Support cross origin embedding

This commit is contained in:
Jeremy Zhang 2020-11-30 05:20:49 -08:00
parent 1e9d443756
commit cba4014bde
7 changed files with 101 additions and 12 deletions

View File

@ -1,6 +1,6 @@
from titanembeds.database import db, Guilds, UnauthenticatedUsers, UnauthenticatedBans, AuthenticatedUsers, get_administrators_list, get_badges, DiscordBotsOrgTransactions from titanembeds.database import db, Guilds, UnauthenticatedUsers, UnauthenticatedBans, AuthenticatedUsers, get_administrators_list, get_badges, DiscordBotsOrgTransactions
from titanembeds.decorators import valid_session_required, discord_users_only, abort_if_guild_disabled from titanembeds.decorators import valid_session_required, discord_users_only, abort_if_guild_disabled
from titanembeds.utils import check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role from titanembeds.utils import serializer, check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role
from titanembeds.oauth import user_has_permission, generate_avatar_url, check_user_can_administrate_guild from titanembeds.oauth import user_has_permission, generate_avatar_url, check_user_can_administrate_guild
import titanembeds.constants as constants import titanembeds.constants as constants
from flask import Blueprint, abort, jsonify, session, request, url_for from flask import Blueprint, abort, jsonify, session, request, url_for
@ -14,9 +14,29 @@ import datetime
import re import re
import requests import requests
from config import config from config import config
import copy
api = Blueprint("api", __name__) api = Blueprint("api", __name__)
@api.after_request
def after_request(response):
if response.is_json:
session_copy = copy.deepcopy(dict(session))
data = response.get_json()
data["session"] = serializer.dumps(json.dumps(session_copy))
response.set_data(json.dumps(data))
return response
@api.before_request
def before_request():
authorization = request.headers.get("authorization", None)
if authorization:
try:
data = json.loads(serializer.loads(authorization))
session.update(data)
except:
pass
def parse_emoji(textToParse, guild_id): def parse_emoji(textToParse, guild_id):
guild_emojis = get_guild_emojis(guild_id) guild_emojis = get_guild_emojis(guild_id)
for gemoji in guild_emojis: for gemoji in guild_emojis:

View File

@ -1,11 +1,12 @@
from flask import Blueprint, render_template, abort, redirect, url_for, session, request, make_response from flask import Blueprint, render_template, abort, redirect, url_for, session, request, make_response
from flask_babel import gettext from flask_babel import gettext
from titanembeds.utils import check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys from titanembeds.utils import serializer, check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys
from titanembeds.oauth import generate_guild_icon_url, generate_avatar_url from titanembeds.oauth import generate_guild_icon_url, generate_avatar_url
from titanembeds.database import db, Guilds, UserCSS, list_disabled_guilds from titanembeds.database import db, Guilds, UserCSS, list_disabled_guilds
from config import config from config import config
import random import random
import json import json
import copy
from urllib.parse import urlparse from urllib.parse import urlparse
embed = Blueprint("embed", __name__) embed = Blueprint("embed", __name__)
@ -104,7 +105,10 @@ def guild_embed(guild_id):
@embed.route("/signin_complete") @embed.route("/signin_complete")
def signin_complete(): def signin_complete():
return render_template("signin_complete.html.j2") sess = ""
session_copy = copy.deepcopy(dict(session))
sess = serializer.dumps(json.dumps(session_copy))
return render_template("signin_complete.html.j2", session=sess)
@embed.route("/login_discord") @embed.route("/login_discord")
def login_discord(): def login_discord():

View File

@ -1,4 +1,4 @@
from titanembeds.utils import socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role from titanembeds.utils import serializer, socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role
from titanembeds.database import db from titanembeds.database import db
from flask_socketio import Namespace, emit, disconnect, join_room, leave_room from flask_socketio import Namespace, emit, disconnect, join_room, leave_room
import functools import functools
@ -17,6 +17,13 @@ class Gateway(Namespace):
emit('hello', {"gateway_identifier": gateway_identifier}) emit('hello', {"gateway_identifier": gateway_identifier})
def on_identify(self, data): def on_identify(self, data):
authorization = data.get("session", None)
if authorization:
try:
data = json.loads(serializer.loads(authorization))
session.update(data)
except:
pass
guild_id = data["guild_id"] guild_id = data["guild_id"]
if not guild_accepts_visitors(guild_id) and not check_user_in_guild(guild_id): if not guild_accepts_visitors(guild_id) and not check_user_in_guild(guild_id):
disconnect() disconnect()

