HTTPS redirection rebuilds the full URL from req.originalUrl, which already includes the query string (see https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch the stringified query parameters were appended to req.originalUrl a second time, producing duplicated parameters such as wiki.js/callback?session=123&code=abc?session=123&code=abc. This broke OIDC logins (e.g. with Keycloak) whenever the callback arrived on an insecure http:// URL and was redirected to its https:// counterpart. The issue is probably rare, but it affects any deployment with HTTPS redirection enabled where a user hits an insecure URL carrying query parameters.
const express = require('express')
const router = express.Router()
const _ = require('lodash')
const qs = require('querystring')
/* global WIKI */
/**
 * Let's Encrypt (ACME HTTP-01) challenge responder
 *
 * Answers `/.well-known/acme-challenge/:token` with the key authorization of
 * the challenge currently stored in `WIKI.config.letsencrypt.challenge`.
 * Keep this route registered before the catch-all HTTPS redirect below:
 * `router.all('/*')` would otherwise redirect the validator's request instead
 * of answering it.
 *
 * Responses (always `text/plain`):
 *   200 – token matches the pending challenge; body is its keyAuthorization
 *   406 – a challenge is pending but the token does not match
 *   418 – no challenge is pending at all
 */
router.get('/.well-known/acme-challenge/:token', (req, res, next) => {
  res.type('text/plain')

  // `_.get` tolerates a missing `letsencrypt` section in the config.
  const pending = _.get(WIKI.config, 'letsencrypt.challenge', false)
  if (!pending) {
    // Nothing to validate right now.
    res.status(418).end()
    return
  }

  const tokenMatches = pending.token === req.params.token
  if (!tokenMatches) {
    res.status(406).send('Invalid Challenge Token!')
    WIKI.logger.warn(`(LETSENCRYPT) Received invalid challenge request. [ REJECTED ]`)
    return
  }

  res.send(pending.keyAuthorization)
  WIKI.logger.info(`(LETSENCRYPT) Received valid challenge request. [ ACCEPTED ]`)
})
/**
 * HTTP -> HTTPS redirect
 *
 * When `server.sslRedir` is enabled and an HTTPS listener exists
 * (`WIKI.servers.servers.https`), any request that did not arrive over TLS
 * (`req.secure` is false) is redirected to the same host, path and query on
 * `https://`. Every other request falls through to the next handler.
 *
 * `req.originalUrl` already carries the query string, so nothing is appended
 * to it — re-appending the stringified query would duplicate every parameter.
 *
 * NOTE(review): `req.hostname` carries no port, so an HTTPS listener on a
 * non-443 port would not be reachable through this redirect — confirm against
 * the server configuration. `res.redirect` defaults to 302, which lets a
 * client resend a redirected POST as GET; 307/308 would preserve the method
 * if that matters for this catch-all route.
 */
router.all('/*', (req, res, next) => {
  // Short-circuit order is kept: the HTTPS server object is only consulted
  // when redirection is enabled and the request is plain HTTP.
  const shouldRedirect = WIKI.config.server.sslRedir && !req.secure && WIKI.servers.servers.https
  if (!shouldRedirect) {
    next()
    return
  }
  // Host is whatever Express derived from the request's Host header
  // (or X-Forwarded-Host when the app trusts its proxy); path + query come
  // from originalUrl untouched.
  const secureUrl = `https://${req.hostname}${req.originalUrl}`
  return res.redirect(secureUrl)
})
module.exports = router // route order above matters: ACME challenge route before the catch-all redirect