Use mountPath for all log in and log out redirects (#605)

* Use mountPath for all log in and log out redirects

Fixes #604

* Fix e2e tests

* Revert "Fix e2e tests"

This reverts commit 7f37275.

* Add more e2e tests to check handling of different mount paths

* Wait for dashboard to mount in order to get proper/reliable mountpath

* Remove commented out old getMount code

Author: JeremyPlease

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### NEXT RELEASE
 
+* Fix: Use mountPath for all log in and log out redirects
 * _Contributing to this repo? Add info about your change here to be included in next release_
 
 ### 1.0.20

Parse-Dashboard/Authentication.js

@@ -6,14 +6,15 @@ var LocalStrategy = require('passport-local').Strategy;
 
 /**
  * Constructor for Authentication class
- * 
+ *
  * @class Authentication
  * @param {Object[]} validUsers
  * @param {boolean} useEncryptedPasswords
  */
-function Authentication(validUsers, useEncryptedPasswords) {
+function Authentication(validUsers, useEncryptedPasswords, mountPath) {
   this.validUsers = validUsers;
   this.useEncryptedPasswords = useEncryptedPasswords || false;
+  this.mountPath = mountPath;
 }
 
 function initialize(app) {
@@ -57,21 +58,21 @@ function initialize(app) {
   app.post('/login',
     csrf(),
     passport.authenticate('local', {
-      successRedirect: '/apps',
-      failureRedirect: '/login',
+      successRedirect: `${self.mountPath}apps`,
+      failureRedirect: `${self.mountPath}login`,
       failureFlash : true
     })
   );
 
   app.get('/logout', function(req, res){
     req.logout();
-    res.redirect('/login');
+    res.redirect(`${self.mountPath}login`);
   });
 }
 
 /**
  * Authenticates the `userToTest`
- * 
+ *
  * @param {Object} userToTest
  * @returns {Object} Object with `isAuthenticated` and `appsUserHasAccessTo` properties
  */
@@ -97,7 +98,7 @@ function authenticate(userToTest, usernameOnly) {
 
       return isAuthenticated;
     }) ? true : false;
-  
+
   return {
     isAuthenticated,
     matchingUsername,

Parse-Dashboard/app.js

@@ -17,11 +17,8 @@ packageJson('parse-dashboard', 'latest').then(latestPackage => {
   }
 });
 
-function getMount(req) {
-  let url = req.url;
-  let originalUrl = req.originalUrl;
-  var mountPathLength = req.originalUrl.length - req.url.length;
-  var mountPath = req.originalUrl.slice(0, mountPathLength);
+function getMount(mountPath) {
+  mountPath = mountPath || '';
   if (!mountPath.endsWith('/')) {
     mountPath += '/';
   }
@@ -59,149 +56,152 @@ module.exports = function(config, allowInsecureHTTP) {
     app.enable('trust proxy');
   }
 
-  const users = config.users;
-  const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
-  const authInstance = new Authentication(users, useEncryptedPasswords);
-  authInstance.initialize(app);
-
-  // CSRF error handler 
-  app.use(function (err, req, res, next) {
-    if (err.code !== 'EBADCSRFTOKEN') return next(err)
-
-    // handle CSRF token errors here 
-    res.status(403)
-    res.send('form tampered with')
-  });
-
-  // Serve the configuration.
-  app.get('/parse-dashboard-config.json', function(req, res) {
-    let response = {
-      apps: config.apps,
-      newFeaturesInLatestVersion: newFeaturesInLatestVersion,
-    };
-
-    //Based on advice from Doug Wilson here:
-    //https://github.com/expressjs/express/issues/2518
-    const requestIsLocal =
-      req.connection.remoteAddress === '127.0.0.1' ||
-      req.connection.remoteAddress === '::ffff:127.0.0.1' ||
-      req.connection.remoteAddress === '::1';
-    if (!requestIsLocal && !req.secure && !allowInsecureHTTP) {
-      //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
-      return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
-    }
+  // wait for app to mount in order to get mountpath
+  app.on('mount', function() {
+    const mountPath = getMount(app.mountpath);
+    const users = config.users;
+    const useEncryptedPasswords = config.useEncryptedPasswords ? true : false;
+    const authInstance = new Authentication(users, useEncryptedPasswords, mountPath);
+    authInstance.initialize(app);
+
+    // CSRF error handler
+    app.use(function (err, req, res, next) {
+      if (err.code !== 'EBADCSRFTOKEN') return next(err)
+
+      // handle CSRF token errors here
+      res.status(403)
+      res.send('form tampered with')
+    });
 