View File

@ -23,6 +23,8 @@
/* global is_peak */ /* global is_peak */
/* global cookie_test_s2_URL */ /* global cookie_test_s2_URL */
var passedCookieTest = true; // If passed cross origin test
(function () { (function () {
const theme_options = ["DiscordDark", "FireWyvern", "IceWyvern", "MetroEdge", "BetterTitan"]; // All the avaliable theming names const theme_options = ["DiscordDark", "FireWyvern", "IceWyvern", "MetroEdge", "BetterTitan"]; // All the avaliable theming names
const badges_options = ["administrator", "partner", "supporter", "discordbotsorgvoted"]; // All badges avaliable const badges_options = ["administrator", "partner", "supporter", "discordbotsorgvoted"]; // All badges avaliable
@ -58,6 +60,19 @@
var localstorage_avaliable = false; // Check if localstorage is avaliable on this browser var localstorage_avaliable = false; // Check if localstorage is avaliable on this browser
var shouldUtilizeGateway = false; // Don't connect to gateway until page is focused or has interaction. var shouldUtilizeGateway = false; // Don't connect to gateway until page is focused or has interaction.
var discord_users_list_enabled = false; // Allow automatic population of discord users list var discord_users_list_enabled = false; // Allow automatic population of discord users list
var session = ""; // stores the session if cross origin requests are not honored
function ajax_before_send(jqXHR, settings) {
if (session && !passedCookieTest) {
jqXHR.setRequestHeader('Authorization', session);
}
}
function ajax_always(data, textStatus, jqXHR) {
if (!passedCookieTest) {
session = data.session;
}
}
function element_in_view(element, fullyInView) { function element_in_view(element, fullyInView) {
var pageTop = $(window).scrollTop(); var pageTop = $(window).scrollTop();
@ -103,8 +118,10 @@
var funct = $.ajax({ var funct = $.ajax({
dataType: "json", dataType: "json",
url: url, url: url,
data: {"guild_id": guild_id} beforeSend: ajax_before_send,
data: {"guild_id": guild_id},
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -113,8 +130,10 @@
method: "POST", method: "POST",
dataType: "json", dataType: "json",
url: "/api/create_authenticated_user", url: "/api/create_authenticated_user",
beforeSend: ajax_before_send,
data: {"guild_id": guild_id} data: {"guild_id": guild_id}
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -123,8 +142,10 @@
method: "POST", method: "POST",
dataType: "json", dataType: "json",
url: "/api/create_unauthenticated_user", url: "/api/create_unauthenticated_user",
beforeSend: ajax_before_send,
data: {"username": username, "guild_id": guild_id, "captcha_response": captchaResponse} data: {"username": username, "guild_id": guild_id, "captcha_response": captchaResponse}
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -133,8 +154,10 @@
method: "POST", method: "POST",
dataType: "json", dataType: "json",
url: "/api/change_unauthenticated_username", url: "/api/change_unauthenticated_username",
beforeSend: ajax_before_send,
data: {"username": username, "guild_id": guild_id} data: {"username": username, "guild_id": guild_id}
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -150,8 +173,10 @@
method: "GET", method: "GET",
dataType: "json", dataType: "json",
url: url, url: url,
beforeSend: ajax_before_send,
data: {"guild_id": guild_id,"channel_id": channel_id, "after": after} data: {"guild_id": guild_id,"channel_id": channel_id, "after": after}
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -163,6 +188,7 @@
var ajaxobj = { var ajaxobj = {
method: "POST", method: "POST",
dataType: "json", dataType: "json",
beforeSend: ajax_before_send,
url: "/api/post" url: "/api/post"
} }
if (file) { if (file) {
@ -198,6 +224,7 @@
} }
ajaxobj.data = data; ajaxobj.data = data;
var funct = $.ajax(ajaxobj); var funct = $.ajax(ajaxobj);
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -212,16 +239,20 @@
function api_user(user_id) { function api_user(user_id) {
var funct = $.ajax({ var funct = $.ajax({
dataType: "json", dataType: "json",
beforeSend: ajax_before_send,
url: "/api/user/" + guild_id + "/" + user_id, url: "/api/user/" + guild_id + "/" + user_id,
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
function list_users() { function list_users() {
var funct = $.ajax({ var funct = $.ajax({
dataType: "json", dataType: "json",
beforeSend: ajax_before_send,
url: "/api/user/" + guild_id, url: "/api/user/" + guild_id,
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -233,8 +264,10 @@
var funct = $.ajax({ var funct = $.ajax({
dataType: "json", dataType: "json",
url: url, url: url,
beforeSend: ajax_before_send,
data: {"guild_id": guild_id} data: {"guild_id": guild_id}
}); });
funct.always(ajax_always);
return funct.promise(); return funct.promise();
} }
@ -1999,7 +2032,14 @@
} }
} }
$("#discordlogin_btn").click(function() { $("#discordlogin_btn").click(function(e) {
e.preventDefault();
var wid = window.open($("#discordlogin_btn").attr("href"), "_blank");
postRobot.on("setSession", { window: wid }, function(event) {
if (!passedCookieTest) {
session = event.data.session;
}
});
lock_login_fields(); lock_login_fields();
wait_for_discord_login(); wait_for_discord_login();
}); });
@ -2374,7 +2414,11 @@
socket = io.connect(location.protocol + '//' + document.domain + ':' + location.port + "/gateway", {path: '/gateway', transports: ['websocket'], query: "v=1"}); socket = io.connect(location.protocol + '//' + document.domain + ':' + location.port + "/gateway", {path: '/gateway', transports: ['websocket'], query: "v=1"});
socket.on('connect', function () { socket.on('connect', function () {
socket.emit('identify', {"guild_id": guild_id, "visitor_mode": visitor_mode}); var sen = {"guild_id": guild_id, "visitor_mode": visitor_mode};
if (!passedCookieTest && session) {
sen["session"] = session;
}
socket.emit('identify', sen);
}); });
socket.on('hello', function (msg) { socket.on('hello', function (msg) {
@ -2720,12 +2764,16 @@ window._3rd_party_test_step1_loaded = function () {
window._3rd_party_test_step2_loaded = function (cookieSuccess) { window._3rd_party_test_step2_loaded = function (cookieSuccess) {
if (!cookieSuccess) { if (!cookieSuccess) {
$("#third-party-cookies-notice").show().addClass("done"); //$("#third-party-cookies-notice").show().addClass("done");
$("#login-greeting-msg, #loginmodal-maincontent").hide(); //$("#login-greeting-msg, #loginmodal-maincontent").hide();
passedCookieTest = false;
} else { } else {
//$("#third-party-cookies-notice").hide().addClass("done");
//$("#login-greeting-msg, #loginmodal-maincontent").show();
passedCookieTest = true;
}
$("#third-party-cookies-notice").hide().addClass("done"); $("#third-party-cookies-notice").hide().addClass("done");
$("#login-greeting-msg, #loginmodal-maincontent").show(); $("#login-greeting-msg, #loginmodal-maincontent").show();
}
}; };
window.setTimeout(function(){ window.setTimeout(function(){

