Implemented FxA

2018-08-07 15:40:17 -07:00 · 2018-08-07 15:40:17 -07:00 · 718d74fa50
commit 718d74fa50
parent 70bc2b7656
40 changed files with 1306 additions and 651 deletions
--- a/server/routes/index.js
+++ b/server/routes/index.js
@ -1,11 +1,13 @@
+const crypto = require('crypto');
 const express = require('express');
 const helmet = require('helmet');
 const storage = require('../storage');
 const config = require('../config');
 const auth = require('../middleware/auth');
-const owner = require('../middleware/owner');
 const language = require('../middleware/language');
 const pages = require('./pages');
+const fxa = require('./fxa');
+const filelist = require('./filelist');

 const IS_DEV = config.env === 'development';
 const ID_REGEX = '([0-9a-fA-F]{10})';
@ -18,6 +20,10 @@ module.exports = function(app) {
      force: !IS_DEV
    })
  );
+  app.use(function(req, res, next) {
+    req.cspNonce = crypto.randomBytes(16).toString('hex');
+    next();
+  });
  if (!IS_DEV) {
    app.use(
      helmet.contentSecurityPolicy({
@ -31,8 +37,18 @@ module.exports = function(app) {
            'https://sentry.prod.mozaws.net',
            'https://www.google-analytics.com'
          ],
-          imgSrc: ["'self'", 'https://www.google-analytics.com'],
-          scriptSrc: ["'self'"],
+          imgSrc: [
+            "'self'",
+            'https://www.google-analytics.com',
+            'https://*.dev.lcip.org',
+            'https://firefoxusercontent.com'
+          ],
+          scriptSrc: [
+            "'self'",
+            function(req) {
+              return `'nonce-${req.cspNonce}'`;
+            }
+          ],
          styleSrc: ["'self'", 'https://code.cdn.mozilla.net'],
          fontSrc: ["'self'", 'https://code.cdn.mozilla.net'],
          formAction: ["'none'"],
@ -49,22 +65,30 @@ module.exports = function(app) {
    next();
  });
  app.use(express.json());
-  app.get('/', language, pages.blank);
+  app.get('/', language, pages.index);
  app.get('/legal', language, pages.legal);
  app.get('/jsconfig.js', require('./jsconfig'));
  app.get(`/share/:id${ID_REGEX}`, language, pages.blank);
  app.get(`/download/:id${ID_REGEX}`, language, pages.download);
  app.get('/completed', language, pages.blank);
  app.get('/unsupported/:reason', language, pages.unsupported);
-  app.get(`/api/download/:id${ID_REGEX}`, auth, require('./download'));
-  app.get(`/api/download/blob/:id${ID_REGEX}`, auth, require('./download'));
+  app.get(`/api/download/:id${ID_REGEX}`, auth.hmac, require('./download'));
+  app.get(
+    `/api/download/blob/:id${ID_REGEX}`,
+    auth.hmac,
+    require('./download')
+  );
  app.get(`/api/exists/:id${ID_REGEX}`, require('./exists'));
-  app.get(`/api/metadata/:id${ID_REGEX}`, auth, require('./metadata'));
-  app.post('/api/upload', require('./upload'));
-  app.post(`/api/delete/:id${ID_REGEX}`, owner, require('./delete'));
-  app.post(`/api/password/:id${ID_REGEX}`, owner, require('./password'));
-  app.post(`/api/params/:id${ID_REGEX}`, owner, require('./params'));
-  app.post(`/api/info/:id${ID_REGEX}`, owner, require('./info'));
+  app.get(`/api/metadata/:id${ID_REGEX}`, auth.hmac, require('./metadata'));
+  app.get('/api/fxa/login', fxa.login);
+  app.get('/api/fxa/oauth', fxa.oauth);
+  app.get('/api/filelist', auth.fxa, filelist.get);
+  app.post('/api/filelist', auth.fxa, filelist.post);
+  app.post('/api/upload', auth.fxa, require('./upload'));
+  app.post(`/api/delete/:id${ID_REGEX}`, auth.owner, require('./delete'));
+  app.post(`/api/password/:id${ID_REGEX}`, auth.owner, require('./password'));
+  app.post(`/api/params/:id${ID_REGEX}`, auth.owner, require('./params'));
+  app.post(`/api/info/:id${ID_REGEX}`, auth.owner, require('./info'));

  app.get('/__version__', function(req, res) {
    res.sendFile(require.resolve('../../dist/version.json'));