Merge pull request #793 from solid/fix/allow-external-logout

RubenVerborgh · web-flow · commit d256943461d5 · 2018-09-28T14:09:45.000+02:00
Do not block third-party cookies from reaching auth handlers
diff --git a/lib/create-app.js b/lib/create-app.js
@@ -167,24 +167,7 @@ function initWebId (argv, app, ldp) {
   // (for same-domain browsing by people only)
   const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
   const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
-  app.use((req, res, next) => {
-    sessionHandler(req, res, () => {
-      // Reject cookies from third-party applications.
-      // Otherwise, when a user is logged in to their Solid server,
-      // any third-party application could perform authenticated requests
-      // without permission by including the credentials set by the Solid server.
-      const origin = req.headers.origin
-      const userId = req.session.userId
-      if (!argv.host.allowsSessionFor(userId, origin)) {
-        debug(`Rejecting session for ${userId} from ${origin}`)
-        // Destroy session data
-        delete req.session.userId
-        // Ensure this modified session is not saved
-        req.session.save = (done) => done()
-      }
-      next()
-    })
-  })
+  app.use(sessionHandler)
 
   let accountManager = AccountManager.from({
     authMethod: argv.auth,
@@ -203,6 +186,25 @@ function initWebId (argv, app, ldp) {
   // Set up authentication-related API endpoints and app.locals
   initAuthentication(app, argv)
 
+  // Protect against requests from third-party applications
+  app.use((req, res, next) => {
+    // Reject cookies from third-party applications.
+    // Otherwise, when a user is logged in to their Solid server,
+    // any third-party application could perform authenticated requests
+    // without permission by including the credentials set by the Solid server.
+    const origin = req.headers.origin
+    const userId = req.session.userId
+    if (!argv.host.allowsSessionFor(userId, origin)) {
+      debug(`Rejecting session for ${userId} from ${origin}`)
+      // Destroy session data
+      delete req.session.userId
+      // Ensure this modified session is not saved
+      req.session.save = done => done()
+    }
+    next()
+  })
+
+  // Set up per-host LDP middleware
   if (argv.multiuser) {
     app.use(vhost('*', LdpMiddleware(corsSettings)))
   }
