Fix security issues & update dependencies

chinook25 · Aug 23, 2018 · be3c8e1 · be3c8e1
1 parent 255c812
commit be3c8e1
Show file tree

Hide file tree

Showing 25 changed files with 771 additions and 1,052 deletions.
diff --git a/app/drugis-css b/app/drugis-css
diff --git a/app/js/app.js b/app/js/app.js
@@ -5,6 +5,7 @@ define(
   'angular-patavi-client',
   'angular-touch',
   'angular-ui-router',
+  'angular-cookies',
   'angular-animate',
   './constants',
   './controllers',
@@ -22,11 +23,10 @@ define(
   './util/util'
 ],
 function(angular) {
-
-  //@require "../views/*.html"
     var dependencies = [
       'ui.router',
       'ngTouch',
+      'ngCookies',
       'ngSanitize',
       'mm.foundation',
       'gemtc.controllers',

diff --git a/app/js/util/navbarDirective.html b/app/js/util/navbarDirective.html
@@ -17,7 +17,7 @@
         </li>
         <li>
           <a href="#">
-            <img class="user-image" ng-src="{{user.imageUrl}}">
+            <img class="user-image" ng-src="{{user.userPicture}}">
             <span ng-show="!navSettings.isHidden">{{user.name}}</span>
           </a>
           <ul class="menu vertical">
@@ -33,4 +33,4 @@
   <section>
     <div class="color-stripe"></div>
   </section>
-</div>
+</div>
diff --git a/app/js/util/navbarDirective.js b/app/js/util/navbarDirective.js
@@ -1,15 +1,14 @@
 'use strict';
 define([], function() {
-  var dependencies = ['UserResource'];
-  var NavbarDirective = function(UserResource) {
+  var dependencies = ['$cookies'];
+  var NavbarDirective = function($cookies) {
     return {
       restrict: 'E',
       templateUrl: 'js/util/navbarDirective.html',
       transclude: true,
       link: function(scope) {
-        scope.user = UserResource.get(function(userResult) {
-          scope.user.imageUrl = 'https://secure.gravatar.com/avatar/' + userResult.md5Hash + '?s=43&d=mm';
-        });
+        scope.user = JSON.parse($cookies.get('LOGGED-IN-USER'));
+        scope.user.name = scope.user.firstname + ' ' + scope.user.lastname;
       }
     };
   };

diff --git a/app/js/util/util.js b/app/js/util/util.js
@@ -1,10 +1,8 @@
 'use strict';
 
-define(function (require) {
-  var angular = require('angular');
-  var dependencies = ['ngResource'];
+define(['angular', 'angular-resource'], function (angular) {
 
-  return angular.module('gemtc.util', dependencies)
+  return angular.module('gemtc.util', ['ngResource'])
 
     //resources
     .factory('UserResource', require('./userResource'))

diff --git a/gemtc.js b/gemtc.js
@@ -1,11 +1,13 @@
 'use strict';
 var express = require('express'),
   session = require('express-session'),
+  helmet = require('helmet'),
   bodyparser = require('body-parser'),
-  csrf = require('csurf'),
-  everyauth = require('everyauth'),
+  csurf = require('csurf'),
+  dbUtil = require('./standalone-app/dbUtil'),
+  db = require('./standalone-app/db')(dbUtil.connectionConfig),
   loginUtils = require('./standalone-app/loginUtils'),
-  userRepository = require('./standalone-app/userRepository'),
+  userManagement = require('./standalone-app/userManagement')(db),
   analysisRouter = require('./standalone-app/analysisRouter'),
   modelRouter = require('./standalone-app/modelRouter'),
   mcdaPataviTaskRouter = require('./standalone-app/mcdaPataviTaskRouter'),
@@ -14,69 +16,65 @@ var express = require('express'),
 
 
 var sessionOpts = {
-  secret: 'keyboard cat',
-  resave: false,
-  saveUninitialized: true
+  store: new (require('connect-pg-simple')(session))({
+    conString: dbUtil.gemtcDBUrl,
+  }),
+  secret: process.env.GEMTC_COOKIE_SECRET,
+  resave: true,
+  proxy: process.env.GEMTC_USE_PROXY,
+  rolling: true,
+  saveUninitialized: true,
+  cookie: {
+    maxAge: 60 * 60 * 1000, // 1 hour
+    secure: false
+  }
 };
 
