calls after a
    `CLIENT_READY` or `SWITCH_TO_PAD` are mostly pointless.
  * Why would anyone want to grant write access when the user visits a
    read-only pad URL? The user should just visit the writable pad URL
    instead.
  * Why would anyone want to grant write access that only lasts for a
    single socket.io connection?
  * There are better ways to temporarily grant write access (e.g., the
    authorize hook).
  * This hook is inviting bugs because it breaks a core assumption
    about `/p/r.*` URLs.

I think the hook should be deprecated and eventually removed.
2020-09-23 08:26:47 +01:00
Richard Hansen a000a93dc6 Refactor startup/shutdown for tests
  * `src/node/server.js` can now be run as a script (for normal
    operation) or imported as a module (for tests).
  * Move shutdown actions to `src/node/server.js` to be close to the
    startup actions.
  * Put startup and shutdown in functions so that tests can call them.
  * Use `await` instead of callbacks.
  * Block until the HTTP server is listening to avoid races during
    test startup.
  * Add a new `shutdown` hook.
  * Use the `shutdown` hook to:
      * close the HTTP server
      * call `end()` on the stats collection to cancel its timers
      * call `terminate()` on the Threads.Pool to stop the workers
  * Exit with exit code 0 (instead of 1) on SIGTERM.
  * Export the HTTP server so that tests can get the HTTP server's
    port via `server.address().port` when `settings.port` is 0.
2020-09-22 11:07:21 +01:00
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
Richard Hansen 80639fdc6a webaccess: Pass `settings.users` to the authenticate hook
Authentication plugins almost always want to read and modify
`settings.users`. The settings can already be accessed in a few other
ways, but this is much more convenient.
2020-09-15 19:26:24 +01:00
Richard Hansen 362b567276 docs: Revise documentation for handleMessage and handleMessageSecurity 2020-09-15 19:25:04 +01:00
Richard Hansen 55f201a2aa docs: Document the authFailure hook 2020-09-05 12:37:46 +01:00
Richard Hansen f0b7dc7c53
pluginfw: PadMessageHandler: Pass socket.io Socket object to clientVars hook (#4245)
Also revise the clientVars hook documentation.
2020-09-05 10:51:39 +01:00
Richard Hansen 4c0ab8a14e
docs: Document the authorize hook (#4233) 2020-09-04 18:52:25 +01:00
Richard Hansen aee1c3e7c5
docs: Document the authenticate hook (#4232) 2020-08-27 12:57:38 +01:00
b_b 66a56234fa
docs: index hooks / ref #3978 (#4077) 2020-06-03 10:55:44 +01:00
b_b 35f0217056
typo on index.html hooks (#3982)
just a typo, maybe the smallest commit in this repo :p
2020-05-13 11:25:57 +01:00
John McLear 2765a95774
Merge pull request #3218 from klausweiss/develop
Feature: New server-side hook: onAccessCheck
2018-04-03 13:38:47 +01:00
HairyFotr c7548450c0
Typos and minor fixes in bin, doc, and root 2017-09-14 13:33:27 +02:00
Mikołaj Biel 5c8a15c3d7 fix `sessionCookie` number in onAccessCheck 2017-07-12 00:28:51 +02:00
Mikołaj Biel 35702a0589 [feat] New server-side hook: onAccessCheck 2017-07-10 20:54:32 +02:00
Luiza Pagliari fc89034a55 [feat] New server-side hook: padCopy
Let plugins know when a pad is copied.
2017-05-18 18:52:14 -03:00
Adam Niederer 6d279f0ee1 Spelling fix
Also removes an extra space
2017-03-11 21:34:34 -05:00
Sjoerd Langkemper d48395089c Update called from for two hooks
`expressCreateServer` and `expressConfigure` are called from `express.js`, not
from `server.js`.
2017-01-17 14:59:24 +01:00
Mikk Andresen 4ad759dd25 Add postToolbarInit documentation and usage examples 2015-12-18 13:33:49 +02:00
Luiza Pagliari 92a8253449 Create hook exportHtmlAdditionalTagsWithData
The new hook does the same as exportHtmlAdditionalTags, but is declared
in another hook to avoid confusion about how to export tags when they
are stored as ['tag', 'value'] on attribute pool.

