feat: add support for x-forwarded-host

dinoboff · dinoboff · commit 4e31b364129f · 2017-08-04T00:58:46.000+01:00
Adds `trustProxy` option to HMAC_SHA1 and Provider constructor.

It overloads the Provider constructor with the third argument being either a nonceStore or an options object (for a nonceStore, a signer and the trustProxy flag):

    new Provider(key: string, secret: string, options: NonceStore|Options, signer: Algo)
diff --git a/src/hmac-sha1.coffee b/src/hmac-sha1.coffee
@@ -40,6 +40,9 @@ _clean_request_body = (body, query) ->
 
 class HMAC_SHA1
 
+  constructor: (options) ->
+    @trustProxy = options and options.trustProxy
+
   toString: () ->
     'HMAC_SHA1'
 
@@ -52,24 +55,37 @@ class HMAC_SHA1
 
     @sign_string sig.join('&'), consumer_secret, token
 
+  host: (req) ->
+    if not @trustProxy
+      return req.headers.host
+
+    req.headers['x-forwarded-host'] or req.headers.host
+
+  protocol: (req) ->
+    xprotocol = req.headers['x-forwarded-proto']
+    if @trustProxy and xproto
+      return xproto
+
+    if req.protocol
+      return req.protocol
+
+    if req.connection.encrypted then 'https' else 'http'
+
   build_signature: (req, body, consumer_secret, token) ->
     hapiRawReq = req.raw and req.raw.req
     if hapiRawReq
       req = hapiRawReq
 
     originalUrl = req.originalUrl or req.url
-    protocol = req.protocol
+    host = @host req
+    protocol = @protocol req
 
     # Since canvas includes query parameters in the body we can omit the query string
     if body.tool_consumer_info_product_family_code == 'canvas'
       originalUrl = url.parse(originalUrl).pathname
 
-    if protocol is undefined
-      encrypted = req.connection.encrypted
-      protocol = (encrypted and 'https') or 'http'
-    
     parsedUrl  = url.parse originalUrl, true
-    hitUrl     = protocol + '://' + req.headers.host + parsedUrl.pathname
+    hitUrl     = protocol + '://' + host + parsedUrl.pathname
 
     @build_signature_raw hitUrl, parsedUrl, req.method, body, consumer_secret, token
 
diff --git a/src/provider.coffee b/src/provider.coffee
@@ -6,19 +6,25 @@ extensions        = require './extensions'
 
 
 class Provider
-  constructor: (consumer_key, consumer_secret, nonceStore, signature_method=(new HMAC_SHA1()) ) ->
+  constructor: (consumer_key, consumer_secret, optionsOrNonceStore, signature_method) ->
 
     if typeof consumer_key is 'undefined' or consumer_key is null
       throw new errors.ConsumerError 'Must specify consumer_key'
 
     if typeof consumer_secret is 'undefined' or consumer_secret is null
       throw new errors.ConsumerError 'Must specify consumer_secret'
 
-    if not nonceStore
+    if optionsOrNonceStore and optionsOrNonceStore.isNonceStore?()
+      nonceStore = optionsOrNonceStore
+      options = {
+        trustProxy: false
+      }
+    else
       nonceStore = new MemoryNonceStore()
+      options = optionsOrNonceStore or {}
 
-    if not nonceStore.isNonceStore?()
-      throw new errors.ParameterError 'Fourth argument must be a nonceStore object'
+    if not signature_method
+      signature_method = options.signer or new HMAC_SHA1(options)
 
     @consumer_key     = consumer_key
     @consumer_secret  = consumer_secret
