hackmdio
diff --git a/‎.buildpacks
Lines changed: 1 addition & 1 deletion b/‎.buildpacks
Lines changed: 1 addition & 1 deletion
diff --git a/‎.nvmrc
Lines changed: 1 addition & 1 deletion b/‎.nvmrc
Lines changed: 1 addition & 1 deletion
diff --git a/‎Aptfile
Lines changed: 1 addition & 0 deletions b/‎Aptfile
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎app.json
Lines changed: 8 additions & 0 deletions b/‎app.json
Lines changed: 8 additions & 0 deletions
diff --git a/‎config.json.example
Lines changed: 2 additions & 0 deletions b/‎config.json.example
Lines changed: 2 additions & 0 deletions
diff --git a/‎lib/auth/github/index.js
Lines changed: 34 additions & 2 deletions b/‎lib/auth/github/index.js
Lines changed: 34 additions & 2 deletions
diff --git a/‎lib/config/default.js
Lines changed: 3 additions & 1 deletion b/‎lib/config/default.js
Lines changed: 3 additions & 1 deletion
diff --git a/‎lib/config/environment.js
Lines changed: 3 additions & 1 deletion b/‎lib/config/environment.js
Lines changed: 3 additions & 1 deletion
diff --git a/‎lib/imageRouter/index.js
Lines changed: 11 additions & 6 deletions b/‎lib/imageRouter/index.js
Lines changed: 11 additions & 6 deletions
@@ -1,2 +1,2 @@
-https://github.com/alex88/heroku-buildpack-vips
+https://github.com/Scalingo/apt-buildpack
 https://github.com/Scalingo/nodejs-buildpack
@@ -1 +1 @@
-v10.20.1
+v12.22.12
@@ -0,0 +1 @@
+libvips-dev
@@ -81,7 +81,7 @@ CodiMD is a service that runs on Node.js, while users use the service through br
 - <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/chrome/chrome_48x48.png" alt="Chrome" width="24px" height="24px" /> Chrome >= 47, Chrome for Android >= 47
 - <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/safari/safari_48x48.png" alt="Safari" width="24px" height="24px" /> Safari >= 9, iOS Safari >= 8.4
 - <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/firefox/firefox_48x48.png" alt="Firefox" width="24px" height="24px" /> Firefox >= 44
-- <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/edge/edge_48x48.png" alt="IE / Edge" width="24px" height="24px" /> IE >= 9, Edge >= 12
+- <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/edge/edge_48x48.png" alt="Edge" width="24px" height="24px" /> Edge >= 12
 - <img src="https://raw.githubusercontent.com/alrra/browser-logos/master/src/opera/opera_48x48.png" alt="Opera" width="24px" height="24px" /> Opera >= 34, Opera Mini not supported
 - Android Browser >= 4.4
 
 
@@ -80,6 +80,14 @@
             "description": "GitHub API client secret",
             "required": false
         },
+        "CMD_GITHUB_ORGANIZATIONS": {
+            "description": "GitHub whitelist of orgs",
+            "required": false
+        },
+        "CMD_GITHUB_SCOPES": {
+            "description": "GitHub OAuth API scopes",
+            "required": false
+        },
         "CMD_BITBUCKET_CLIENTID": {
             "description": "Bitbucket API client id",
             "required": false
 
@@ -54,6 +54,8 @@
         "github": {
             "clientID": "change this",
             "clientSecret": "change this"
+            "organizations": ["names of github organizations allowed, optional"],
+            "scopes": ["defaults to 'read:user' scope for auth user"],
         },
         "gitlab": {
             "baseURL": "change this",
 
@@ -1,12 +1,17 @@
 'use strict'
 
 const Router = require('express').Router
+const request = require('request')
 const passport = require('passport')
 const GithubStrategy = require('passport-github').Strategy
+const { InternalOAuthError } = require('passport-oauth2')
 const config = require('../../config')
 const response = require('../../response')
 const { setReturnToFromReferer, passportGeneralCallback } = require('../utils')
 const { URL } = require('url')
+const { promisify } = require('util')
+
+const rp = promisify(request)
 
 const githubAuth = module.exports = Router()
 
