Make app work with login.

2026-04-22 16:55:14 +02:00 · 2014-01-27 15:38:40 +09:00
parent d8ca15d002
commit f2066b35fa
15 changed files with 237 additions and 26 deletions
--- a/lib/roles/auth/ldap.js
+++ b/lib/roles/auth/ldap.js
@@ -7,6 +7,7 @@ var logger = require('../../util/logger')
 var requtil = require('../../util/requtil')
 var ldaputil = require('../../util/ldaputil')
 var jwtutil = require('../../util/jwtutil')
+var urlutil = require('../../util/urlutil')

 module.exports = function(options) {
  var log = logger.createLogger('auth-ldap')
@@ -33,12 +34,6 @@ module.exports = function(options) {
        requtil.validate(req, function() {
            req.checkBody('username').notEmpty()
            req.checkBody('password').notEmpty()
-
-            // This is a security risk. Someone might forward the user
-            // to the login page with their own redirect set, and they'd
-            // then be able to steal the token. Some kind of a whitelist
-            // or a fixed redirect URL is needed.
-            req.checkBody('redirect').isUrl()
          })
          .then(function() {
            return ldaputil.login(
@@ -56,14 +51,12 @@ module.exports = function(options) {
              }
            , secret: options.secret
            })
-            var target = url.parse(req.body.redirect)
-            target.query = {
-              jwt: token
-            }
            res.status(200)
              .json({
                success: true
-              , redirect: url.format(target)
+              , redirect: urlutil.addParams(options.appUrl, {
+                  jwt: token
+                })
              })
          })
          .catch(requtil.ValidationError, function(err) {