Support cross origin embedding

2024-11-14 01:51:22 +01:00 · 2020-11-30 05:20:49 -08:00 · 2020-11-30 05:20:49 -08:00 · cba4014bde
commit cba4014bde
parent 1e9d443756
7 changed files with 101 additions and 12 deletions
--- a/webapp/titanembeds/blueprints/api/api.py
+++ b/webapp/titanembeds/blueprints/api/api.py
@ -1,6 +1,6 @@
 from titanembeds.database import db, Guilds, UnauthenticatedUsers, UnauthenticatedBans, AuthenticatedUsers, get_administrators_list, get_badges, DiscordBotsOrgTransactions
 from titanembeds.decorators import valid_session_required, discord_users_only, abort_if_guild_disabled
-from titanembeds.utils import check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role
+from titanembeds.utils import serializer, check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role
 from titanembeds.oauth import user_has_permission, generate_avatar_url, check_user_can_administrate_guild
 import titanembeds.constants as constants
 from flask import Blueprint, abort, jsonify, session, request, url_for
@ -14,9 +14,29 @@ import datetime
 import re
 import requests
 from config import config
 import copy
 api = Blueprint("api", __name__)
@api.after_request
 def after_request(response):
    if response.is_json:
        session_copy = copy.deepcopy(dict(session))
        data = response.get_json()
        data["session"] = serializer.dumps(json.dumps(session_copy))
        response.set_data(json.dumps(data))
    return response
@api.before_request
 def before_request():
    authorization = request.headers.get("authorization", None)
    if authorization:
        try:
            data = json.loads(serializer.loads(authorization))
            session.update(data)
        except:
            pass
 def parse_emoji(textToParse, guild_id):
    guild_emojis = get_guild_emojis(guild_id)
    for gemoji in guild_emojis:
--- a/webapp/titanembeds/blueprints/embed/embed.py
+++ b/webapp/titanembeds/blueprints/embed/embed.py
@ -1,11 +1,12 @@
 from flask import Blueprint, render_template, abort, redirect, url_for, session, request, make_response
 from flask_babel import gettext
-from titanembeds.utils import check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys
+from titanembeds.utils import serializer, check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys
 from titanembeds.oauth import generate_guild_icon_url, generate_avatar_url
 from titanembeds.database import db, Guilds, UserCSS, list_disabled_guilds
 from config import config
 import random
 import json
 import copy
 from urllib.parse import urlparse
 embed = Blueprint("embed", __name__)
@ -104,7 +105,10 @@ def guild_embed(guild_id):
@embed.route("/signin_complete")
 def signin_complete():
-    return render_template("signin_complete.html.j2")
+    sess = ""
    session_copy = copy.deepcopy(dict(session))
    sess = serializer.dumps(json.dumps(session_copy))
    return render_template("signin_complete.html.j2", session=sess)
@embed.route("/login_discord")
 def login_discord():
--- a/webapp/titanembeds/blueprints/gateway/gateway.py
+++ b/webapp/titanembeds/blueprints/gateway/gateway.py
@ -1,4 +1,4 @@
-from titanembeds.utils import socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role
+from titanembeds.utils import serializer, socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role
 from titanembeds.database import db
 from flask_socketio import Namespace, emit, disconnect, join_room, leave_room
 import functools
@ -17,6 +17,13 @@ class Gateway(Namespace):
        emit('hello', {"gateway_identifier": gateway_identifier})
    def on_identify(self, data):
        authorization = data.get("session", None)
        if authorization:
            try:
                data = json.loads(serializer.loads(authorization))
                session.update(data)
            except:
                pass
        guild_id = data["guild_id"]
        if not guild_accepts_visitors(guild_id) and not check_user_in_guild(guild_id):
            disconnect()
--- a/webapp/titanembeds/static/js/embed.js
+++ b/webapp/titanembeds/static/js/embed.js
@ -23,6 +23,8 @@
 /* global is_peak */
 /* global cookie_test_s2_URL */
 var passedCookieTest = true; // If passed cross origin test
 (function () {
    const theme_options = ["DiscordDark", "FireWyvern", "IceWyvern", "MetroEdge", "BetterTitan"]; // All the avaliable theming names
    const badges_options = ["administrator", "partner", "supporter", "discordbotsorgvoted"]; // All badges avaliable
@ -58,6 +60,19 @@
    var localstorage_avaliable = false; // Check if localstorage is avaliable on this browser
    var shouldUtilizeGateway = false; // Don't connect to gateway until page is focused or has interaction.
