Kick the user if has already successfully authenticated but his session became invalid later

2013-04-03 11:19:26 +02:00 · 2013-04-03 11:19:26 +02:00 · c5b4e4934d
parent f503f28b08
commit c5b4e4934d
2 changed files with 29 additions and 9 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -203,17 +203,29 @@ exports.handleMessage = function(client, message)
      //check permissions
      function(callback)
      {
-        
-        // If the message has a padId we assume the client is already known to the server and needs no re-authorization
-        if(!message.padId)
-          return callback();
+        // client tried to auth for the first time (first msg from the client)
+        if(message.type == "CLIENT_READY") {
+          // Remember this information since we won't
+          // have the cookie in further socket.io messages.
+          // This information will be used to check if
+          // the sessionId of this connection is still valid
+          // since it could have been deleted by the API.
+          sessioninfos[client.id].auth =
+          {
+            sessionID: message.sessionID,
+            padID: message.padId,
+            token : message.token,
+            password: message.password
+          };
+        }

        // Note: message.sessionID is an entirely different kind of
-        // session from the sessions we use here! Beware! FIXME: Call
-        // our "sessions" "connections".
+        // session from the sessions we use here! Beware!
+        // FIXME: Call our "sessions" "connections".
        // FIXME: Use a hook instead
        // FIXME: Allow to override readwrite access with readonly
-        securityManager.checkAccess(message.padId, message.sessionID, message.token, message.password, function(err, statusObject)
+        var auth = sessioninfos[client.id].auth;
+        securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject)
        {
          if(ERR(err, callback)) return;

--- a/src/static/js/pad.js
+++ b/src/static/js/pad.js
@ -252,14 +252,22 @@ function handshake()
  socket.on('message', function(obj)
  {
    //the access was not granted, give the user a message
-    if(!receivedClientVars && obj.accessStatus)
+    if(obj.accessStatus)
    {
-      $('.passForm').submit(require(module.id).savePassword);
+      if(!receivedClientVars)
+        $('.passForm').submit(require(module.id).savePassword);

      if(obj.accessStatus == "deny")
      {
        $('#loading').hide();
        $("#permissionDenied").show();
+
+        if(receivedClientVars)
+        {
+          // got kicked
+          $("#editorcontainer").hide();
+          $("#editorloadingbox").show();
+        }
      }
      else if(obj.accessStatus == "needPassword")
      {