-
-everyauth.everymodule.findUserById(function(userId, callback) {
-  logger.debug("gemtc.findUserById");
-  callback(null);
+var passport = require('passport');
+var GoogleStrategy = require('passport-google-oauth20').Strategy;
+passport.use(
+  new GoogleStrategy({
+    clientID: process.env.GEMTC_GOOGLE_KEY,
+    clientSecret: process.env.GEMTC_GOOGLE_SECRET,
+    callbackURL: process.env.GEMTC_HOST + "/auth/google/callback"
+  },
+    userManagement.findOrCreateUser
+  ));
+passport.serializeUser(function(user, cb) {
+  cb(null, user);
+});
+passport.deserializeUser(function(obj, cb) {
+  cb(null, obj);
 });
-
-everyauth.google
-  .myHostname(process.env.GEMTC_HOST)
-  .authQueryParam({
-    approval_prompt: 'auto'
-  })
-  .appId(process.env.GEMTC_GOOGLE_KEY)
-  .appSecret(process.env.GEMTC_GOOGLE_SECRET)
-  .scope('https://www.googleapis.com/auth/userinfo.profile email')
-  .handleAuthCallbackError(function() {
-    logger.debug('gemtc.handleAuthCallbackError');
-    //todo redirect to error page
-  })
-  .redirectPath('/')
-  .findOrCreateUser(function(session, accessToken, accessTokenExtra, googleUserMetadata) {
-
-    logger.debug("gemtc.findOrCreateUser");
-    var promise = this.Promise();
-    userRepository.findUserByGoogleId(googleUserMetadata.id, function(error, result) {
-      var user = result;
-      if (!user) {
-        userRepository.createUserAndConnection(accessToken, accessTokenExtra, googleUserMetadata, function(error, result) {
-          user = {
-            id: result,
-            username: googleUserMetadata.name,
-            firstName: googleUserMetadata.given_name,
-            lastName: googleUserMetadata.family_name
-          };
-          session.userId = user.id;
-          promise.fulfill(user);
-        });
-      } else {
-        session.userId = user.id;
-        promise.fulfill(user);
-      }
-    });
-    return promise;
-  });
 
 var app = express();
 
 logger.info('Start Gemtc stand-alone app');
 
 module.exports = app
+  .use(helmet())
   .use(session(sessionOpts))
-
-  .use(csrf({
-    value: loginUtils.csrfValue
-  }))
-  .use(bodyparser.json())
+  .get('/signin', function(req, res) {
+    res.sendFile(__dirname + '/dist/signin.html');
+  })
+  .use(passport.initialize())
+  .use(passport.session())
+  .get('/auth/google/', passport.authenticate('google', { scope: ['profile', 'email'] }))
+  .get('/auth/google/callback', passport.authenticate('google', { failureRedirect: '/signin' }),
+    function(req, res) {
+      res.redirect('/');
+    })
+  .get('/logout', function(req, res) {
+    req.logout();
+    res.redirect('/');
+  })
+  // .use(csurf({  // ?????
+  //   value: loginUtils.csrfValue
+  // }))
+  .use(csurf())
+  .use(bodyparser.json({ limit: '5mb' }))
   .use(loginUtils.setXSRFTokenMiddleware)
   .all('*', loginUtils.securityMiddleware)
-  .get('/user', loginUtils.emailHashMiddleware)
   .use('/patavi', mcdaPataviTaskRouter)
   .use('/analyses', analysisRouter)
   .use('/analyses/:analysisId/models', modelRouter)
@@ -86,6 +84,5 @@ module.exports = app
   .use(express.static('dist'))
   .use(express.static('fonts'))
   .use(express.static('../manual'))
-  .use(everyauth.middleware())
   .use(errorHandler)
-  .listen(3001);
+  .listen(3001);
diff --git a/karma.conf.js b/karma.conf.js
@@ -18,7 +18,6 @@ module.exports = function(config) {
     plugins: [
       'karma-chrome-launcher',
       'karma-firefox-launcher',
-      'karma-phantomjs-launcher',
       'karma-junit-reporter',
       'karma-jasmine',
       'karma-coverage',

diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
     "test": "mocha && karma",
     "build-dev": "webpack --config webpack.dev.js",
     "build-prod": "webpack --config webpack.prod.js",
-    "dev": "webpack --config webpack.dev.js watch"
+    "dev": "webpack --config webpack.dev.js --watch"
   },
   "repository": {
     "type": "git",
@@ -20,88 +20,82 @@
     "url": "https://github.com/drugis/gemtc-web/issues"
   },
   "homepage": "https://github.com/drugis/gemtc-web",
-  "dependencies": {},
+  "dependencies": {
+    "async": "~1.2.1",
+    "body-parser": "^1.18.3",
+    "connect-pg-simple": "^5.0.0",
+    "cookie-parser": "~1.4.2",
+    "csurf": "~1.8.2",
+    "express": "^4.16.3",
+    "express-session": "^1.15.6",
+    "helmet": "^3.13.0",
+    "http-status-codes": "~1.0.5",
+    "lodash": "^4.17.10",
+    "passport": "^0.4.0",
+    "passport-google-oauth20": "^1.0.0",
+    "pg": "~7.4.3"
+  },
   "devDependencies": {
     "angular": "~1.6.6",
     "angular-animate": "~1.6.6",
+    "angular-cookies": "^1.7.3",
     "angular-foundation-6": "drugis/angular-foundation-6#master",
     "angular-mocks": "~1.6.6",
-    "angular-patavi-client": "drugis/angular-patavi-client#~2.0.4",
+    "angular-patavi-client": "github:drugis/angular-patavi-client#unbower",
     "angular-resource": "~1.6.6",
     "angular-sanitize": "~1.6.0",
     "angular-touch": "~1.6.6",
     "angular-ui-router": "~1.0.5",
     "angular1-templateurl-loader": "^1.0.0",
-    "assert": "~1.4.0",
-    "async": "~1.2.1",
-    "body-parser": "~1.15.1",
     "bowser": "~0.7.3",
     "chai": "~2.3.0",
     "chai-spies": "~0.6.0",
     "clean-webpack-plugin": "^0.1.19",
     "clipboard": "~1.6.0",
-    "connect": "~3.3.5",
-    "cookie-parser": "~1.4.2",
-    "core-js": "^2.5.3",
     "css-loader": "^1.0.0",
-    "csurf": "~1.8.2",
     "d3": "~3.5.6",
-    "error-reporting": "drugis/error-reporting#~1.2.1",
-    "everyauth": "~0.4.9",
-    "export-directive": "drugis/export-directive#1.0.2",
+    "error-reporting": "drugis/error-reporting#1.3.0",
+    "export-directive": "drugis/export-directive#unbower",
     "exports-loader": "^0.7.0",
     "expose-loader": "^0.7.5",
-    "express": "~4.12.4",
-    "express-session": "~1.11.2",
     "file-loader": "^1.1.11",
     "font-awesome": "~4.3.0",
     "foundation-sites": "~6",
-    "help-popup": "drugis/help-popup#~0.3.0",
+    "help-popup": "github:danielreid/help-popup#unbower",
     "html-webpack-plugin": "^3.2.0",
-    "http-status-codes": "~1.0.5",
     "imports-loader": "^0.8.0",
     "jasmine-core": "~3.2.1",
     "jquery": "~3.2.1",
-    "jshint": "~2.8.0",
+    "jshint": "^2.9.6",
     "json-loader": "^0.5.7",
     "karma": "3.0.0",
     "karma-chrome-launcher": "~2.2.0",
     "karma-coverage": "~1.1.2",
     "karma-firefox-launcher": "~1.1.0",
     "karma-jasmine": "~1.1.2",
     "karma-junit-reporter": "~1.2.0",
-    "karma-phantomjs-launcher": "1.0.4",
     "karma-webpack": "^3.0.0",
     "katex": "~0.6.0",
-    "lodash": "~4.2.0",
     "mini-css-extract-plugin": "^0.4.1",
     "mocha": "^5.2.0",
     "modernizr": "~3.6.0",
-    "moment": "~2.10.0",
+    "moment": "^2.22.2",
     "nvd3": "~1.8.5",
     "papaparse": "~4.1.1",
-    "pg": "~4.5.5",
-    "phantomjs-polyfill-find": "ptim/phantomjs-polyfill-find",
-    "phantomjs-prebuilt": "^2.1.16",
     "proxyquire": "~1.5.0",
     "raw-loader": "^0.5.1",
-    "requirejs": "~2.1.18",
-    "scrollup": "markgoodyear/scrollup#2.4.1",
-    "should": "~7.1.0",
+    "scrollup": "markgoodyear/scrollup#v2.4.1",
     "sinon": "~1.17.0",
     "smooth-scroller": "firstandthird/smooth-scroller#0.1.0",
     "style-loader": "^0.22.1",
-    "superagent": "~1.2.0",
-    "supertest": "~1.0.1",
+    "superagent": "~3.8.3",
     "toc": "jgallen23/toc#0.3.2",
-    "uglifyjs-webpack-plugin": "^1.3.0",
     "url-loader": "^1.1.1",
-    "webpack": "^4.16.5",
+    "webpack": "^4.17.1",
     "webpack-cli": "^3.1.0",
-    "webpack-manifest-plugin": "^2.0.3",
     "webpack-merge": "^4.1.4",
     "what-input": "~4.1.3",
-    "winston": "~1.0.0"
+    "winston": "~3.0.0"
   },
   "engines": {
     "yarn": ">= 1.0.0"