    var discord_users_list_enabled = false; // Allow automatic population of discord users list
    var session = ""; // stores the session if cross origin requests are not honored
    function ajax_before_send(jqXHR, settings) {
        if (session && !passedCookieTest) {
            jqXHR.setRequestHeader('Authorization', session);
        }
    }
    function ajax_always(data, textStatus, jqXHR) {
        if (!passedCookieTest) {
            session = data.session;
        }
    }
    function element_in_view(element, fullyInView) {
        var pageTop = $(window).scrollTop();
@ -103,8 +118,10 @@
        var funct = $.ajax({
            dataType: "json",
            url: url,
-            data: {"guild_id": guild_id}
+            beforeSend: ajax_before_send,
            data: {"guild_id": guild_id},
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -113,8 +130,10 @@
            method: "POST",
            dataType: "json",
            url: "/api/create_authenticated_user",
            beforeSend: ajax_before_send,
            data: {"guild_id": guild_id}
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -123,8 +142,10 @@
            method: "POST",
            dataType: "json",
            url: "/api/create_unauthenticated_user",
            beforeSend: ajax_before_send,
            data: {"username": username, "guild_id": guild_id, "captcha_response": captchaResponse}
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -133,8 +154,10 @@
            method: "POST",
            dataType: "json",
            url: "/api/change_unauthenticated_username",
            beforeSend: ajax_before_send,
            data: {"username": username, "guild_id": guild_id}
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -150,8 +173,10 @@
            method: "GET",
            dataType: "json",
            url: url,
            beforeSend: ajax_before_send,
            data: {"guild_id": guild_id,"channel_id": channel_id, "after": after}
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -163,6 +188,7 @@
        var ajaxobj = {
            method: "POST",
            dataType: "json",
            beforeSend: ajax_before_send,
            url: "/api/post"
        }
        if (file) {
@ -198,6 +224,7 @@
        }
        ajaxobj.data = data;
        var funct = $.ajax(ajaxobj);
        funct.always(ajax_always);
        return funct.promise();
    }
@ -212,16 +239,20 @@
    function api_user(user_id) {
        var funct = $.ajax({
            dataType: "json",
            beforeSend: ajax_before_send,
            url: "/api/user/" + guild_id + "/" + user_id,
        });
        funct.always(ajax_always);
        return funct.promise();
    }
    function list_users() {
        var funct = $.ajax({
            dataType: "json",
            beforeSend: ajax_before_send,
            url: "/api/user/" + guild_id,
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -233,8 +264,10 @@
        var funct = $.ajax({
            dataType: "json",
            url: url,
            beforeSend: ajax_before_send,
            data: {"guild_id": guild_id}
        });
        funct.always(ajax_always);
        return funct.promise();
    }
@ -1999,7 +2032,14 @@
        }
    }
-    $("#discordlogin_btn").click(function() {
+    $("#discordlogin_btn").click(function(e) {
        e.preventDefault();
        var wid = window.open($("#discordlogin_btn").attr("href"), "_blank");
        postRobot.on("setSession", { window: wid }, function(event) {
            if (!passedCookieTest) {
                session = event.data.session;
            }
        });
        lock_login_fields();
        wait_for_discord_login();
    });
@ -2374,7 +2414,11 @@
        socket = io.connect(location.protocol + '//' + document.domain + ':' + location.port + "/gateway", {path: '/gateway', transports: ['websocket'], query: "v=1"});
        socket.on('connect', function () {
-            socket.emit('identify', {"guild_id": guild_id, "visitor_mode": visitor_mode});
+            var sen = {"guild_id": guild_id, "visitor_mode": visitor_mode};
            if (!passedCookieTest && session) {
                sen["session"] = session;
            }
            socket.emit('identify', sen);
        });
        socket.on('hello', function (msg) {
@ -2720,12 +2764,16 @@ window._3rd_party_test_step1_loaded = function () {
 window._3rd_party_test_step2_loaded = function (cookieSuccess) {
    if (!cookieSuccess) {
-        $("#third-party-cookies-notice").show().addClass("done");
+        //$("#third-party-cookies-notice").show().addClass("done");
-        $("#login-greeting-msg, #loginmodal-maincontent").hide();
+        //$("#login-greeting-msg, #loginmodal-maincontent").hide();
        passedCookieTest = false;
    } else {
-        $("#third-party-cookies-notice").hide().addClass("done");
+        //$("#third-party-cookies-notice").hide().addClass("done");
-        $("#login-greeting-msg, #loginmodal-maincontent").show();
+        //$("#login-greeting-msg, #loginmodal-maincontent").show();
        passedCookieTest = true;
    }
    $("#third-party-cookies-notice").hide().addClass("done");
    $("#login-greeting-msg, #loginmodal-maincontent").show();
 };
 window.setTimeout(function(){
--- a/webapp/titanembeds/templates/embed.html.j2
+++ b/webapp/titanembeds/templates/embed.html.j2
@ -449,6 +449,7 @@
    <script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.35.3/es6-shim.min.js" integrity="sha256-THlgZSjqt7idNSdnUvGypTuXB5C4hV9kSuPYrbiq19o=" crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/caret/1.0.0/jquery.caret.min.js" integrity="sha256-NfP6KWI/oETcPbLcLXVAamn8K2wJrYH8ZIRrOf1XNUE=" crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
    <script src="{{ url_for("static", filename="js/vendor/highlight.pack.js") }}"></script>
    <script src="{{ url_for("static", filename="js/vendor/jquery.balloon.min.js") }}"></script>
--- a/webapp/titanembeds/templates/signin_complete.html.j2
+++ b/webapp/titanembeds/templates/signin_complete.html.j2
@ -5,8 +5,14 @@
    </head>
    <body>
        <p>Sign in complete! You may now close the window.</p>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
        <script>
-            window.close()
+            const session = {{ session|tojson|safe }};
            postRobot
                .send(window.opener, 'setSession', { session: session })
                .then(function () {
                    window.close();
                });
        </script>
    </body>
 </html>
--- a/webapp/titanembeds/utils.py
+++ b/webapp/titanembeds/utils.py
@ -7,6 +7,7 @@ from flask_babel import Babel
 from flask_redis import FlaskRedis
 from config import config
 from sqlalchemy import and_
 from itsdangerous import URLSafeSerializer
 #from raven.contrib.flask import Sentry
 import random
 import string
@ -22,6 +23,8 @@ from titanembeds.redisqueue import RedisQueue
 discord_api = DiscordREST(config['bot-token'])
 redisqueue = RedisQueue()
 serializer = URLSafeSerializer(config["app-secret"])
 def get_client_ipaddr():
    if request.headers.getlist("X-Forwarded-For"):
       ip = request.headers.getlist("X-Forwarded-For")[0]