Merge pull request #1140 from michielbdejong/redo-1118

Redo #1118

Author: kjetilk

lib/acl-checker.js

@@ -16,11 +16,10 @@ class ACLChecker {
   constructor (resource, options = {}) {
     this.resource = resource
     this.resourceUrl = new URL(resource)
-    this.agentOrigin = options.agentOrigin
+    this.agentOrigin = options.strictOrigin && options.agentOrigin ? rdf.sym(options.agentOrigin) : null
     this.fetch = options.fetch
     this.fetchGraph = options.fetchGraph
-    this.strictOrigin = options.strictOrigin
-    this.trustedOrigins = options.trustedOrigins
+    this.trustedOrigins = options.strictOrigin && options.trustedOrigins ? options.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
     this.suffix = options.suffix || DEFAULT_ACL_SUFFIX
     this.aclCached = {}
     this.messagesCached = {}
@@ -56,17 +55,14 @@ class ACLChecker {
     const aclFile = rdf.sym(acl.acl)
     const agent = user ? rdf.sym(user) : null
     const modes = [ACL(mode)]
-    const agentOrigin = this.agentOrigin ? rdf.sym(this.agentOrigin) : null
-    const trustedOrigins = this.trustedOrigins ? this.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
+    const agentOrigin = this.agentOrigin
+    const trustedOrigins = this.trustedOrigins
     const accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins)
-    if (accessDenied && this.agentOrigin && this.resourceUrl.origin !== this.agentOrigin) {
-      this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
-    } else if (accessDenied && user) {
+
+    if (accessDenied && user) {
       this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
-    } else if (accessDenied && !user) {
-      this.messagesCached[cacheKey].push(HTTPError(401, 'Unauthenticated'))
     } else if (accessDenied) {
-      this.messagesCached[cacheKey].push(HTTPError(401, accessDenied))
+      this.messagesCached[cacheKey].push(HTTPError(401, 'Unauthenticated'))
     }
     this.aclCached[cacheKey] = Promise.resolve(!accessDenied)
     return this.aclCached[cacheKey]

lib/create-app.js

@@ -212,14 +212,27 @@ function initWebId (argv, app, ldp) {
   // without permission by including the credentials set by the Solid server.
   app.use((req, res, next) => {
     const origin = req.get('origin')
-    const trustedOrigins = argv.trustedOrigins
+    const trustedOrigins = ldp.getTrustedOrigins(req)
     const userId = req.session.userId
     // Exception: allow logout requests from all third-party apps
     // such that OIDC client can log out via cookie auth
     // TODO: remove this exception when OIDC clients
     // use Bearer token to authenticate instead of cookie
     // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003)
-    if (!argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) {
+    //
+    // Authentication cookies are an optimization:
+    // instead of going through the process of
+    // fully validating authentication on every request,
+    // we go through this process once,
+    // and store its successful result in a cookie
+    // that will be reused upon the next request.
+    // However, that cookie can then be sent by any server,
+    // even servers that have not gone through the proper authentication mechanism.
+    // However, if trusted origins are enabled,
+    // then any origin is allowed to take the shortcut route,
+    // since malicious origins will be banned at the ACL checking phase.
+    // https://github.com/solid/node-solid-server/issues/1117
+    if (!argv.strictOrigin && !argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) {
       debug.authentication(`Rejecting session for ${userId} from ${origin}`)
       // Destroy session data
       delete req.session.userId

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.0.0-beta.9",
+  "version": "5.0.0-beta.8",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "[email protected]"