| -rw-r--r-- | app/controllers/home_controller.rb | 4 | ||||
| -rw-r--r-- | app/views/home/index.html.haml | 21 | ||||
| -rw-r--r-- | app/views/layouts/_content.html.haml | 2 | ||||
| -rw-r--r-- | app/views/layouts/application.html.haml | 3 | ||||
| -rw-r--r-- | app/views/layouts/home.html.haml | 12 | ||||
| -rw-r--r-- | users/config/locales/en.yml | 1 | ||||
| -rw-r--r-- | users/leap_web_users.gemspec | 2 | ||||
| -rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 2 | ||||
| -rw-r--r-- | users/test/integration/browser/account_test.rb | 20 | 
9 files changed, 52 insertions, 15 deletions
diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb index 120541e..be26eb6 100644 --- a/app/controllers/home_controller.rb +++ b/app/controllers/home_controller.rb @@ -1,9 +1,9 @@ -  class HomeController < ApplicationController +  layout 'home' +    def index      if logged_in?        redirect_to user_overview_url(current_user)      end -    debugger if params[:debug]    end  end diff --git a/app/views/home/index.html.haml b/app/views/home/index.html.haml index 8c90436..0d1ac73 100644 --- a/app/views/home/index.html.haml +++ b/app/views/home/index.html.haml @@ -1,12 +1,15 @@ -%h1= t(:welcome, :provider => APP_CONFIG[:domain]) +#main +  .container-fluid +    .row-fluid +      %h1= t(:welcome, :provider => APP_CONFIG[:domain]) -%p -  We provide secure communication services, including encrypted internet, email (coming soon), and chat (coming later). +      %p +        We provide secure communication services, including encrypted internet, email (coming soon), and chat (coming later). -= home_page_buttons +      = home_page_buttons -- if Rails.env == 'development' -  .row-fluid -    %hr -    %p -      = link_to "fetch a cert", cert_path +      - if Rails.env == 'development' +        .row-fluid +          %hr +          %p +            = link_to "fetch a cert", cert_path diff --git a/app/views/layouts/_content.html.haml b/app/views/layouts/_content.html.haml index 19af627..d5c2fa3 100644 --- a/app/views/layouts/_content.html.haml +++ b/app/views/layouts/_content.html.haml @@ -1,5 +1,5 @@  -# --# Partial for displaying the page content. This is the only place that content should be displayed. +-# Partial for displaying the page content. This is the only place that content should be displayed (except for home layout)  -#  - if content_for?(:content) diff --git a/app/views/layouts/application.html.haml b/app/views/layouts/application.html.haml index 380f92d..816b558 100644 --- a/app/views/layouts/application.html.haml 
+++ b/app/views/layouts/application.html.haml @@ -11,8 +11,7 @@          = yield(:head)    %body      #masthead -      - if params[:controller] != 'home' -        = render 'layouts/masthead' +      = render 'layouts/masthead'      #main        .container-fluid          - if logged_in? diff --git a/app/views/layouts/home.html.haml b/app/views/layouts/home.html.haml new file mode 100644 index 0000000..e6fa15d --- /dev/null +++ b/app/views/layouts/home.html.haml @@ -0,0 +1,12 @@ +!!! +%html +  %head +    %meta{:content => "width=device-width, initial-scale=1.0", :name => "viewport"} +      %title= html_title +      %meta{:content => content_for?(:description) ? yield(:description) : "LEAP Web", :name => "description"} +        = stylesheet_link_tag "application", :media => "all" +        = javascript_include_tag "application" +        = csrf_meta_tags +        = yield(:head) +  %body +    = yield
\ No newline at end of file diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml index 1aa7005..62f822c 100644 --- a/users/config/locales/en.yml +++ b/users/config/locales/en.yml @@ -12,6 +12,7 @@ en:    change_password: "Change Password"    login_message: "Please log in with your account."    invalid_user_pass: "Not a valid username/password combination" +  invalid_ephemeral: "Invalid random key used. This looked like an attempt to hack the site to us. If it wasn't please contact support so we can look into the issue."    all_strategies_failed: "Could not understand your login attempt. Please first send your login and a SRP ephemeral value A and then send the client_auth in the same session (using cookies)."    update_login_and_password: "Update Login and Password"    destroy_my_account: "Destroy my account" diff --git a/users/leap_web_users.gemspec b/users/leap_web_users.gemspec index d33328a..7d1f220 100644 --- a/users/leap_web_users.gemspec +++ b/users/leap_web_users.gemspec @@ -17,6 +17,6 @@ Gem::Specification.new do |s|    s.add_dependency "leap_web_core", LeapWeb::VERSION -  s.add_dependency "ruby-srp", "~> 0.2.0" +  s.add_dependency "ruby-srp", "~> 0.2.1"    s.add_dependency "rails_warden"  end diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 2c681be..4688fcd 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -49,6 +49,8 @@ module Warden          else            fail! :base => 'invalid_user_pass'          end +      rescue SRP::InvalidEphemeral +        fail!(:base => "invalid_ephemeral")        end        def json_response(object) diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index ce63baf..c65c491 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb 
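Review bot: The new `home` layout appears to repeat the `%head` of `application.html.haml` line for line, including `csrf_meta_tags` and the asset tags, so any later change to the head has to be made in two files and can silently miss the home page. Moving the shared lines into one partial rendered from both layouts (for example `= render 'layouts/head'`, a name chosen here for illustration) would keep them in step. The `%title` and asset lines are also indented under the `%meta` tags rather than beside them; that seems to mirror the existing layout, but it is worth flattening while the block is being copied.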
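Review bot: The new `rescue SRP::InvalidEphemeral` branch in `secure_remote_password.rb` calls `fail!(:base => "invalid_ephemeral")` without recording anything on the server, although the `invalid_ephemeral` message added to `en.yml` in this commit asks the user to contact support "so we can look into the issue". A rejected ephemeral is a signal operators will want in the logs, so I would add a line such as `Rails.logger.warn "SRP login rejected: invalid ephemeral from #{request.ip}"` before the `fail!`, assuming the strategy's `request` helper is available at that point. The method carrying this rescue starts above the hunk, so which call raises the exception is not visible here. The call style also differs from `fail! :base => 'invalid_user_pass'` a few lines up; one form for both would read better.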
@@ -20,4 +20,24 @@ class AccountTest < BrowserIntegrationTest      assert_equal '/', current_path    end +  # trying to seed an invalid A for srp login +  test "detects attempt to circumvent SRP" do +    user = FactoryGirl.create :user +    visit '/sessions/new' +    fill_in 'Username', with: user.login +    fill_in 'Password', with: "password" +    inject_malicious_js +    click_on 'Log In' +    assert !page.has_content?("Welcome") +    assert page.has_content?("Invalid random key") +  end + +  def inject_malicious_js +    page.execute_script <<-EOJS +      var calc = new srp.Calculate(); +      calc.A = function(_a) {return "00";}; +      calc.S = calc.A; +      srp.session = new srp.Session(null, calc); +    EOJS +  end  end  | 
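Review bot: The test "detects attempt to circumvent SRP" only checks rendered text ("Welcome" absent, "Invalid random key" present) and never checks that no authenticated session was created. `HomeController#index` in this same commit redirects logged-in users to `user_overview_url`, so adding `visit '/'` and `assert_equal '/', current_path` after the two content assertions would pin the session state itself. Separately, `assert !page.has_content?("Welcome")` runs before the assertion that waits for the error message; asserting the error text first and then `assert page.has_no_content?("Welcome")` makes the negative check run against the rendered response.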
