fix(indiekit): prevent log in with other URLs. fixes #283

packages/indiekit/controllers/session.js

@@ -2,12 +2,10 @@ import httpError from 'http-errors';
 import IndieAuth from 'indieauth-helper';
 import normalizeUrl from 'normalize-url';
 import {v4 as uuidv4} from 'uuid';
-import validator from 'express-validator';
 
 const auth = new IndieAuth({
   secret: uuidv4()
 });
-const {validationResult} = validator;
 
 export const login = (request, response) => {
   if (request.session.token) {
@@ -32,16 +30,8 @@ export const login = (request, response) => {
 };
 
 export const authenticate = async (request, response) => {
-  const errors = validationResult(request);
-  if (!errors.isEmpty()) {
-    return response.status(422).render('session/login', {
-      title: response.__('session.login.title'),
-      errors: errors.mapped()
-    });
-  }
-
   try {
-    const me = normalizeUrl(request.body.me, {
+    const me = normalizeUrl(response.locals.publication.me, {
       removeTrailingSlash: false
     });
     auth.options.me = new URL(me).href;

packages/indiekit/locales/de.js

@@ -8,8 +8,9 @@ export const de = {
   session: {
     login: {
       title: 'Einloggen',
+      description: 'Melden Sie sich mit IndieAuth zu überprüfen, ob Sie %s besitzen',
       me: 'Webadresse',
-      submit: 'Einloggen',
+      submit: 'Einloggen mit IndieAuth',
       error: {
         validateState: 'Fehlender Code oder State inkongruenz'
       }

packages/indiekit/locales/en.js

@@ -8,8 +8,9 @@ export const en = {
   session: {
     login: {
       title: 'Sign in',
+      description: 'Sign in with IndieAuth to verify that you own %s',
       me: 'Web address',
-      submit: 'Sign in',
+      submit: 'Sign in with IndieAuth',
       error: {
         validateState: 'Missing code or state mismatch'
       }

packages/indiekit/package.json

@@ -43,7 +43,6 @@
     "cookie-session": "^1.4.0",
     "debug": "^4.1.1",
     "express": "^4.17.1",
-    "express-validator": "^6.6.1",
     "got": "^11.6.2",
     "http-errors": "^1.8.0",
     "i18n": "^0.13.2",

packages/indiekit/routes/session.js

@@ -1,12 +1,11 @@
 import express from 'express';
 import * as sessionController from '../controllers/session.js';
-import * as validate from '../middleware/validation.js';
 
 const router = express.Router(); // eslint-disable-line new-cap
 
 // Log in
 router.get('/login', sessionController.login);
-router.post('/login', validate.me, sessionController.authenticate);
+router.post('/login', sessionController.authenticate);
 
 // Authentication callback
 router.get('/auth', sessionController.authenticationCallback);

packages/indiekit/tests/routes/session.js

@@ -11,12 +11,6 @@ test('Returns login page', async t => {
   t.is(response.type, 'text/html');
 });
 
-test('Login validates URL', async t => {
-  const response = await request.post('/session/login')
-    .send('me=foobar');
-  t.is(response.status, 422);
-});
-
 test('Login returns 401 if URL is unauthorized', async t => {
   const response = await request.post('/session/login')
     .send('me=example.website');

packages/indiekit/views/session/login.njk

@@ -8,20 +8,8 @@
   }) }}
 {% endblock %}
 {% block fieldset %}
-  {{ input({
-    id: "me",
-    name: "me",
-    value: errors.me.value or publication.me,
-    label: {
-      text: __("session.login.me")
-    },
-    inputmode: "url",
-    autocomplete: "url",
-    errorMessage: {
-      text: errors.me.msg,
-      label: __("error")
-    } if errors.me
-  }) | indent(2) }}
+  {% set me = publication.me | replace("http://", "") | replace("https://", "") %}
+  <p>{{ __("session.login.description", "<b>" + me + "</b>") | safe }}</p>
 
   {{ input({
     name: "redirect_uri",