Fix cross-domain cookie issue

2014-02-26 10:50:59 -06:00 · 2014-02-26 10:50:59 -06:00 · 93d5980f05
parent ced68d9304
commit 93d5980f05
7 changed files with 31 additions and 7 deletions
--- a/config.template.yaml
+++ b/config.template.yaml
@ -15,6 +15,9 @@ http:
  host: ''
  port: 8080
  domain: 'http://localhost'
+  # Specifies the root domain for cookies.  If you have multiple domains
+  # e.g. a.example.com and b.example.com, the root domain is example.com
+  root-domain: 'localhost'
  # Use express-minify to minify CSS and Javascript
  minify: false
  # Static content cache (in seconds)
--- a/lib/config.js
+++ b/lib/config.js
@ -26,6 +26,7 @@ var defaults = {
        host: "",
        port: 8080,
        domain: "http://localhost",
+        "root-domain": "localhost",
        minify: false,
        "cache-ttl": 0
    },
--- a/lib/web/auth.js
+++ b/lib/web/auth.js
@ -106,6 +106,7 @@ function handleLoginPage(req, res) {
 */
 function handleLogout(req, res) {
    res.clearCookie("auth");
+    res.clearCookie("auth", { domain: Config.get("http.root-domain") });
    // Try to find an appropriate redirect
    var ref = req.header("referrer");
    if (!ref) {
--- a/lib/web/jade.js
+++ b/lib/web/jade.js
@ -13,7 +13,9 @@ function merge(locals) {
    var _locals = {
        siteTitle: Config.get("html-template.title"),
        siteDescription: Config.get("html-template.description"),
-        siteAuthor: "Calvin 'calzoneman' 'cyzon' Montgomery"
+        siteAuthor: "Calvin 'calzoneman' 'cyzon' Montgomery",
+        loginDomain: Config.get("https.enabled") ? Config.get("https.domain")+":"+Config.get("https.port")
+                                                 : Config.get("http.domain")+":"+Config.get("http.port")
    };
    if (typeof locals !== "object") {
        return _locals;
--- a/lib/web/webserver.js
+++ b/lib/web/webserver.js
@ -64,12 +64,13 @@ function logRequest(req, status) {

 function cookieall(res, name, val, opts) {
    res.cookie(name, val, opts);
-    opts.domain = Config.get("http.domain");
-    res.cookie(name, val, opts);
-    if (Config.get("https.enabled")) {
-        opts.domain = Config.get("https.domain");
-        res.cookie(name, val, opts);
+
+    opts.domain = Config.get("http.root-domain");
+    if (Config.get("http.domain").indexOf(opts.domain) === -1) {
+        opts.domain = Config.get("http.domain");
    }
+
+    res.cookie(name, val, opts);
 }

 /**
--- a/templates/nav.jade
+++ b/templates/nav.jade
@ -44,7 +44,9 @@ mixin navloginlogout(redirect)

 mixin navloginform(redirect)
  .visible-md.visible-lg
-    form#loginform.navbar-form.navbar-right(action="/login", method="post")
+    if loginDomain == null
+      - loginDomain = ""
+    form#loginform.navbar-form.navbar-right(action="#{loginDomain}/login", method="post")
      input(type="hidden", name="redirect", value=redirect)
      .form-group
        input#username.form-control(type="text", name="name", placeholder="Username")
--- a/www/js/callbacks.js
+++ b/www/js/callbacks.js
@ -445,6 +445,20 @@ Callbacks = {

            if (!CLIENT.guest) {
                socket.emit("initUserPLCallbacks");
+                var logoutform = $("<p/>").attr("id", "logoutform")
+                    .addClass("navbar-text pull-right")
+                    .insertAfter($("#loginform"));
+
+                $("<span/>").attr("id", "welcome").text("Welcome, " + CLIENT.name)
+                    .appendTo(logoutform);
+                $("<span/>").html("&nbsp;&middot;&nbsp;").appendTo(logoutform);
+                var domain = $("#loginform").attr("action").replace("/login", "");
+                $("<a/>").attr("id", "logout")
+                    .attr("href", domain + "/logout?redirect=/r/" + CHANNEL.name)
+                    .text("Logout")
+                    .appendTo(logoutform);
+
+                $("#loginform").remove();
            }
        }
    },