-    if (!requestIsLocal && !users) {
-      //Accessing the dashboard over the internet can only be done with username and password
-      return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
-    }
+    // Serve the configuration.
+    app.get('/parse-dashboard-config.json', function(req, res) {
+      let response = {
+        apps: config.apps,
+        newFeaturesInLatestVersion: newFeaturesInLatestVersion,
+      };
+
+      //Based on advice from Doug Wilson here:
+      //https://github.com/expressjs/express/issues/2518
+      const requestIsLocal =
+        req.connection.remoteAddress === '127.0.0.1' ||
+        req.connection.remoteAddress === '::ffff:127.0.0.1' ||
+        req.connection.remoteAddress === '::1';
+      if (!requestIsLocal && !req.secure && !allowInsecureHTTP) {
+        //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
+        return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
+      }
 
-    const authentication = req.user;
+      if (!requestIsLocal && !users) {
+        //Accessing the dashboard over the internet can only be done with username and password
+        return res.send({ success: false, error: 'Configure a user to access Parse Dashboard remotely' });
+      }
 
-    const successfulAuth = authentication && authentication.isAuthenticated;
-    const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
+      const authentication = req.user;
+
+      const successfulAuth = authentication && authentication.isAuthenticated;
+      const appsUserHasAccess = authentication && authentication.appsUserHasAccessTo;
+
+      if (successfulAuth) {
+        if (appsUserHasAccess) {
+          // Restric access to apps defined in user dictionary
+          // If they didn't supply any app id, user will access all apps
+          response.apps = response.apps.filter(function (app) {
+            return appsUserHasAccess.find(appUserHasAccess => {
+              return app.appId == appUserHasAccess.appId
+            })
+          });
+        }
+        // They provided correct auth
+        return res.json(response);
+      }
 
-    if (successfulAuth) {
-      if (appsUserHasAccess) {
-        // Restric access to apps defined in user dictionary
-        // If they didn't supply any app id, user will access all apps
-        response.apps = response.apps.filter(function (app) {
-          return appsUserHasAccess.find(appUserHasAccess => {
-            return app.appId == appUserHasAccess.appId
-          })
-        });
+      if (users) {
+        //They provided incorrect auth
+        return res.sendStatus(401);
       }
-      // They provided correct auth
-      return res.json(response);
-    }
 
-    if (users) {
-      //They provided incorrect auth
-      return res.sendStatus(401);
-    }
+      //They didn't provide auth, and have configured the dashboard to not need auth
+      //(ie. didn't supply usernames and passwords)
+      if (requestIsLocal) {
+        //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
+        return res.json(response);
+      }
+      //We shouldn't get here. Fail closed.
+      res.send({ success: false, error: 'Something went wrong.' });
+    });
 
-    //They didn't provide auth, and have configured the dashboard to not need auth
-    //(ie. didn't supply usernames and passwords)
-    if (requestIsLocal) {
-      //Allow no-auth access on localhost only, if they have configured the dashboard to not need auth
-      return res.json(response);
+    // Serve the app icons. Uses the optional `iconsFolder` parameter as
+    // directory name, that was setup in the config file.
+    // We are explicitly not using `__dirpath` here because one may be
+    // running parse-dashboard from globally installed npm.
+    if (config.iconsFolder) {
+      try {
+        var stat = fs.statSync(config.iconsFolder);
+        if (stat.isDirectory()) {
+          app.use('/appicons', express.static(config.iconsFolder));
+          //Check also if the icons really exist
+          checkIfIconsExistForApps(config.apps, config.iconsFolder);
+        }
+      } catch (e) {
+        // Directory doesn't exist or something.
+        console.warn("Iconsfolder at path: " + config.iconsFolder +
+          " not found!");
+      }
     }
-    //We shouldn't get here. Fail closed.
-    res.send({ success: false, error: 'Something went wrong.' });
-  });
 
-  // Serve the app icons. Uses the optional `iconsFolder` parameter as
-  // directory name, that was setup in the config file.
-  // We are explicitly not using `__dirpath` here because one may be
-  // running parse-dashboard from globally installed npm.
-  if (config.iconsFolder) {
-    try {
-      var stat = fs.statSync(config.iconsFolder);
-      if (stat.isDirectory()) {
-        app.use('/appicons', express.static(config.iconsFolder));
-        //Check also if the icons really exist
-        checkIfIconsExistForApps(config.apps, config.iconsFolder);
+    app.get('/login', csrf(), function(req, res) {
+      if (!users || (req.user && req.user.isAuthenticated)) {
+        return res.redirect(`${mountPath}apps`);
       }
-    } catch (e) {
-      // Directory doesn't exist or something.
-      console.warn("Iconsfolder at path: " + config.iconsFolder +
-        " not found!");
-    }
-  }
 
