reg,login, smslogin 跳转问题修复

陈轩
Commit 8a79f159a3d1ecc7e00a7037bfda154bce78b3b1 1 parent 8b67ccf2
Showing 4 changed files with 45 additions and 23 deletions
apps/passport/controllers/login.js
apps/passport/controllers/reg.js
apps/passport/controllers/sms.js
utils/index.js
--- a/apps/passport/controllers/login.js
View file @8a79f15
+++ b/apps/passport/controllers/login.js
View file @8a79f15
@@ -14,7 +14,7 @@ const cookie = global.yoho.cookie;
 const helpers = global.yoho.helpers;
 const log = global.yoho.logger;
 const config = global.yoho.config;
- const url = require('url');
+ const utils = require(global.utils);
 const RegService = require('../models/reg-service');
 const AuthHelper = require('../models/auth-helper');
 
@@ -33,6 +33,9 @@ function doPassportCallback(openId, nickname, sourceType, req, res) {
     if (/signin|login/.test(refer)) {
         refer = `${config.siteUrl}/home`;
     }
+ 
+     refer = utils.refererLimit(refer);
+ 
     if (openId && nickname) {
         return AuthHelper.signinByOpenID(nickname, openId, sourceType, shoppingKey).then((result) => {
             if (result.code !== 200) {
@@ -65,13 +68,7 @@ const common = {
             refer = req.get('Referer');
         }
 
-         refer = decodeURI(refer);
- 
-         let urlObj = url.parse(refer, false, true);
- 
-         if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
-             refer = '/home';
-         }
+         refer = utils.refererLimit(refer);
 
 
         refer && !/signin|login|passport/.test(refer) && res.cookie('refer', encodeURI(refer), {
@@ -170,6 +167,9 @@ const local = {
                 if (/sign|login/.test(refer)) {
                     refer = `${config.siteUrl}/home`;
                 }
+ 
+                 refer = utils.refererLimit(refer);
+ 
                 user.session = refer;
                 user.href = refer;
                 AuthHelper.syncUserSession(user.uid, req, res, user.session_key).then(() => {
@@ -193,6 +193,8 @@ const local = {
         res.clearCookie('_SPK');
         let refer = req.get('Referer') || config.siteUrl;
 
+         refer = utils.refererLimit(refer);
+ 
         res.redirect(refer);
     }
 };
--- a/apps/passport/controllers/reg.js
View file @8a79f15
+++ b/apps/passport/controllers/reg.js
View file @8a79f15
@@ -8,7 +8,7 @@
 'use strict';
 
 const _ = require('lodash');
- const url = require('url');
+ const utils = require(global.utils);
 const helpers = global.yoho.helpers;
 const sign = global.yoho.sign;
 const cookie = global.yoho.cookie;
@@ -62,11 +62,7 @@ let index = (req, res) => {
     // req.session.REG_EXPIRE = Date.now() + 1800000;
     let refer = req.query.refer;
 
-     let urlObj = url.parse(refer, false, true);
- 
-     if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
-         refer = '/home';
-     }
+     refer = utils.refererLimit(refer);
 
     refer && res.cookie('refer', encodeURI(refer), {
         domain: 'yohobuy.com'
@@ -409,12 +405,7 @@ let setPassword = (req, res, next) => {
             refer = '/home';
         }
 
-         // fix: http://redmine.yoho.cn/issues/14282 跳转安全
-         let urlObj = url.parse(refer, false, true);
- 
-         if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
-             refer = '/home';
-         }
+         refer = utils.refererLimit(refer);
 
         delete req.session.phoneNum;
 
--- a/apps/passport/controllers/sms.js
View file @8a79f15
+++ b/apps/passport/controllers/sms.js
View file @8a79f15
@@ -3,6 +3,7 @@
 const _ = require('lodash');
 const helpers = global.yoho.helpers;
 const cookie = global.yoho.cookie;
+ const utils = require(global.utils);
 const RegService = require('../models/reg-service');
 const PhoneService = require('../models/phone-service');
 const AuthHelper = require('../models/auth-helper');
@@ -24,8 +25,10 @@ exports.beforeIn = (req, res, next) => {
         Expires: 0
     });
 
+     let refer = utils.refererLimit(req.cookies.refer);
+ 
     if (!req.xhr && req.user.uid) {
-         return res.redirect(req.cookies.refer || '/');
+         return res.redirect(refer);
     }
 
     next();
@@ -300,7 +303,7 @@ exports.check = (req, res, next) => {
                     res.json({
                         code: 200,
                         message: LOGIN_SUCCSS,
-                         redirect: req.cookies.refer
+                         redirect: utils.refererLimit(req.cookies.refer)
                     });
 
                     delete req.session.smsLogin;
@@ -363,7 +366,7 @@ exports.password = (req, res, next) => {
         res.json({
             code: 200,
             message: LOGIN_SUCCSS,
-             redirect: req.cookies.refer || '/'
+             redirect: utils.refererLimit(req.cookies.refer)
         });
         delete req.session.smsLogin;
     }).catch(next);
--- a/utils/index.js 0 → 100644
View file @8a79f15
+++ b/utils/index.js 0 → 100644
View file @8a79f15
+ 'use strict';
+ 
+ const url = require('url');
+ 
+ /**
+  *   refer限制
+  *  @param referer string
+  *  @param blacklist [array|function] refer黑名单  TODO: 未实现
+  *      1. array: ['/login', '/signin'] 如果referer 在array中，将返回 /home
+  *      2. function: 如果返回true, 返回/home
+  *  @return referer
+  */
+ exports.refererLimit = (referer, blacklist) => {  // eslint-disable-line
+     let result = decodeURI(referer | '/home');
+ 
+     let urlObj = url.parse(referer, false, true);
+ 
+ 
+     if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+         result = '/home';
+     }
+ 
+     // TODO: blacklist;
+ 
+     return result;
+ };