| 243 | * @param ldp {LDP} |
| 244 | */ |
| 245 | function initWebId (argv, app, ldp) { |
| 246 | config.ensureWelcomePage(argv) |
| 247 | |
| 248 | // Store the user's session key in a cookie |
| 249 | // (for same-domain browsing by people only) |
| 250 | const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS |
| 251 | const sessionHandler = session(sessionSettings(useSecureCookies, argv.host)) |
| 252 | app.use(sessionHandler) |
| 253 | // Reject cookies from third-party applications. |
| 254 | // Otherwise, when a user is logged in to their Solid server, |
| 255 | // any third-party application could perform authenticated requests |
| 256 | // without permission by including the credentials set by the Solid server. |
| 257 | app.use((req, res, next) => { |
| 258 | const origin = req.get('origin') |
| 259 | const trustedOrigins = ldp.getTrustedOrigins(req) |
| 260 | const userId = req.session.userId |
| 261 | // Exception: allow logout requests from all third-party apps |
| 262 | // such that OIDC client can log out via cookie auth |
| 263 | // TODO: remove this exception when OIDC clients |
| 264 | // use Bearer token to authenticate instead of cookie |
| 265 | // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003) |
| 266 | // |
| 267 | // Authentication cookies are an optimization: |
| 268 | // instead of going through the process of |
| 269 | // fully validating authentication on every request, |
| 270 | // we go through this process once, |
| 271 | // and store its successful result in a cookie |
| 272 | // that will be reused upon the next request. |
| 273 | // However, that cookie can then be sent by any server, |
| 274 | // even servers that have not gone through the proper authentication mechanism. |
| 275 | // However, if trusted origins are enabled, |
| 276 | // then any origin is allowed to take the shortcut route, |
| 277 | // since malicious origins will be banned at the ACL checking phase. |
| 278 | // https://github.com/solid/node-solid-server/issues/1117 |
| 279 | if (!argv.strictOrigin && !argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) { |
| 280 | debug.authentication(`Rejecting session for ${userId} from ${origin}`) |
| 281 | // Destroy session data |
| 282 | delete req.session.userId |
| 283 | // Ensure this modified session is not saved |
| 284 | req.session.save = (done) => done() |
| 285 | } |
| 286 | if (isLogoutRequest(req)) { |
| 287 | delete req.session.userId |
| 288 | } |
| 289 | next() |
| 290 | }) |
| 291 | |
| 292 | const accountManager = AccountManager.from({ |
| 293 | authMethod: argv.auth, |
| 294 | emailService: app.locals.emailService, |
| 295 | tokenService: app.locals.tokenService, |
| 296 | host: argv.host, |
| 297 | accountTemplatePath: argv.templates.account, |
| 298 | store: ldp, |
| 299 | multiuser: argv.multiuser |
| 300 | }) |
| 301 | app.locals.accountManager = accountManager |
| 302 |