This complements #2762, as per @Gared suggestions.
2015-11-03 07:16:55 -02:00
Stefan 504cc102a0 Merge pull request #2762 from storytouch/exportTagsAsArrays
Accepting Arrays on 'exportHtmlAdditionalTags'
2015-10-17 18:24:18 +02:00
Luiza Pagliari 1d134f0b13 Fixing ed52626. It was closing the span with </span data-TAG=VALUE>, not </span> 2015-09-17 15:30:09 -03:00
Luiza Pagliari ed5262650a Generating pad HTML with tags like <span data-TAG="VALUE"> instead of <TAG:VALUE> 2015-09-07 03:55:56 -07:00
Luiza Pagliari 1a5985dc75 Accepting Arrays on 'exportHtmlAdditionalTags' to handle attributes stored as ['key', 'value'] (and not only ['key', 'true']) 2015-08-24 07:58:45 -07:00
Emily Xie 21f0d12d31 clientReady hook- pass entire message, updated doc 2015-07-20 11:45:41 -04:00
Xavid bc78e0c68d Update documentation for the updatePad and createPad hooks to include 'author'
in the context.
2015-06-21 11:34:59 -04:00
John McLear 48da5c1ab1 docs for handle message security 2015-05-20 01:09:35 +01:00
John McLear d31523aa08 Update hooks_server-side.md 2015-04-17 15:58:23 +01:00
Stefan 4c64b7a670 Revert 'asyncLineHTMLForExport' hook 2015-01-25 22:08:40 +01:00
John McLear 378ed02269 docs 2015-01-24 13:30:03 +00:00
John McLear 4ecf0dfad2 docs for export HTML 2015-01-24 02:24:10 +00:00
John McLear c878a957b7 fix issue in docs 2015-01-24 02:18:59 +00:00
John McLear fccfc3bd41 docs 2014-12-09 16:16:19 +00:00
John McLear b94a525e07 docs 2014-12-09 01:35:59 +00:00
John McLear ce004f9c59 docs 2014-12-08 19:48:02 +00:00
John McLear 2218cbd252 docs 2014-12-08 19:08:12 +00:00
Simon Gaeremynck 2f8b860e69 Added a `userLeave` hook that gets called when a user leaves a pad 2014-08-08 15:49:15 +01:00
John McLear d09e66e271 use call first and update docs 2014-05-12 15:08:32 +01:00
John McLear a8d9a3868d docs for new hook 2014-05-06 21:22:03 +01:00
Marcel Klehr a69793a203 Add docs for toolbar controller and pad_editbar 2014-03-16 15:43:38 +01:00
mluto 41cb5d8265 Added hook for clientVars and hook-doc 2013-01-14 22:51:26 +01:00
John McLear db1a1a0e3e Merge pull request #1034 from d-a-n/develop
Added hooks for pad events create/edit/load/remove
2012-10-05 17:28:40 -07:00
d-a-n 0fd8490ca6 Changed pad_id to padID to follow project standards. 2012-10-03 15:49:28 +03:00
d-a-n 754c559d63 Changed pad hook names to follow naming conventions. 2012-10-03 13:35:31 +03:00
Marcel Klehr 2684a1d295 Merge branch 'develop' into express-v3
Conflicts:
	src/node/hooks/express/errorhandling.js
2012-10-03 10:09:00 +02:00
d-a-n 4652751285 Updated docs for new pad hooks (add, edit, remove) 2012-10-02 22:32:30 +03:00
d-a-n c0f2e557d3 Updated docs for new pad hooks (add, edit, remove) 2012-10-02 22:11:54 +03:00
d-a-n 07c33c77c4 Updated docs for new pad hooks (add, edit, remove) 2012-10-02 22:10:18 +03:00
Gedion 3fe3df91ae update docs for new hooks and ace exposures 2012-09-30 17:13:14 -05:00
Marcel Klehr 1c38f5bab9 Update docs 2012-09-22 16:04:30 +02:00
Marcel Klehr 4416210471 Differentiate between http server and express app 2012-09-21 17:12:22 +02:00
Marcel Klehr 40572b13b9 Document how return values of hooks are handled. 2012-09-12 17:15:38 +02:00
Marcel Klehr 1bb8844f42 Document loadSettings hook. 2012-08-15 10:10:55 +02:00
Mark Holmquist 17375b2eed Fix doc format, add in makefile for docs
OK, first up, SOMEBODY *cough*analphabet*cough* screwed up the docs
by making them all use the wrong heading level. Not cool, guy. I
had to change them so they would compile right.

But anyway, now the docs will build into sexy-looking HTML and will
shortly be hosted on marktraceur.info.

Fixed the makefile to work properly.

Run:
 * `make clean` for removing old doc-build(s)
 * `make docs` for running new doc-build(s)
2012-08-13 21:11:39 -07:00
Marcel Klehr 70fb765118 Restructure headings. 2012-08-07 20:19:37 +02:00
Marcel Klehr 5fac05a395 Add docs. 2012-08-03 22:04:06 +02:00