-  app.get('/login', csrf(), function(req, res) {
-    if (!users || (req.user && req.user.isAuthenticated)) {
-      return res.redirect('/apps');
-    }
-    let mountPath = getMount(req);
-    let errors = req.flash('error');
-    if (errors && errors.length) {
-      errors = `<div id="login_errors" style="display: none;">
-        ${errors.join(' ')}
-      </div>`
-    }
-    res.send(`<!DOCTYPE html>
-      <head>
-        <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
-        <base href="${mountPath}"/>
-        <script>
-          PARSE_DASHBOARD_PATH = "${mountPath}";
-        </script>
-      </head>
-      <html>
-        <title>Parse Dashboard</title>
-        <body>
-          <div id="login_mount"></div>
-          ${errors}
-          <script id="csrf" type="application/json">"${req.csrfToken()}"</script>
-          <script src="${mountPath}bundles/login.bundle.js"></script>
-        </body>
-      </html>
-    `);
-  });
+      let errors = req.flash('error');
+      if (errors && errors.length) {
+        errors = `<div id="login_errors" style="display: none;">
+          ${errors.join(' ')}
+        </div>`
+      }
+      res.send(`<!DOCTYPE html>
+        <head>
+          <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
+          <base href="${mountPath}"/>
+          <script>
+            PARSE_DASHBOARD_PATH = "${mountPath}";
+          </script>
+        </head>
+        <html>
+          <title>Parse Dashboard</title>
+          <body>
+            <div id="login_mount"></div>
+            ${errors}
+            <script id="csrf" type="application/json">"${req.csrfToken()}"</script>
+            <script src="${mountPath}bundles/login.bundle.js"></script>
+          </body>
+        </html>
+      `);
+    });
 
-  // For every other request, go to index.html. Let client-side handle the rest.
-  app.get('/*', function(req, res) {
-    if (users && (!req.user || !req.user.isAuthenticated)) {
-      return res.redirect('/login');
-    }
-    let mountPath = getMount(req);
-    res.send(`<!DOCTYPE html>
-      <head>
-        <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
-        <base href="${mountPath}"/>
-        <script>
-          PARSE_DASHBOARD_PATH = "${mountPath}";
-        </script>
-      </head>
-      <html>
-        <title>Parse Dashboard</title>
-        <body>
-          <div id="browser_mount"></div>
-          <script src="${mountPath}bundles/dashboard.bundle.js"></script>
-        </body>
-      </html>
-    `);
+    // For every other request, go to index.html. Let client-side handle the rest.
+    app.get('/*', function(req, res) {
+      if (users && (!req.user || !req.user.isAuthenticated)) {
+        return res.redirect(`${mountPath}login`);
+      }
+      res.send(`<!DOCTYPE html>
+        <head>
+          <link rel="shortcut icon" type="image/x-icon" href="${mountPath}favicon.ico" />
+          <base href="${mountPath}"/>
+          <script>
+            PARSE_DASHBOARD_PATH = "${mountPath}";
+          </script>
+        </head>
+        <html>
+          <title>Parse Dashboard</title>
+          <body>
+            <div id="browser_mount"></div>
+            <script src="${mountPath}bundles/dashboard.bundle.js"></script>
+          </body>
+        </html>
+      `);
+    });
   });
 
   return app;

src/components/Sidebar/FooterMenu.react.js

@@ -12,7 +12,7 @@ import React    from 'react';
 import styles   from 'components/Sidebar/Sidebar.scss';
 
 let host = location.host.split('.');
-let urlRoot = location.protocol + '//' + host.slice(host.length - 2).join('.');
+let mountPath = window.PARSE_DASHBOARD_PATH;
 
 export default class FooterMenu extends React.Component {
   constructor() {
@@ -42,7 +42,7 @@ export default class FooterMenu extends React.Component {
           position={this.state.position}
           onExternalClick={() => this.setState({ show: false })}>
           <div className={styles.popup}>
-            <a href={`${urlRoot}/logout`}>Log Out <span className={styles.emoji}>👋</span></a>
+            <a href={`${mountPath}logout`}>Log Out <span className={styles.emoji}>👋</span></a>
             <a target='_blank' href='https://www.parse.com/docs/server/guide'>Server Guide <span className={styles.emoji}>📚</span></a>
             <a target='_blank' href='https://www.parse.com/help'>Help <span className={styles.emoji}>💊</span></a>
           </div>