Merge branch 'http-validation'

Kyle Mattimore · Kyle Mattimore · commit f1449d80bb84 · 2020-08-04T15:31:06.000-05:00
diff --git a/index.js b/index.js
@@ -2,13 +2,17 @@
 
 var anonymousAccessBlocker = require('./middleware/anonymousAccessBlocker');
 var healthcheck = require('./middleware/healthcheck');
+var httpValidation = require('./middleware/httpValidation');
 var log41n = require('./middleware/log41n');
 
 var Log1n = function() {
     var self = this;
 
     self.register = function(keystone){
+        console.log('keystone-hosting: Adding Keystone routes');
+
         keystone.pre('routes', healthcheck(keystone));
+        keystone.pre('routes', httpValidation(keystone));
         keystone.pre('routes', log41n(keystone));
         keystone.pre('routes', anonymousAccessBlocker());
     };
@@ -17,4 +21,5 @@ var Log1n = function() {
 module.exports = new Log1n();
 module.exports.anonymousAccessBlocker = anonymousAccessBlocker;
 module.exports.healthcheck = healthcheck;
+module.exports.httpValidation = httpValidation;
 module.exports.log41n = log41n;
diff --git a/middleware/anonymousAccessBlocker.js b/middleware/anonymousAccessBlocker.js
@@ -21,10 +21,7 @@ module.exports = function() {
                 // The set of allowed ranges has to be separated by space characters, a comma, or newline.
                 var allowedRanges = ipRanges.split(/\s+|,|\n/);
                 
-                // Using req.ips requires that express 'trust proxy' setting is
-                // true. When it *is* set the value for ips is extracted from the
-                // X-Forwarded-For request header. The originating IP address is
-                // the last one in the array.
+                //if CLIENT_IP_ADDRESS_HEADER is set and a request coming in does not contain it, it will be denied regardless of IP
                 var requestIP = (process.env.CLIENT_IP_ADDRESS_HEADER) ? req.header(process.env.CLIENT_IP_ADDRESS_HEADER) : req.ip;
                 requestIP = rangeCheck.searchIP(requestIP);
                 
@@ -34,13 +31,13 @@ module.exports = function() {
                 
                 if (requestAllowed) {
                     // Allow the request to process
-                    console.log('Allowed IP: ' + requestIP);
+                    console.log('keystone-hosting: Allowed IP ' + requestIP);
                     return next();
                 }
             }
 
             // Request is not allowed.  Send the contents of the unauthorized.html file.
-            console.log('Blocked IP: ' + requestIP);
+            console.log('keystone-hosting: Blocked IP ' + requestIP);
             
             //set 'unauthorized' response code
             res.status(401)
diff --git a/middleware/httpValidation.js b/middleware/httpValidation.js
@@ -0,0 +1,26 @@
+module.exports = function(keystone) {
+
+    //register a route to a static (e.g. /.well-known/etc) response, if configured
+    return function(req, res, next) {
+
+        //example from cloudflare:
+        //"http_url": "http://http-preval.example.com/.well-known/pki-validation/ca3-0052344e54074d9693e89e27486692d6.txt",
+        //(include leading slash) /.well-known/pki-validation/ca3-0052344e54074d9693e89e27486692d6.txt
+        //"http_body": "ca3-be794c5f757b468eba805d1a705e44f6"
+        //ca3-be794c5f757b468eba805d1a705e44f6
+        
+        var enabled = process.env.HTTP_VALIDATION_LISTEN;
+        var httpPath = process.env.HTTP_VALIDATION_PATH;
+        var httpBody = process.env.HTTP_VALIDATION_BODY;
+
+        //ignore all requests except the exact match for /.well-known/etc...
+        if(enabled !== 'true' || !httpPath || !httpBody || req.path !== httpPath) {
+            // console.log('keystone-hosting: ignoring request' + req.path)
+            return next();
+        }
+
+        //hijack this request and simply return the desired body (a guid)
+        console.log('keystone-hosting: HTTP Validation responding to ' + req.path)
+        res.send(httpBody);
+    }
+}
