From a7289af25703fe00f001525137c48728c7672970 Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Thu, 8 Aug 2019 15:33:58 +0300
Subject: [PATCH] Disable third-party registrations

---
 config.example.toml         | 32 +++++++++++++++------------
 server/api/external.js      | 11 +++++-----
 server/routes/index.js      | 44 +++++++++++++++++++++++--------------
 views/includes/external.pug |  8 +++---
 views/user/login.pug        |  5 +++--
 5 files changed, 58 insertions(+), 42 deletions(-)

diff --git a/config.example.toml b/config.example.toml
index 936450b..6054b6f 100644
--- a/config.example.toml
+++ b/config.example.toml
@@ -43,23 +43,27 @@
 [redis]
 port=6379
 
-# Uncomment if you want to be using Twitter authentication
-[twitter]
-# api=""
-# api_secret=""
+[external]
+  # Set to true if you allow registrations from the following services
+  registrations=false
 
-# Uncomment if you want to be using Facebook authentication
-[facebook]
-# client=""
+  # Uncomment if you want to be using Twitter authentication
+  [external.twitter]
+  # api=""
+  # api_secret=""
 
-# Uncomment if you want to be using Discord authentication
-[discord]
-# api=""
-# api_secret=""
+  # Uncomment if you want to be using Facebook authentication
+  [external.facebook]
+  # client=""
 
-[google]
-# api=""
-# api_secret=""
+  # Uncomment if you want to be using Discord authentication
+  [external.discord]
+  # api=""
+  # api_secret=""
+
+  [external.google]
+  # api=""
+  # api_secret=""
 
 # reCAPTCHA configuration
 [security]
diff --git a/server/api/external.js b/server/api/external.js
index 74c44dd..194f1ca 100644
--- a/server/api/external.js
+++ b/server/api/external.js
@@ -56,6 +56,7 @@ const API = {
   },
   // Create a new user
   newUser: async (service, identifier, data) => {
+    if (config.external.registrations !== true) throw new Error('Registrations from third-party websites are not allowed.')
     let udataLimited = Object.assign({
       activated: 1,
       created_at: new Date(),
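Review bot: The new guard in newUser dereferences `config.external` unconditionally, so a config file without an `[external]` table (any config written before this change) fails with a TypeError rather than the intended message, while the routes middleware in the same commit tolerates that case with `if (!et) return next()`. The check should stay fail-closed but tolerate the missing table: `if (!config.external || config.external.registrations !== true) throw new Error('Registrations from third-party websites are not allowed.')`. Whether this Error reaches the user as a message or as a generic 500 depends on the OAuth callback handlers, which are outside this hunk and worth confirming. The body of newUser continues past the end of the hunk.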
@@ -239,8 +240,8 @@ const API = {
       twitterApp = new oauth.PromiseOAuth(
         'https://api.twitter.com/oauth/request_token',
         'https://api.twitter.com/oauth/access_token',
-        config.twitter.api,
-        config.twitter.api_secret,
+        config.external.twitter.api,
+        config.external.twitter.api_secret,
         '1.0A',
         redirectUri,
         'HMAC-SHA1'
@@ -360,8 +361,8 @@ const API = {
     oauth2App: function () {
       if (discordApp) return
       discordApp = new oauth.PromiseOAuth2(
-        config.discord.api,
-        config.discord.api_secret,
+        config.external.discord.api,
+        config.external.discord.api_secret,
         'https://discordapp.com/api/',
         'oauth2/authorize',
         'oauth2/token'
@@ -375,7 +376,7 @@ const API = {
       let redirectUri = config.server.domain + '/api/external/discord/callback'
       const params = {
-        'client_id': config.discord.api,
+        'client_id': config.external.discord.api,
         'redirect_uri': redirectUri,
         'scope': 'identify email',
         'response_type': 'code',
diff --git a/server/routes/index.js b/server/routes/index.js
index 6f03103..bff4b6a 100644
--- a/server/routes/index.js
+++ b/server/routes/index.js
@@ -102,24 +102,34 @@ router.get('/', (req, res) => {
 })
 
 // Add social media login buttons
-function extraButtons (req, res, next) {
-  if (config.twitter && config.twitter.api) {
-    res.locals.twitter_auth = true
-  }
+function extraButtons (recheck) {
+  let et = config.external
+  return function (req, res, next) {
+    if (!et) return next()
+    res.locals.auth = {
+      registrations: et.registrations
+    }
 
-  if (config.discord && config.discord.api) {
-    res.locals.discord_auth = true
-  }
+    if (recheck && et.registrations !== true) return next()
 
-  if (config.facebook && config.facebook.client) {
-    res.locals.facebook_auth = config.facebook.client
-  }
+    if (et.twitter && et.twitter.api) {
+      res.locals.auth.twitter = true
+    }
 
-  if (config.google && config.google.api) {
-    res.locals.google_auth = config.google.api
-  }
+    if (et.discord && et.discord.api) {
+      res.locals.auth.discord = true
+    }
 
-  next()
+    if (et.facebook && et.facebook.client) {
+      res.locals.auth.facebook = et.facebook.client
+    }
+
+    if (et.google && et.google.api) {
+      res.locals.auth.google = et.google.api
+    }
+
+    next()
+  }
 }
 
 // Retrieve form data if formError was called
@@ -136,7 +146,7 @@ function formKeep (req, res, next) {
 }
 
 // Password reset request endpoint
-router.get('/login/reset', extraButtons, (req, res) => {
+router.get('/login/reset', extraButtons(false), (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   res.render('user/reset_password', {sent: req.query.success != null})
@@ -157,7 +167,7 @@ router.get('/reset/:token', wrap(async (req, res) => {
   res.render('user/password_new', {token: true})
 }))
 
-router.get('/login', extraButtons, (req, res) => {
+router.get('/login', extraButtons(false), (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   if (req.query.returnTo) {
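Review bot: The `recheck` parameter of extraButtons is undocumented, and its effect is easy to misread: when it is true and `registrations` is not `true`, `res.locals.auth` has already been set to `{ registrations: ... }`, so a view that tests `if auth` still renders the external-login block, only with no provider flags. A comment above the function such as `// recheck: when true, omit provider buttons unless config.external.registrations is true (used on /register); login pages keep them so already-linked accounts can still sign in` would make the two call styles self-explanatory. `let et = config.external` is never reassigned and reads better as `const et = config.external`. Hiding the buttons here is presentation only; the actual refusal is the check in API.newUser, and keeping it there is what makes this safe.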
@@ -167,7 +177,7 @@ router.get('/login', extraButtons, (req, res) => {
   res.render('user/login')
 })
 
-router.get('/register', extraButtons, formKeep, (req, res) => {
+router.get('/register', extraButtons(true), formKeep, (req, res) => {
   if (req.session.user) return redirectLogin(req, res)
 
   if (config.security.recaptcha && config.security.recaptcha.site_key) {
diff --git a/views/includes/external.pug b/views/includes/external.pug
index 0107f1a..f1be21e 100644
--- a/views/includes/external.pug
+++ b/views/includes/external.pug
@@ -1,5 +1,5 @@
 .external-login
-  if facebook_auth
+  if auth.facebook
     div#fb-root
     script.
       window.fbAsyncInit = function() {
@@ -20,7 +20,7 @@
         fjs.parentNode.insertBefore(js, fjs);
       }(document, 'script', 'facebook-jssdk'));
     fb:login-button(scope="public_profile,email", onlogin="checkLoginState();" data-max-rows="1", data-size="large", data-button-type="login_with", data-show-faces="false", data-auto-logout-link="false", data-use-continue-as="false")
-  if google_auth
+  if auth.google
     script(src="https://apis.google.com/js/api:client.js")
     a.login-btn.google-login.float-lg-right
       i.fa.fa-fw.fa-google
@@ -59,11 +59,11 @@
       }
       startApp()
-  if twitter_auth
+  if auth.twitter
     a.login-btn.twitter-login.login-dialog-pop.float-lg-right(href="/api/external/twitter/login")
       i.fa.fa-fw.fa-twitter
       span Log in With Twitter
-  if discord_auth
+  if auth.discord
     a.login-btn.discord-login.login-dialog-pop.float-lg-right(href="/api/external/discord/login")
       img(src="/static/image/discord.svg")
       span Log in With Discord
diff --git a/views/user/login.pug b/views/user/login.pug
index 052d068..f13ed7e 100644
--- a/views/user/login.pug
+++ b/views/user/login.pug
@@ -26,5 +26,6 @@ block body
         a(href="/register") Create an account
         | ยท
         a(href="/login/reset") Forgot password?
-  aside.col-sm-4
-    include ../includes/external.pug
+  if auth
+    aside.col-sm-4
+      include ../includes/external.pug
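Review bot: The four conditions in external.pug now read `auth.facebook`, `auth.google`, `auth.twitter` and `auth.discord`, and in Pug each of those throws a TypeError when `auth` is undefined, which is exactly what the new extraButtons middleware leaves behind when `config.external` is absent (`if (!et) return next()`). login.pug wraps its include in `if auth`, but any other view that includes this partial would break; the reset and register pages rendered by routes touched in this commit are not visible here, so that cannot be ruled out. Guarding inside the partial is the more robust fix, e.g. `if auth && auth.facebook` for the first condition and the same form in the two later hunks of this file.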