Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cover non-Heroku secure requests in HTTPS redirect exemption #4483

Merged
merged 1 commit into from
Mar 25, 2019

Conversation

thecubic
Copy link
Contributor

resolves #4427 by flipping conditional and testing for req[uest].secure which is set on pure-HTTPS-no-middleware setups (i.e. not Heroku)

This resolves the issue for me; with this commit I do not need to set INSECURE_USE_HTTP to true which is an accidental and strange workaround being that I'm HTTPS-only full-stop.

@PieterGit
Copy link
Contributor

PieterGit commented Mar 22, 2019

@thecubic What kind of reverse proxy setup do you use?

Do you known when req.secure evaluates to true? For which types of reverse proxies?

I tried to integrate , https://www.npmjs.com/package/express-sslify into Nightscout, see (unfinished, not working branch) https://github.com/PieterGit/cgm-remote-monitor/commits/wip/http-redirect
specifically PieterGit@82cd05a

We must make this unsafe connection detection work on Heroku, Azure and reverse proxies setups (like Nginx, Apache or Letsencrypt).

According to https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#Common_non-standard_response_fields X-Forwarded-Proto is a de facto standard for identifying the originating protocol of an HTTP request, but it's superseded by the Forwarded header, which is https://tools.ietf.org/html/rfc7239#section-5.4

@thecubic Can you do more research on the best way that works for all hosting scenario's and complies to X-Forwarded-Proto and Forwarded header standards? I would like to have a solution that works (and is tested) for all possible use cases.

@PieterGit PieterGit mentioned this pull request Mar 23, 2019
@thecubic
Copy link
Contributor Author

I don't use a reverse proxy. None is necessary for my setup, because expressjs supports HTTPS out-of-the-box. Part of not using Heroku for me is the non-support of TLS for free tiers.

here's the API documentation for that variable: https://expressjs.com/en/api.html#req.secure

A Boolean property that is true if a TLS connection is established

In that situation, a redirect doesn't make sense, hence the bug and this pull request. If a reverse proxy is using TLS to talk to the node server (I mean, why have a reverse proxy then but ok), it will be set, but that is again a situation where you would not redirect.

We must make this unsafe connection detection work on Heroku,

That is not affected by this pull request, since direct-to-node-server would still not have secure set, and double-fail the OR conditional

Can you do more research

That represents major scope creep from fixing a direct bug. I cannot.

I would like to have a solution that works (and is tested) for all possible use cases.

In the meantime, is this PR blocked? It passes CI and I don't see a code problem called out.

@sulkaharo
Copy link
Member

LGTM, I think this would help in many of the cases where SSL is used in self-made hosting environments. (FWIW vast majority of Nightscout users are on Azure or Heroku.)

@PieterGit PieterGit merged commit db5d8fe into nightscout:dev Mar 25, 2019
@PieterGit
Copy link
Contributor

Merged. Note this is similar as the express-sslify module logic, see https://github.com/florianheinemann/express-sslify/blob/master/index.js

@jweismann
Copy link
Contributor

As to the name of the config variable INSECURE_USE_HTTP. I believe it would be a good idea to let the name reflect the action, e.g. REDIRECT_2_HTTPS to avoid confusion in places like this where INSECURE_USE_HTTP really means the opposite, namely stick to the HTTPS already used and don't try to add additional redirections.

tanja3981 pushed a commit to tanja3981/cgm-remote-monitor that referenced this pull request May 21, 2019
PavloBasiuk added a commit to PavloBasiuk/cgm-remote-monitor that referenced this pull request Jun 4, 2019
* remove sgvdata

* Fix re-loading bug in profile editor and ensure changes made by the user aren't lost

* Add treatments delete id debug.

* Fix devicestatus ObjectID usage.

* Use new objId in api call

* Make ObjectID initialization consistent

* Fix syntax errors in websocket.js

(cherry picked from commit c945c2e)

* update fontello

use  fontello-cli --config ./config.json install and move the files to the staic/glyphs directory

* minor german language changes

* Adding me to list of translators

* improve helmet use

* add default security settings and test

* add default for hsts extendsettings

* fix app.json

* redirect by default

* test

* test csp

* allow 'unsafe-inline' for stylesSrc and scriptSrc

* Turkish language support added

* npm update, disable Content Security Policy headers for now.  Currently Nightscout is not yet compatible with CSP.

* fix settings.test.js

* fix INSECURE_USE_HTTP

* Some correction

* Some corrections

* Some corrections-1

* Some corrections-2

* Some corrections-3

* clean Turkish language support

* Fix identation

* Initial weektoweek

* More updates for weektoweek

* Add weektoweek report to index

* Fix syntax error

* Fix syntax error

* Fix spelling for localeData

* Fix initialization of weekstoshow array

* Initialize new week

* Fix call to prepareHtml

* Make new sgv array for each week

* Fix reference into datastorage array

* Increment currDay as required

* error correction rising/falling

* Add weektoweek debug logs

* Update CONTRIBUTING.md

Added notes on expectations on Pull Requests

* clean Turkish language support

* Update CONTRIBUTING.md

Added note on README updates

* Update CONTRIBUTING.md

Clarified plugins, bug fixing parts

* Fix syntax error

* Fixed index error

* Handle sort order differences

* Sort week before prepareHtml

* Fix syntax error

* Test fix for week partition

* Fix first day of week getting squashed

* Fix it for real this time

* Update app.json

* Fix missing comma

* Adds back the support for loading Entries with CSV and TEXT formats (nightscout#4114)

