Support cross origin embedding

This commit is contained in:
Jeremy Zhang 2020-11-30 05:20:49 -08:00
parent 1e9d443756
commit cba4014bde
7 changed files with 101 additions and 12 deletions

View File

@ -1,6 +1,6 @@
from titanembeds.database import db, Guilds, UnauthenticatedUsers, UnauthenticatedBans, AuthenticatedUsers, get_administrators_list, get_badges, DiscordBotsOrgTransactions
from titanembeds.decorators import valid_session_required, discord_users_only, abort_if_guild_disabled
from titanembeds.utils import check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role
from titanembeds.utils import serializer, check_guild_existance, guild_accepts_visitors, guild_query_unauth_users_bool, get_client_ipaddr, discord_api, rate_limiter, channel_ratelimit_key, guild_ratelimit_key, user_unauthenticated, checkUserRevoke, checkUserBanned, update_user_status, check_user_in_guild, get_guild_channels, guild_webhooks_enabled, guild_unauthcaptcha_enabled, get_member_roles, get_online_embed_user_keys, redis_store, redisqueue, get_forced_role
from titanembeds.oauth import user_has_permission, generate_avatar_url, check_user_can_administrate_guild
import titanembeds.constants as constants
from flask import Blueprint, abort, jsonify, session, request, url_for
@ -14,9 +14,29 @@ import datetime
import re
import requests
from config import config
import copy
api = Blueprint("api", __name__)
@api.after_request
def after_request(response):
if response.is_json:
session_copy = copy.deepcopy(dict(session))
data = response.get_json()
data["session"] = serializer.dumps(json.dumps(session_copy))
response.set_data(json.dumps(data))
return response
@api.before_request
def before_request():
authorization = request.headers.get("authorization", None)
if authorization:
try:
data = json.loads(serializer.loads(authorization))
session.update(data)
except:
pass
def parse_emoji(textToParse, guild_id):
guild_emojis = get_guild_emojis(guild_id)
for gemoji in guild_emojis:

View File

@ -1,11 +1,12 @@
from flask import Blueprint, render_template, abort, redirect, url_for, session, request, make_response
from flask_babel import gettext
from titanembeds.utils import check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys
from titanembeds.utils import serializer, check_guild_existance, guild_query_unauth_users_bool, guild_accepts_visitors, guild_unauthcaptcha_enabled, is_int, redisqueue, get_online_embed_user_keys
from titanembeds.oauth import generate_guild_icon_url, generate_avatar_url
from titanembeds.database import db, Guilds, UserCSS, list_disabled_guilds
from config import config
import random
import json
import copy
from urllib.parse import urlparse
embed = Blueprint("embed", __name__)
@ -104,7 +105,10 @@ def guild_embed(guild_id):
@embed.route("/signin_complete")
def signin_complete():
return render_template("signin_complete.html.j2")
sess = ""
session_copy = copy.deepcopy(dict(session))
sess = serializer.dumps(json.dumps(session_copy))
return render_template("signin_complete.html.j2", session=sess)
@embed.route("/login_discord")
def login_discord():

View File

@ -1,4 +1,4 @@
from titanembeds.utils import socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role
from titanembeds.utils import serializer, socketio, guild_accepts_visitors, get_client_ipaddr, discord_api, check_user_in_guild, get_guild_channels, update_user_status, guild_webhooks_enabled, redis_store, redisqueue, get_forced_role
from titanembeds.database import db
from flask_socketio import Namespace, emit, disconnect, join_room, leave_room
import functools
@ -17,6 +17,13 @@ class Gateway(Namespace):
emit('hello', {"gateway_identifier": gateway_identifier})
def on_identify(self, data):
authorization = data.get("session", None)
if authorization:
try:
data = json.loads(serializer.loads(authorization))
session.update(data)
except:
pass
guild_id = data["guild_id"]
if not guild_accepts_visitors(guild_id) and not check_user_in_guild(guild_id):
disconnect()

