Restricting access to API endpoints to top domain

Author: megoth

lib/api/accounts/user-accounts.js

@@ -4,6 +4,8 @@ const express = require('express')
 const bodyParser = require('body-parser').urlencoded({ extended: false })
 const debug = require('../../debug').accounts
 
+const restrictToTopDomain = require('../../handlers/restrict-to-top-domain')
+
 const CreateAccountRequest = require('../../requests/create-account-request')
 const AddCertificateRequest = require('../../requests/add-cert-request')
 const DeleteAccountRequest = require('../../requests/delete-account-request')
@@ -65,16 +67,16 @@ function middleware (accountManager) {
 
   router.get('/', checkAccountExists(accountManager))
 
-  router.post('/api/accounts/new', bodyParser, CreateAccountRequest.post)
-  router.get(['/register', '/api/accounts/new'], CreateAccountRequest.get)
+  router.post('/api/accounts/new', restrictToTopDomain, bodyParser, CreateAccountRequest.post)
+  router.get(['/register', '/api/accounts/new'], restrictToTopDomain, CreateAccountRequest.get)
 
-  router.post('/api/accounts/cert', bodyParser, newCertificate(accountManager))
+  router.post('/api/accounts/cert', restrictToTopDomain, bodyParser, newCertificate(accountManager))
 
-  router.get('/account/delete', DeleteAccountRequest.get)
-  router.post('/account/delete', bodyParser, DeleteAccountRequest.post)
+  router.get('/account/delete', restrictToTopDomain, DeleteAccountRequest.get)
+  router.post('/account/delete', restrictToTopDomain, bodyParser, DeleteAccountRequest.post)
 
-  router.get('/account/delete/confirm', DeleteAccountConfirmRequest.get)
-  router.post('/account/delete/confirm', bodyParser, DeleteAccountConfirmRequest.post)
+  router.get('/account/delete/confirm', restrictToTopDomain, DeleteAccountConfirmRequest.get)
+  router.post('/account/delete/confirm', restrictToTopDomain, bodyParser, DeleteAccountConfirmRequest.post)
 
   return router
 }

lib/api/authn/webid-oidc.js

@@ -9,6 +9,8 @@ const bodyParser = require('body-parser').urlencoded({ extended: false })
 const OidcManager = require('../../models/oidc-manager')
 const { LoginRequest } = require('../../requests/login-request')
 
+const restrictToTopDomain = require('../../handlers/restrict-to-top-domain')
+
 const PasswordResetEmailRequest = require('../../requests/password-reset-email-request')
 const PasswordChangeRequest = require('../../requests/password-change-request')
 
@@ -65,29 +67,29 @@ function middleware (oidc) {
   const router = express.Router('/')
 
   // User-facing Authentication API
-  router.get(['/login', '/signin'], LoginRequest.get)
+  router.get(['/login', '/signin'], restrictToTopDomain, LoginRequest.get)
 
-  router.post('/login/password', bodyParser, LoginRequest.loginPassword)
+  router.post('/login/password', restrictToTopDomain, bodyParser, LoginRequest.loginPassword)
 
-  router.post('/login/tls', bodyParser, LoginRequest.loginTls)
+  router.post('/login/tls', restrictToTopDomain, bodyParser, LoginRequest.loginTls)
 
-  router.get('/account/password/reset', PasswordResetEmailRequest.get)
-  router.post('/account/password/reset', bodyParser, PasswordResetEmailRequest.post)
+  router.get('/account/password/reset', restrictToTopDomain, PasswordResetEmailRequest.get)
+  router.post('/account/password/reset', restrictToTopDomain, bodyParser, PasswordResetEmailRequest.post)
 
-  router.get('/account/password/change', PasswordChangeRequest.get)
-  router.post('/account/password/change', bodyParser, PasswordChangeRequest.post)
+  router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
+  router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
 
-  router.get('/.well-known/solid/logout/', (req, res) => res.redirect('/logout'))
+  router.get('/.well-known/solid/logout/', restrictToTopDomain, (req, res) => res.redirect('/logout'))
 
-  router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })
+  router.get('/goodbye', restrictToTopDomain, (req, res) => { res.render('auth/goodbye') })
 
   // The relying party callback is called at the end of the OIDC signin process
-  router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)
+  router.get('/api/oidc/rp/:issuer_id', restrictToTopDomain, AuthCallbackRequest.get)
 
   // Static assets related to authentication
   const authAssets = [
-    ['/.well-known/solid/login/', '../static/popup-redirect.html', false],
-    ['/common/', 'solid-auth-client/dist-popup/popup.html']
+    ['/.well-known/solid/login/', '../static/popup-redirect.html', false, true],
+    ['/common/', 'solid-auth-client/dist-popup/popup.html', true, true]
   ]
   authAssets.map(args => routeResolvedFile(router, ...args))
 

lib/capability-discovery.js

@@ -3,6 +3,7 @@
  * @module capability-discovery
  */
 const express = require('express')
+const restrictToTopDomain = require('./handlers/restrict-to-top-domain')
 
 const serviceConfigDefaults = {
   'api': {
@@ -31,7 +32,7 @@ function capabilityDiscovery () {
   const router = express.Router('/')
 
