Fixed so that capability discovery points to valid APIs

megoth · kjetilk · commit 1bc05b1dfdf8 · 2019-03-15T16:06:44.000+01:00
Login and logout should be accessible on subdomains

Restricting access to API endpoints to top domain
diff --git a/lib/capability-discovery.js b/lib/capability-discovery.js
@@ -3,23 +3,7 @@
  * @module capability-discovery
  */
 const express = require('express')
-const restrictToTopDomain = require('./handlers/restrict-to-top-domain')
-
-const serviceConfigDefaults = {
-  'api': {
-    'accounts': {
-      // 'changePassword': '/api/account/changePassword',
-      // 'delete': '/api/accounts/delete',
-
-      // Create new user (see IdentityProvider.post() in identity-provider.js)
-      'new': '/api/accounts/new',
-      'recover': '/api/accounts/recover',
-      'signin': '/login',
-      'signout': '/logout',
-      'validateToken': '/api/accounts/validateToken'
-    }
-  }
-}
+const { URL } = require('url')
 
 module.exports = capabilityDiscovery
 
@@ -32,7 +16,7 @@ function capabilityDiscovery () {
   const router = express.Router('/')
 
   // Advertise the server capability discover endpoint
-  router.get('/.well-known/solid', restrictToTopDomain, serviceCapabilityDocument(serviceConfigDefaults))
+  router.get('/.well-known/solid', serviceCapabilityDocument())
   return router
 }
 
@@ -44,12 +28,27 @@ function capabilityDiscovery () {
  * @param res
  * @param next
  */
-function serviceCapabilityDocument (serviceConfig) {
+function serviceCapabilityDocument () {
   return (req, res) => {
-    // Add the server root url
-    serviceConfig.root = req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, req.path)
-    // Add the 'apps' urls section
-    serviceConfig.apps = req.app.locals.appUrls
-    res.json(serviceConfig)
+    const ldp = req.app.locals.ldp
+    res.json({
+      // Add the server root url
+      root: req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, req.path),
+      // Add the 'apps' urls section
+      apps: req.app.locals.appUrls,
+      api: {
+        accounts: {
+          // 'changePassword': '/api/account/changePassword',
+          // 'delete': '/api/accounts/delete',
+
+          // Create new user (see IdentityProvider.post() in identity-provider.js)
+          new: new URL('/api/accounts/new', ldp.serverUri),
+          recover: new URL('/api/accounts/recover', ldp.serverUri),
+          signin: req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, '/login'),
+          signout: req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, '/logout'),
+          validateToken: new URL('/api/accounts/validateToken', ldp.serverUri)
+        }
+      }
+    })
   }
 }
diff --git a/lib/handlers/restrict-to-top-domain.js b/lib/handlers/restrict-to-top-domain.js
@@ -8,5 +8,6 @@ module.exports = function (req, res, next) {
   if (hostname === serverUri) {
     return next()
   }
-  return next(new HTTPError(403, 'Not allowed to access top-level APIs on accounts'))
+  const isLoggedIn = !!(req.session && req.session.userId)
+  return next(new HTTPError(isLoggedIn ? 403 : 401, 'Not allowed to access top-level APIs on accounts'))
 }

Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,6 @@ module.exports = function (req, res, next) {`
`8`	`8`	`if (hostname === serverUri) {`
`9`	`9`	`return next()`
`10`	`10`	`}`
`11`		`- return next(new HTTPError(403, 'Not allowed to access top-level APIs on accounts'))`
	`11`	`+ const isLoggedIn = !!(req.session && req.session.userId)`
	`12`	`+ return next(new HTTPError(isLoggedIn ? 403 : 401, 'Not allowed to access top-level APIs on accounts'))`
`12`	`13`	`}`