View File

@ -23,6 +23,8 @@
/* global is_peak */
/* global cookie_test_s2_URL */
var passedCookieTest = true; // If passed cross origin test
(function () {
const theme_options = ["DiscordDark", "FireWyvern", "IceWyvern", "MetroEdge", "BetterTitan"]; // All the avaliable theming names
const badges_options = ["administrator", "partner", "supporter", "discordbotsorgvoted"]; // All badges avaliable
@ -58,6 +60,19 @@
var localstorage_avaliable = false; // Check if localstorage is avaliable on this browser
var shouldUtilizeGateway = false; // Don't connect to gateway until page is focused or has interaction.
var discord_users_list_enabled = false; // Allow automatic population of discord users list
var session = ""; // stores the session if cross origin requests are not honored
function ajax_before_send(jqXHR, settings) {
if (session && !passedCookieTest) {
jqXHR.setRequestHeader('Authorization', session);
}
}
function ajax_always(data, textStatus, jqXHR) {
if (!passedCookieTest) {
session = data.session;
}
}
function element_in_view(element, fullyInView) {
var pageTop = $(window).scrollTop();
@ -103,8 +118,10 @@
var funct = $.ajax({
dataType: "json",
url: url,
data: {"guild_id": guild_id}
beforeSend: ajax_before_send,
data: {"guild_id": guild_id},
});
funct.always(ajax_always);
return funct.promise();
}
@ -113,8 +130,10 @@
method: "POST",
dataType: "json",
url: "/api/create_authenticated_user",
beforeSend: ajax_before_send,
data: {"guild_id": guild_id}
});
funct.always(ajax_always);
return funct.promise();
}
@ -123,8 +142,10 @@
method: "POST",
dataType: "json",
url: "/api/create_unauthenticated_user",
beforeSend: ajax_before_send,
data: {"username": username, "guild_id": guild_id, "captcha_response": captchaResponse}
});
funct.always(ajax_always);
return funct.promise();
}
@ -133,8 +154,10 @@
method: "POST",
dataType: "json",
url: "/api/change_unauthenticated_username",
beforeSend: ajax_before_send,
data: {"username": username, "guild_id": guild_id}
});
funct.always(ajax_always);
return funct.promise();
}
@ -150,8 +173,10 @@
method: "GET",
dataType: "json",
url: url,
beforeSend: ajax_before_send,
data: {"guild_id": guild_id,"channel_id": channel_id, "after": after}
});
funct.always(ajax_always);
return funct.promise();
}
@ -163,6 +188,7 @@
var ajaxobj = {
method: "POST",
dataType: "json",
beforeSend: ajax_before_send,
url: "/api/post"
}
if (file) {
@ -198,6 +224,7 @@
}
ajaxobj.data = data;
var funct = $.ajax(ajaxobj);
funct.always(ajax_always);
return funct.promise();
}
@ -212,16 +239,20 @@
function api_user(user_id) {
var funct = $.ajax({
dataType: "json",
beforeSend: ajax_before_send,
url: "/api/user/" + guild_id + "/" + user_id,
});
funct.always(ajax_always);
return funct.promise();
}
function list_users() {
var funct = $.ajax({
dataType: "json",
beforeSend: ajax_before_send,
url: "/api/user/" + guild_id,
});
funct.always(ajax_always);
return funct.promise();
}
@ -233,8 +264,10 @@
var funct = $.ajax({
dataType: "json",
url: url,
beforeSend: ajax_before_send,
data: {"guild_id": guild_id}
});
funct.always(ajax_always);
return funct.promise();
}
@ -1999,7 +2032,14 @@
}
}
$("#discordlogin_btn").click(function() {
$("#discordlogin_btn").click(function(e) {
e.preventDefault();
var wid = window.open($("#discordlogin_btn").attr("href"), "_blank");
postRobot.on("setSession", { window: wid }, function(event) {
if (!passedCookieTest) {
session = event.data.session;
}
});
lock_login_fields();
wait_for_discord_login();
});
@ -2374,7 +2414,11 @@
socket = io.connect(location.protocol + '//' + document.domain + ':' + location.port + "/gateway", {path: '/gateway', transports: ['websocket'], query: "v=1"});
socket.on('connect', function () {
socket.emit('identify', {"guild_id": guild_id, "visitor_mode": visitor_mode});
var sen = {"guild_id": guild_id, "visitor_mode": visitor_mode};
if (!passedCookieTest && session) {
sen["session"] = session;
}
socket.emit('identify', sen);
});
socket.on('hello', function (msg) {
@ -2720,12 +2764,16 @@ window._3rd_party_test_step1_loaded = function () {
window._3rd_party_test_step2_loaded = function (cookieSuccess) {
if (!cookieSuccess) {
$("#third-party-cookies-notice").show().addClass("done");
$("#login-greeting-msg, #loginmodal-maincontent").hide();
//$("#third-party-cookies-notice").show().addClass("done");
//$("#login-greeting-msg, #loginmodal-maincontent").hide();
passedCookieTest = false;
} else {
//$("#third-party-cookies-notice").hide().addClass("done");
//$("#login-greeting-msg, #loginmodal-maincontent").show();
passedCookieTest = true;
}
$("#third-party-cookies-notice").hide().addClass("done");
$("#login-greeting-msg, #loginmodal-maincontent").show();
}
};
window.setTimeout(function(){

View File

@ -449,6 +449,7 @@
<script src="https://cdnjs.cloudflare.com/ajax/libs/soundmanager2/2.97a.20150601/script/soundmanager2-nodebug-jsmin.js" integrity="sha256-5KBL+8gS3BkWOs22YOrezN3Djl4pwodgZaPQY9hgu4Y=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/es6-shim/0.35.3/es6-shim.min.js" integrity="sha256-THlgZSjqt7idNSdnUvGypTuXB5C4hV9kSuPYrbiq19o=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/caret/1.0.0/jquery.caret.min.js" integrity="sha256-NfP6KWI/oETcPbLcLXVAamn8K2wJrYH8ZIRrOf1XNUE=" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
<script src="{{ url_for("static", filename="js/vendor/highlight.pack.js") }}"></script>
<script src="{{ url_for("static", filename="js/vendor/jquery.balloon.min.js") }}"></script>

View File

@ -5,8 +5,14 @@
</head>
<body>
<p>Sign in complete! You may now close the window.</p>
<script src="https://cdnjs.cloudflare.com/ajax/libs/post-robot/10.0.42/post-robot.min.js" integrity="sha512-8rkatbA3uOONyiRqBiT5dvzaE7hWX6m0SpVr/4rpAxxuZX+Vjuvqp+DSmF1sQX3268hMk8BZxHVRdgHmuoDhXQ==" crossorigin="anonymous"></script>
<script>
window.close()
const session = {{ session|tojson|safe }};
postRobot
.send(window.opener, 'setSession', { session: session })
.then(function () {
window.close();
});
</script>
</body>
</html>

View File

@ -7,6 +7,7 @@ from flask_babel import Babel
from flask_redis import FlaskRedis
from config import config
from sqlalchemy import and_
from itsdangerous import URLSafeSerializer
#from raven.contrib.flask import Sentry
import random
import string
@ -22,6 +23,8 @@ from titanembeds.redisqueue import RedisQueue
discord_api = DiscordREST(config['bot-token'])
redisqueue = RedisQueue()
serializer = URLSafeSerializer(config["app-secret"])
def get_client_ipaddr():
if request.headers.getlist("X-Forwarded-For"):
ip = request.headers.getlist("X-Forwarded-For")[0]