From 959de37ecb89237a80ecfbb9c1800a5fb47940ea Mon Sep 17 00:00:00 2001
From: syuilo
Date: Sun, 10 Dec 2017 18:08:28 +0900
Subject: [PATCH] =?UTF-8?q?=E4=BB=96=E3=81=AE=E3=82=A6=E3=82=A7=E3=83=96?=
 =?UTF-8?q?=E3=82=B5=E3=82=A4=E3=83=88=E3=81=8B=E3=82=89=E7=9B=B4=E6=8E=A5?=
 =?UTF-8?q?MisskeyAPI=E3=82=92=E5=88=A9=E7=94=A8=E3=81=A7=E3=81=8D?=
 =?UTF-8?q?=E3=82=8B=E3=82=88=E3=81=86=E3=81=AB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/api/server.ts | 4 +---
 src/api/service/twitter.ts | 39 ++++++++++++++++++++++++++++++++++----
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/src/api/server.ts b/src/api/server.ts
index 463b3f017..e89d19609 100644
--- a/src/api/server.ts
+++ b/src/api/server.ts
@@ -26,9 +26,7 @@ app.use(bodyParser.json({
 }
 }
 }));
-app.use(cors({
- origin: true
-}));
+app.use(cors());
 
 app.get('/', (req, res) => {
 res.send('YEE HAW');
diff --git a/src/api/service/twitter.ts b/src/api/service/twitter.ts
index e03cd5acc..573895e8f 100644
--- a/src/api/service/twitter.ts
+++ b/src/api/service/twitter.ts
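Review bot: The default `cors()` answers every origin with `Access-Control-Allow-Origin: *` and (since the `cors` package does not set `Access-Control-Allow-Credentials` unless asked) browsers will not expose responses to credentialed cross-site requests — but CORS never stops the request itself from executing, so a simple cross-site GET or form POST still reaches the server carrying the `i=` session cookie that `getUserToken` in twitter.ts reads. If third-party sites are meant to call the API as a signed-in user, that should be done with an explicit token in the body or a header rather than the cookie, and every cookie-authenticated state-changing route needs its own cross-site check (this commit adds a Referer check to the two Twitter routes only, as far as the diff shows). A comment recording that intent on the new line would help the next reader: `// Open CORS: any site may call the API; auth must be an explicit token, never the session cookie`. The `bodyParser.json(...)` call this hunk sits inside starts above it; if it accepts `text/plain` bodies, a cross-site POST can skip the CORS preflight entirely, so that setting deserves the same review.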
@@ -12,15 +12,31 @@ import config from '../../conf';
 import signin from '../common/signin';
 module.exports = (app: express.Application) => {
- function getUserToken(req) {
+ function getUserToken(req: express.Request) {
 // req.headers['cookie'] は常に string ですが、型定義の都合上
 // string | string[] になっているので string を明示しています
 return ((req.headers['cookie'] as string || '').match(/i=(!\w+)/) || [null, null])[1];
 }
- app.get('/disconnect/twitter', async (req, res): Promise => {
- const userToken = getUserToken(req);
+ function compareOrigin(req: express.Request) {
+ function normalizeUrl(url: string) {
+ return url[url.length - 1] === '/' ? url.substr(0, url.length - 1) : url;
+ }
+ // req.headers['cookie'] は常に string ですが、型定義の都合上
+ // string | string[] になっているので string を明示しています
+ const referer = req.headers['referer'] as string;
+
+ return (normalizeUrl(referer) == normalizeUrl(config.url));
+ }
+
+ app.get('/disconnect/twitter', async (req, res): Promise => {
+ if (!compareOrigin(req)) {
+ res.status(400).send('invalid origin');
+ return;
+ }
+
+ const userToken = getUserToken(req);
 if (userToken == null) return res.send('plz signin');
 const user = await User.findOneAndUpdate({
@@ -59,8 +75,14 @@ module.exports = (app: express.Application) => {
 });
 app.get('/connect/twitter', async (req, res): Promise => {
+ if (!compareOrigin(req)) {
+ res.status(400).send('invalid origin');
+ return;
+ }
+
 const userToken = getUserToken(req);
 if (userToken == null) return res.send('plz signin');
+
 const ctx = await twAuth.begin();
 redis.set(userToken, JSON.stringify(ctx));
 res.redirect(ctx.url);
@@ -98,6 +120,7 @@ module.exports = (app: express.Application) => {
 if (sessid == undefined) {
 res.status(400).send('invalid session');
+ return;
 }
 redis.get(sessid, async (_, ctx) => {
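Review bot: `compareOrigin` indexes the Referer header without checking it is present — `req.headers['referer']` is `undefined` whenever the browser omits it (typed-in URL, `Referrer-Policy: no-referrer`, HTTPS→HTTP navigation), so `normalizeUrl(undefined)` throws a TypeError inside the `async` route handler, and since Express 4 does not forward rejected promises to the error handler the request hangs instead of returning the intended 400. Guard it before normalizing and drop the cast: `const referer = req.headers['referer']; if (typeof referer !== 'string') return false;` and use `===` in the comparison. Note also that the check compares the whole Referer URL, not its origin, so only a link from exactly `config.url` (with or without a trailing slash) passes and a link from any other page of the site is rejected; if that is intended it deserves a comment, otherwise compare only scheme and host of the two URLs. The comment copied above `const referer` still describes the `cookie` header and should say `referer`. The `/disconnect/twitter` handler continues past the end of this hunk.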
@@ -109,13 +132,21 @@ module.exports = (app: express.Application) => {
 if (user == null) {
 res.status(404).send(`@${result.screenName}と連携しているMisskeyアカウントはありませんでした...`);
+ return;
 }
 signin(res, user, true);
 });
 } else {
+ const verifier = req.query.oauth_verifier;
+
+ if (verifier == null) {
+ res.status(400).send('invalid session');
+ return;
+ }
+
 redis.get(userToken, async (_, ctx) => {
- const result = await twAuth.done(JSON.parse(ctx), req.query.oauth_verifier);
+ const result = await twAuth.done(JSON.parse(ctx), verifier);
 const user = await User.findOneAndUpdate({
 token: userToken