   // Advertise the server capability discover endpoint
-  router.get('/.well-known/solid', serviceCapabilityDocument(serviceConfigDefaults))
+  router.get('/.well-known/solid', restrictToTopDomain, serviceCapabilityDocument(serviceConfigDefaults))
   return router
 }
 

lib/handlers/restrict-to-top-domain.js

@@ -0,0 +1,12 @@
+const HTTPError = require('../http-error')
+
+module.exports = function (req, res, next) {
+  const locals = req.app.locals
+  const ldp = locals.ldp
+  const serverUri = locals.host.serverUri
+  const hostname = ldp.resourceMapper.resolveUrl(req.hostname)
+  if (hostname === serverUri) {
+    return next()
+  }
+  return next(new HTTPError(403, 'Not allowed to access top-level APIs on accounts'))
+}

lib/utils.js

@@ -21,6 +21,7 @@ const url = require('url')
 const debug = require('./debug').fs
 const getSize = require('get-folder-size')
 var ns = require('solid-namespace')($rdf)
+const restrictToTopDomainHandler = require('./handlers/restrict-to-top-domain')
 
 /**
  * Returns a fully qualified URL from an Express.js Request object.
@@ -178,10 +179,11 @@ function stripLineEndings (obj) {
 /**
  * Adds a route that serves a static file from another Node module
  */
-function routeResolvedFile (router, path, file, appendFileName = true) {
+function routeResolvedFile (router, path, file, appendFileName = true, restrictToTopDomain = false) {
   const fullPath = appendFileName ? path + file.match(/[^/]+$/) : path
   const fullFile = require.resolve(file)
-  router.get(fullPath, (req, res) => res.sendFile(fullFile))
+  const restrictHandler = restrictToTopDomain ? restrictToTopDomainHandler : (req, res, next) => next()
+  router.get(fullPath, restrictHandler, (req, res) => res.sendFile(fullFile))
 }
 
 /**

test/integration/account-creation-oidc-test.js

@@ -80,21 +80,21 @@ describe('AccountManager (OIDC account creation tests)', function () {
     })
 
     it('should not create WebID if no username is given', (done) => {
-      let subdomain = supertest('https://nicola.' + host)
+      let subdomain = supertest('https://' + host)
       subdomain.post('/api/accounts/new')
         .send('username=&password=12345')
         .expect(400, done)
     })
 
     it('should not create WebID if no password is given', (done) => {
-      let subdomain = supertest('https://nicola.' + host)
+      let subdomain = supertest('https://' + host)
       subdomain.post('/api/accounts/new')
         .send('username=nicola&password=')
         .expect(400, done)
     })
 
     it('should not create a WebID if it already exists', function (done) {
-      var subdomain = supertest('https://nicola.' + host)
+      var subdomain = supertest('https://' + host)
       subdomain.post('/api/accounts/new')
         .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
@@ -112,14 +112,14 @@ describe('AccountManager (OIDC account creation tests)', function () {
     })
 
     it('should not create WebID if T&C is not accepted', (done) => {
-      let subdomain = supertest('https://nicola.' + host)
+      let subdomain = supertest('https://' + host)
       subdomain.post('/api/accounts/new')
         .send('username=nicola&password=12345&acceptToc=')
         .expect(400, done)
     })
 
     it('should create the default folders', function (done) {
-      var subdomain = supertest('https://nicola.' + host)
+      var subdomain = supertest('https://' + host)
       subdomain.post('/api/accounts/new')
         .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
@@ -150,14 +150,15 @@ describe('AccountManager (OIDC account creation tests)', function () {
     }).timeout(20000)
 
     it('should link WebID to the root account', function (done) {
-      var subdomain = supertest('https://nicola.' + host)
-      subdomain.post('/api/accounts/new')
+      const domain = supertest('https://' + host)
+      domain.post('/api/accounts/new')
         .send('username=nicola&password=12345&acceptToc=true')
         .expect(302)
         .end(function (err) {
           if (err) {
             return done(err)
           }
+          const subdomain = supertest('https://nicola.' + host)
           subdomain.get('/.meta')
             .expect(200)
             .end(function (err, data) {
@@ -185,7 +186,7 @@ describe('AccountManager (OIDC account creation tests)', function () {
 
     describe('after setting up account', () => {
       beforeEach(done => {
-        var subdomain = supertest('https://nicola.' + host)
+        var subdomain = supertest('https://' + host)
         subdomain.post('/api/accounts/new')
           .send('username=nicola&password=12345&acceptToc=true')
           .end(done)
@@ -294,7 +295,7 @@ describe('Signup page where Terms & Conditions are not being enforced', () => {
   })
 
   it('should not enforce T&C upon creating account', function (done) {
-    var subdomain = supertest('https://nicola.' + host)
+    var subdomain = supertest('https://' + host)
     subdomain.post('/api/accounts/new')
       .send('username=nicola&password=12345')
       .expect(302, done)