View File

@ -449,6 +449,7 @@
<script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.35.3/es6-shim.min.js" integrity="sha256-THlgZSjqt7idNSdnUvGypTuXB5C4hV9kSuPYrbiq19o=" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.35.3/es6-shim.min.js" integrity="sha256-THlgZSjqt7idNSdnUvGypTuXB5C4hV9kSuPYrbiq19o=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/caret/1.0.0/jquery.caret.min.js" integrity="sha256-NfP6KWI/oETcPbLcLXVAamn8K2wJrYH8ZIRrOf1XNUE=" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/caret/1.0.0/jquery.caret.min.js" integrity="sha256-NfP6KWI/oETcPbLcLXVAamn8K2wJrYH8ZIRrOf1XNUE=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
<script src="{{ url_for("static", filename="js/vendor/highlight.pack.js") }}"></script> <script src="{{ url_for("static", filename="js/vendor/highlight.pack.js") }}"></script>
<script src="{{ url_for("static", filename="js/vendor/jquery.balloon.min.js") }}"></script> <script src="{{ url_for("static", filename="js/vendor/jquery.balloon.min.js") }}"></script>

View File

@ -5,8 +5,14 @@
</head> </head>
<body> <body>
<p>Sign in complete! You may now close the window.</p> <p>Sign in complete! You may now close the window.</p>
<script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
<script> <script>
window.close() const session = {{ session|tojson|safe }};
postRobot
.send(window.opener, 'setSession', { session: session })
.then(function () {
window.close();
});
</script> </script>
</body> </body>
</html> </html>

View File

@ -7,6 +7,7 @@ from flask_babel import Babel
from flask_redis import FlaskRedis from flask_redis import FlaskRedis
from config import config from config import config
from sqlalchemy import and_ from sqlalchemy import and_
from itsdangerous import URLSafeSerializer
#from raven.contrib.flask import Sentry #from raven.contrib.flask import Sentry
import random import random
import string import string
@ -22,6 +23,8 @@ from titanembeds.redisqueue import RedisQueue
discord_api = DiscordREST(config['bot-token']) discord_api = DiscordREST(config['bot-token'])
redisqueue = RedisQueue() redisqueue = RedisQueue()
serializer = URLSafeSerializer(config["app-secret"])
def get_client_ipaddr(): def get_client_ipaddr():
if request.headers.getlist("X-Forwarded-For"): if request.headers.getlist("X-Forwarded-For"):
ip = request.headers.getlist("X-Forwarded-For")[0] ip = request.headers.getlist("X-Forwarded-For")[0]