chore: Refactor authentication pass between subdomains (#1619)

* fix: Use get request instead of cookie to transfer token between domains * Add domain to database Add redirects to team domain when present * 30s -> 1m * fix: Avoid redirect loop if subdomain and domain set * fix: Create a transfer specific token to prevent replay requests * refactor: Move isCustomDomain out of shared as it won't work on the client
2020-11-04 19:54:04 -08:00
parent 3d09c8f655
commit 1b6a986986
11 changed files with 136 additions and 32 deletions
--- a/server/utils/domains.js
+++ b/server/utils/domains.js
@@ -1,8 +1,16 @@
 // @flow
-import { stripSubdomain } from "../../shared/utils/domains";
+import { parseDomain, stripSubdomain } from "../../shared/utils/domains";

 export function getCookieDomain(domain: string) {
  return process.env.SUBDOMAINS_ENABLED === "true"
    ? stripSubdomain(domain)
    : domain;
 }
+
+export function isCustomDomain(hostname: string) {
+  const parsed = parseDomain(hostname);
+  const main = parseDomain(process.env.URL);
+  return (
+    parsed && main && (main.domain !== parsed.domain || main.tld !== parsed.tld)
+  );
+}
--- a/server/utils/jwt.js
+++ b/server/utils/jwt.js
@@ -20,8 +20,24 @@ function getJWTPayload(token) {

 export async function getUserForJWT(token: string): Promise<User> {
  const payload = getJWTPayload(token);
+
+  // check the token is within it's expiration time
+  if (payload.expiresAt) {
+    if (new Date(payload.expiresAt) < new Date()) {
+      throw new AuthenticationError("Expired token");
+    }
+  }
+
  const user = await User.findByPk(payload.id);

+  if (payload.type === "transfer") {
+    // If the user has made a single API request since the transfer token was
+    // created then it's no longer valid, they'll need to sign in again.
+    if (user.lastActiveAt > new Date(payload.createdAt)) {
+      throw new AuthenticationError("Token has already been used");
+    }
+  }
+
  try {
    JWT.verify(token, user.jwtSecret);
  } catch (err) {
@@ -34,6 +50,10 @@ export async function getUserForJWT(token: string): Promise<User> {
 export async function getUserForEmailSigninToken(token: string): Promise<User> {
  const payload = getJWTPayload(token);

+  if (payload.type !== "email-signin") {
+    throw new AuthenticationError("Invalid token");
+  }
+
  // check the token is within it's expiration time
  if (payload.createdAt) {
    if (new Date(payload.createdAt) < subMinutes(new Date(), 10)) {