diff --git a/standalone-app/analysisHandlers.js b/standalone-app/analysisHandlers.js
@@ -5,7 +5,7 @@ var statusCodes = require('http-status-codes');
 
 function queryAnalyses(request, response, next) {
   logger.debug('query analyses');
-  analysisRepository.query(request.session.userId, function(error, result) {
+  analysisRepository.query(request.user.id, function(error, result) {
     if (error) {
       logger.error(error);
       response.sendStatus(statusCodes.INTERNAL_SERVER_ERROR);
@@ -29,7 +29,7 @@ function getAnalysis(request, response, next) {
       response.sendStatus(statusCodes.INTERNAL_SERVER_ERROR);
       response.end();
     } else {
-      if (isAnalysisOwner(analysis, request.session.userId)) {
+      if (isAnalysisOwner(analysis, request.user.id)) {
         response.json(analysis);
       } else {
         response.sendStatus(statusCodes.FORBIDDEN);
@@ -41,8 +41,8 @@ function getAnalysis(request, response, next) {
 
 function createAnalysis(request, response, next) {
   logger.debug('create analysis: ' + JSON.stringify(request.body));
-  logger.debug('request.session.userId: ' + request.session.userId);
-  analysisRepository.create(request.session.userId, request.body, function(error, newAnalysis) {
+  logger.debug('request.user.id: ' + request.user.id);
+  analysisRepository.create(request.user.id, request.body, function(error, newAnalysis) {
     if (error) {
       logger.error(error);
       response.sendStatus(statusCodes.INTERNAL_SERVER_ERROR);

diff --git a/standalone-app/analysisRepository.js b/standalone-app/analysisRepository.js
@@ -1,7 +1,7 @@
 'use strict';
 var logger = require('./logger'),
   dbUtil = require('./dbUtil'),
-  db = require('./db')(dbUtil.gemtcDBUrl);
+  db = require('./db')(dbUtil.connectionConfig);
 
 function rowMapper(row) {
   row.primaryModel = row.primarymodel;

diff --git a/standalone-app/analysisRouter.js b/standalone-app/analysisRouter.js
@@ -1,6 +1,5 @@
 var express = require('express');
 var analysisHandlers = require('./analysisHandlers');
-var modelRouter = require('./modelRouter');
 
 module.exports = express.Router()
   .get('/', analysisHandlers.queryAnalyses)