@@ -15,20 +20,47 @@ function githubUrl (path) {
 }
 
 passport.use(new GithubStrategy({
+  scope: (config.github.organizations ?
+    config.github.scopes.concat(['read:org']) : config.github.scope),
   clientID: config.github.clientID,
   clientSecret: config.github.clientSecret,
   callbackURL: config.serverURL + '/auth/github/callback',
   authorizationURL: githubUrl('login/oauth/authorize'),
   tokenURL: githubUrl('login/oauth/access_token'),
   userProfileURL: githubUrl('api/v3/user')
-}, passportGeneralCallback))
+}, async (accessToken, refreshToken, profile, done) => {
+  if (!config.github.organizations) {
+    return passportGeneralCallback(accessToken, refreshToken, profile, done)
+  }
+  const { statusCode, body: data } = await rp({
+    url: `https://api.github.com/user/orgs`,
+    method: 'GET', json: true, timeout: 2000,
+    headers: {
+      'Authorization': `token ${accessToken}`,
+      'User-Agent': 'nodejs-http'
+    }
+  })
+  if (statusCode != 200) {
+    return done(InternalOAuthError(
+      `Failed to query organizations for user: ${profile.username}`
+    ))
+  }
+  const orgs = data.map(({login}) => login)
+  for (const org of orgs) {
+    if (config.github.organizations.includes(org)) {
+      return passportGeneralCallback(accessToken, refreshToken, profile, done)
+    }
+  }
+  return done(InternalOAuthError(
+    `User orgs not whitelisted: ${profile.username} (${orgs.join(',')})`
+  ))
+}))
 
 githubAuth.get('/auth/github', function (req, res, next) {
   setReturnToFromReferer(req)
   passport.authenticate('github')(req, res, next)
 })
 
-// github auth callback
 githubAuth.get('/auth/github/callback',
   passport.authenticate('github', {
     successReturnToOrRedirect: config.serverURL + '/',
 
@@ -115,7 +115,9 @@ module.exports = {
   github: {
     enterpriseURL: undefined, // if you use github.com, not need to specify
     clientID: undefined,
-    clientSecret: undefined
+    clientSecret: undefined,
+    organizations: [],
+    scopes: ['read:user']
   },
   gitlab: {
     baseURL: undefined,
 
@@ -69,7 +69,9 @@ module.exports = {
   github: {
     enterpriseURL: process.env.CMD_GITHUB_ENTERPRISE_URL,
     clientID: process.env.CMD_GITHUB_CLIENTID,
-    clientSecret: process.env.CMD_GITHUB_CLIENTSECRET
+    clientSecret: process.env.CMD_GITHUB_CLIENTSECRET,
+    organizations: toArrayConfig(process.env.CMD_GITHUB_ORGANIZATIONS),
+    scopes: toArrayConfig(process.env.CMD_GITHUB_SCOPES),
   },
   bitbucket: {
     clientID: process.env.CMD_BITBUCKET_CLIENTID,
 
@@ -16,13 +16,18 @@ const response = require('../response')
 const imageRouter = module.exports = Router()
 
 function checkImageValid (filepath) {
-  const buffer = readChunk.sync(filepath, 0, 12)
-  /** @type {{ ext: string, mime: string } | null} */
-  const mimetypeFromBuf = imageType(buffer)
-  const mimeTypeFromExt = mime.lookup(path.extname(filepath))
+  try {
+    const buffer = readChunk.sync(filepath, 0, 12)
+    /** @type {{ ext: string, mime: string } | null} */
+    const mimetypeFromBuf = imageType(buffer)
+    const mimeTypeFromExt = mime.lookup(path.extname(filepath))
 
-  return mimetypeFromBuf && config.allowedUploadMimeTypes.includes(mimetypeFromBuf.mime) &&
-         mimeTypeFromExt && config.allowedUploadMimeTypes.includes(mimeTypeFromExt)
+    return mimetypeFromBuf && config.allowedUploadMimeTypes.includes(mimetypeFromBuf.mime) &&
+          mimeTypeFromExt && config.allowedUploadMimeTypes.includes(mimeTypeFromExt)
+  } catch (err) {
+    logger.error(err)
+    return false
+  }
 }
 
 // upload image
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-https://github.com/alex88/heroku-buildpack-vips`
	`1`	`+https://github.com/Scalingo/apt-buildpack`
`2`	`2`	`https://github.com/Scalingo/nodejs-buildpack`