Use HTTPS for avatar URL if approot in settings is https://

This commit is contained in:
fr33domlover 2018-03-06 00:55:52 +00:00
parent 3398b56931
commit 33af9fb289
7 changed files with 76 additions and 12 deletions

View file

@ -1,6 +1,6 @@
{- This file is part of Vervis. {- This file is part of Vervis.
- -
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>. - Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
- -
- Copying is an act of love. Please copy, reuse and share. - Copying is an act of love. Please copy, reuse and share.
- -
@ -28,9 +28,8 @@ import Network.Wai (isSecure)
import Yesod.Core (MonadHandler) import Yesod.Core (MonadHandler)
import Yesod.Core.Handler (waiRequest) import Yesod.Core.Handler (waiRequest)
getAvatarUrl :: MonadHandler m => Text -> m (Maybe Text) getAvatarUrl :: MonadHandler m => Bool -> Text -> m (Maybe Text)
getAvatarUrl email = do getAvatarUrl secure email = do
secure <- isSecure <$> waiRequest
let opts = def let opts = def
{ optSecure = secure { optSecure = secure
, optTryGravatar = False , optTryGravatar = False

View file

@ -27,8 +27,9 @@ import Text.Hamlet (hamletFile)
import Yesod.Auth.Account import Yesod.Auth.Account
import Yesod.Auth.Account.Message (AccountMsg (MsgUsernameExists)) import Yesod.Auth.Account.Message (AccountMsg (MsgUsernameExists))
import Yesod.Auth.Message (AuthMessage (IdentifierNotFound)) import Yesod.Auth.Message (AuthMessage (IdentifierNotFound))
import Yesod.Default.Util (addStaticContentExternal)
import Yesod.Core.Types (Logger) import Yesod.Core.Types (Logger)
import Yesod.Default.Util (addStaticContentExternal)
import Yesod.Mail.Send import Yesod.Mail.Send
import qualified Yesod.Core.Unsafe as Unsafe import qualified Yesod.Core.Unsafe as Unsafe

View file

@ -31,6 +31,7 @@ import Text.Blaze.Html (toHtml)
import Yesod.Auth.Account (newAccountR) import Yesod.Auth.Account (newAccountR)
import Vervis.Model.Ident import Vervis.Model.Ident
import Vervis.Secure
import Vervis.Widget (avatarW) import Vervis.Widget (avatarW)
-- | Get list of users -- | Get list of users
@ -108,4 +109,5 @@ getPersonR ident = do
Entity sid _s <- getBy404 $ UniqueSharer ident Entity sid _s <- getBy404 $ UniqueSharer ident
Entity _pid p <- getBy404 $ UniquePersonIdent sid Entity _pid p <- getBy404 $ UniquePersonIdent sid
return p return p
secure <- getSecure
defaultLayout $(widgetFile "person") defaultLayout $(widgetFile "person")

61
src/Vervis/Secure.hs Normal file
View file

@ -0,0 +1,61 @@
{- This file is part of Vervis.
-
- Written in 2018 by fr33domlover <fr33domlover@riseup.net>.
-
- Copying is an act of love. Please copy, reuse and share.
-
- The author(s) have dedicated all copyright and related and neighboring
- rights to this software to the public domain worldwide. This software is
- distributed without any warranty.
-
- You should have received a copy of the CC0 Public Domain Dedication along
- with this software. If not, see
- <http://creativecommons.org/publicdomain/zero/1.0/>.
-}
-- | Sometimes we need to give the user a URL with a different domain than the
-- main web application, but with the same protocol scheme: If we're running in
-- HTTPS, then provide an HTTPS URL. And if we're running plain HTTP, provide
-- an HTTP URL (not because HTTPS is bad, but because we may be serving that
-- URL too and simply not providing SSL for it).
--
-- In order to construct that URL, we need to figure out whether the request
-- we're serving is secured with HTTPS.
--
-- Since the web app may be running behind a reverse proxy, checking the
-- request itself isn't enough - we need to know whether a reverse proxy may be
-- serving our web app via HTTPS.
--
-- One way to detect that is @Forwarded@ headers in the request, but it seems
-- they can be faked, i.e. just inserted manually by an HTTP client. So our
-- approach here is to rely on the configured approot: If you use a reverse
-- proxy, specify the approot in your web app settings file, otherwise only the
-- request itself will be consulted.
module Vervis.Secure
( getSecure
)
where
import Prelude
import Control.Monad ((<=<))
import Data.Text (Text)
import Network.Wai (isSecure)
import Yesod.Core.Handler (getsYesod, waiRequest)
import qualified Data.Text as T (take)
import Vervis.Foundation
import Vervis.Settings
getSecure :: Handler Bool
getSecure = do
let detectScheme t =
case T.take 5 t of
"https" -> Just True
"http:" -> Just False
_ -> Nothing
msec <- getsYesod $ detectScheme <=< appRoot . appSettings
case msec of
Nothing -> isSecure <$> waiRequest
Just sec -> return sec

View file

@ -1,6 +1,6 @@
{- This file is part of Vervis. {- This file is part of Vervis.
- -
- Written in 2016 by fr33domlover <fr33domlover@riseup.net>. - Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
- -
- Copying is an act of love. Please copy, reuse and share. - Copying is an act of love. Please copy, reuse and share.
- -
@ -53,9 +53,9 @@ revisionW =
changes = $darcsTotalPatches :: Int changes = $darcsTotalPatches :: Int
in $(widgetFile "widget/revision") in $(widgetFile "widget/revision")
avatarW :: Text -> WidgetT site IO () avatarW :: Bool -> Text -> WidgetT site IO ()
avatarW email = do avatarW secure email = do
murl <- getAvatarUrl email murl <- getAvatarUrl secure email
[whamlet| [whamlet|
<div> <div>
$maybe url <- murl $maybe url <- murl

View file

@ -1,6 +1,6 @@
$# This file is part of Vervis. $# This file is part of Vervis.
$# $#
$# Written in 2016 by fr33domlover <fr33domlover@riseup.net>. $# Written in 2016, 2018 by fr33domlover <fr33domlover@riseup.net>.
$# $#
$# ♡ Copying is an act of love. Please copy, reuse and share. $# ♡ Copying is an act of love. Please copy, reuse and share.
$# $#
@ -12,7 +12,7 @@ $# You should have received a copy of the CC0 Public Domain Dedication along
$# with this software. If not, see $# with this software. If not, see
$# <http://creativecommons.org/publicdomain/zero/1.0/>. $# <http://creativecommons.org/publicdomain/zero/1.0/>.
^{avatarW $ personEmail person} ^{avatarW secure $ personEmail person}
<ul> <ul>
<li> <li>

View file

@ -92,8 +92,8 @@ library
Text.FilePath.Local Text.FilePath.Local
Text.Jasmine.Local Text.Jasmine.Local
Web.PathPieces.Local Web.PathPieces.Local
Yesod.Paginate.Local
Yesod.Mail.Send Yesod.Mail.Send
Yesod.Paginate.Local
Vervis.Application Vervis.Application
Vervis.Avatar Vervis.Avatar
@ -160,6 +160,7 @@ library
Vervis.Readme Vervis.Readme
Vervis.Render Vervis.Render
Vervis.Role Vervis.Role
Vervis.Secure
Vervis.Settings Vervis.Settings
Vervis.Settings.StaticFiles Vervis.Settings.StaticFiles
Vervis.SourceTree Vervis.SourceTree