Make app work with login.

2025-10-05 10:39:25 +02:00 · 2014-01-27 15:38:40 +09:00 · 2014-01-27 15:38:40 +09:00 · f2066b35fa
commit f2066b35fa
parent d8ca15d002
15 changed files with 237 additions and 26 deletions
--- a/lib/roles/auth/mock.js
+++ b/lib/roles/auth/mock.js
@ -7,6 +7,7 @@ var logger = require('../../util/logger')
 var requtil = require('../../util/requtil')
 var jwtutil = require('../../util/jwtutil')
 var pathutil = require('../../util/pathutil')
+var urlutil = require('../../util/urlutil')

 module.exports = function(options) {
  var log = logger.createLogger('auth-mock')
@ -59,12 +60,6 @@ module.exports = function(options) {
        requtil.validate(req, function() {
            req.checkBody('name').notEmpty()
            req.checkBody('email').isEmail()
-
-            // This is a security risk. Someone might forward the user
-            // to the login page with their own redirect set, and they'd
-            // then be able to steal the token. Some kind of a whitelist
-            // or a fixed redirect URL is needed.
-            req.checkBody('redirect').isUrl()
          })
          .then(function() {
            log.info('Authenticated "%s"', req.body.email)
@ -75,14 +70,12 @@ module.exports = function(options) {
              }
            , secret: options.secret
            })
-            var target = url.parse(req.body.redirect)
-            target.query = {
-              jwt: token
-            }
            res.status(200)
              .json({
                success: true
-              , redirect: url.format(target)
+              , redirect: urlutil.addParams(options.appUrl, {
+                  jwt: token
+                })
              })
          })
          .catch(requtil.ValidationError, function(err) {