Fix login from ios and probably other email clients, also add key in the email itself. According to https://security.stackexchange.com/questions/177643/is-emailing-sign-in-links-bad-practice having any keys in the email is not secure anyway, so we are unsafe already anyway, at least now users have a chance to copy the key and delete the email

2020-04-29 09:15:46 +02:00 · 2020-04-29 09:15:46 +02:00 · 140b68b2c8
parent 909b76f167
commit 140b68b2c8
2 changed files with 54 additions and 30 deletions
--- a/web/lib/express.js
+++ b/web/lib/express.js
@ -181,16 +181,7 @@ router.get(
  }
 );

-router.get("/login", { public: true }, (_req, res) => {
-  res.render("shared/login", { mode });
-});
-
-router.post("/login", { public: true }, async (req, res) => {
-  const submittedKey =
-    req.files && req.files.ssb_key
-      ? req.files.ssb_key.data.toString()
-      : req.body.ssb_key || req.body.x_ssb_key; // x_ssb_key is because hotmail for some reason appends the x_
-
+const doLogin = async (submittedKey, res) => {
  try {
    const decodedKey = reconstructKeys(submittedKey);
    res.cookie("ssb_key", JSON.stringify(decodedKey), cookieOptions);
@ -205,6 +196,24 @@ router.post("/login", { public: true }, async (req, res) => {
    debug("Error on login", e);
    res.send("Invalid key");
  }
+};
+
+router.get("/login", { public: true }, async (req, res) => {
+  const login_key =
+    req.query.key && Buffer.from(req.query.key, "base64").toString("utf8");
+
+  if (login_key) {
+    await doLogin(JSON.parse(login_key), res);
+  } else {
+    res.render("shared/login", { mode });
+  }
+});
+
+router.post("/login", { public: true }, async (req, res) => {
+  const submittedKey =
+    req.files && req.files.ssb_key && req.files.ssb_key.data.toString();
+
+  await doLogin(submittedKey, res);
 });

 router.get("/download", { public: true }, (_req, res) => {
@ -267,24 +276,38 @@ router.get("/keys", (req, res) => {
 });

 router.post("/keys/email", async (req, res) => {
+  /* According to https://security.stackexchange.com/questions/177643/is-emailing-sign-in-links-bad-practice
+   * having any keys in the email is not secure, but the alternative to just ask users to copy their key on
+   * sign up will not work because users tend to press Next > Next > Next > Done without reading, and it will
+   * lead to loss of account access.
+   * Solution is to put an email field which they fill without thinking and send them the key by email, asking
+   * on the email body to copy the key and delete it later.
+   */
  const email = req.body.email;
  const origin = req.body.origin;
+  const ssb_key = req.signedCookies["ssb_key"];
+  const login_key = Buffer.from(JSON.stringify(ssb_key)).toString("base64");

-  let html = await ejs.renderFile("views/shared/email_sign_in.ejs", {
-    origin,
-    ssb_key: req.signedCookies["ssb_key"],
-  });
+  if (process.env.NODE_ENV == "production") {
+    let html = await ejs.renderFile("views/shared/email_sign_in.ejs", {
+      origin,
+      ssb_key,
+      login_key,
+    });

-  sgMail.setApiKey(process.env.SENDGRID_API_KEY);
-  const msg = {
-    to: email,
-    from: "Feedless <rgrchvs@gmail.com>",
-    subject: `Login button for ${req.context.profile.name}`,
-    html,
-  };
-  await sgMail.send(msg);
+    sgMail.setApiKey(process.env.SENDGRID_API_KEY);
+    const msg = {
+      to: email,
+      from: "Feedless <rgrchvs@gmail.com>",
+      subject: `Login button for ${req.context.profile.name}`,
+      html,
+    };
+    await sgMail.send(msg);

-  res.redirect("/");
+    res.redirect("/");
+  } else {
+    res.render("shared/email_sign_in", { origin, ssb_key, login_key });
+  }
 });

 router.get("/keys/copy", (req, res) => {
--- a/web/views/shared/email_sign_in.ejs
+++ b/web/views/shared/email_sign_in.ejs
@ -1,12 +1,13 @@
-<div style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased; line-height: 1.3em; font-size: 16px; padding: 30px 0">
-  <h1 style="font-weight: bold; line-height: 1.3em; margin: 0; padding: 10px 0 0 0; font-weight: 200;">Login button</h1>
+<div style="font-family: Helvetica, Arial, sans-serif; line-height: 1.3em; font-size: 16px; padding: 30px 0; max-width: 600px; margin: 0 auto;">
+  <h1 style="font-family: 'Lucida Grande', sans-serif; font-weight: bold; line-height: 1.3em; margin: 0; padding: 10px 0 0 0; font-weight: 200;">Login button</h1>
  <p>Welcome to Feedless, please use the button below to login to your account:</p>
-  <form action="<%= origin %>/login" method="POST" style="padding: 20px 0">
-    <input type="hidden" name="ssb_key" value="<%= ssb_key %>" />
-    <input type="submit" value="Login to Feedless" style="background: #08d; color: #fff; border-radius: 3px; padding: 8px 10px; border: none; cursor: pointer; text-decoration: none; display: inline-block; padding: 16px 20px; font-size: 18px; -webkit-appearance: none;">
-  </form>
+  <a href="<%= origin %>/login?key=<%= login_key %>" style="background: #7fe7e7; color: #044; border-radius: 3px; margin-bottom: 10px; border: 1px solid #5f5f5f; cursor: pointer; text-decoration: none; display: inline-block; padding: 16px 20px; font-size: 18px; -webkit-appearance: none;">
+    Login to Feedless
+  </a>
+  <p>Alternatively, you can copy the key to somewhere safe and delete this email:</p>
+  <pre style="word-wrap: break-word; white-space: pre-wrap; background: #f5f5f5; border: 1px solid #ccc; border-radius: 3px; padding: 10px;"><%= ssb_key %></pre>
  <p>
-    Never delete or forward this email, it is they key to accessing your account
+    Never share those keys and never forward this email
  </p>
  <p>
    From your friends at Feedless 😉