* Adds back the support for loading Entries with CSV and TEXT formats

* Add default JSON processing MIME type to request formatting

* Cleanly return a blank string if no entries are found

* Restore TSV output extension, better logging

* Initial Japanese Additions

* Don't move to next week if current week is empty

* Fix syntax error

* Color by day and week report specific size and scale

* Comment out some debug

* style format update

* Use from and to dates to set week span for week2week

* Fix newest on top start point

* Fix newest on top

* Don't render week to week if not selected

* Add unit test for weektoweek report

* Remove weektoweek logging code

* Add clean treatments admin tool.

* Fix clean treatments status html id name

* Return status to treatments delete by query

* Add clean entries db admin tool

(cherry picked from commit f56f0b3)

* Correct delete query fields for entries db

* Make devicestatus delete consistent with entries

* cleanup devicestatus delete

* Add isId to api/devicestatus

* Set query options correctly for devicestatus

* Use dateString for devicestatus date field

* Fix devicestatus default date field

* Fix devicestatus delete query handling

* No 'model' concept for devicestatus

* initialize query find by id correctly for devicestatus delete

* Match devicestatus api indention

* Make treatments delete match devicestatus

* Remove old treatments id api path

* Add entries support for delete query

* Remove unused function.

* Removed unused function.

* Add API updates for new delete options.

* Reload data when entries or treatments are deleted

* Fix week 2 week report when not all weekdays are selected

* Fix weekNum calculation

* Make week2week more resilient to date selections

* Fix codacy findings

* Remove more unused variables

* Add new strings to language.js

* Prevent deleting entries or treatments more recent than 2 days ago

* Add unit test for removing old devicestatus records

* Fix codacy finding

* Add unit test for cleantreatmentsdb.js

* Add unit test for cleanentriesdb.js

* Update Makefile

Regenerated the Codacy Token and gave the new token to Travis

* Update Makefile

Regenerated the Codacy Token and gave the new token to Travis

* Add insert, query, delete test for treatments api

* Add insert, query, delete test for entries api

* Add insert, query, delete test for devicestatus api

* Japanese!

Adding myself as a Japanese Translator. ^_^

* More Japanese

Trying to add an additional update. Having issues with the process. Hopefully I got it this time!

* Add support for Node 10. Upgrade to node 8.14.x . Don't start on older Node versions (except Node 8.11.1 from Azure)

- incorporates nightscout#4134 and nightscout#4129

* allow node ^10.4.2 || ^8.14.1 || ~8.11.1

* fix version typo and add missing parts of PR

* Additions and improvements for Danish language

* Update bgclock.html

Fix for clock showing "24:xx" in 24-hour mode.

* Pad 24h hours with zero

* Upgrade to Node 10 for Azure. Upgrade to version Node 8.15.0 for Node 8 users.

According to Darren Lee @balshor Node 10.14.1 is available on Azure, see https://gitter.im/nightscout/public?at=5c2a50c70b7fc97caaca6211 or https://gist.github.com/balshor/f3bbb86ff98eeecefc5dd4bdb4118b1b

* update code comments on Node versions

thanks @jpcunningh nightscout#4155 (comment)

* Updated rawbg settings to use a single setting tri-state variable.

* upgrade share2nightscout-bridge to  ~0.2.0-dev-20190102

Use npm released version instead of wip/generalize branch. This version will also make sure Nightscout won't crash if Dexcom servers are down.

* update to released version of share2nightscout-bridge and update webpck-cli to 3.2.0

* Added Japanese

Added Japanese and myself to the list of editors. :) Hope I got the details right!

* add jsdom pinned to 11.11.0 (required for benv unit tests)

* Make weektoweek use SCALE_Y system setting correctly

* Make default scale y initialize correctly

* Cleanup code for initializing weektoweek scale

* Add mmconnect note to the ENABLE description

* Add MMCONNECT_ vars

* Update minimed-connect-to-nightscout reference

* Update moment dependency to match dev

* Removed advanced entries for clarity

Didn't get any feedback either way on this change after multiple enquiries, so going ahead with simplification here. If anyone sorely misses any of these items from the default form, can always put them back in. Also added SHOW_PLUGINS, as it's a useful starter setting.

* Tweak mLab/Mongo wording

* Have the UI fully update immediately after new data update. Debounce the Mongo loading for 5 seconds after data has been updated (nightscout#4189)

* Update --bug-report.md

Adding auto-labeling of bugs with the bug label

* Update README.md

Added clarity to ssl config details, and specifics for the use of letsencrypt

* Update README.md

Feedback from @unsoluble

* Fixed the spacing.

I see what you mean. Fixed it. :)

* Semiquote

Used the wrong semiquote.. urg. sorry! All better now.

* spacing check.

* Spacing Test x2

* This should do it!

* Norwegian language corrections and translations

* make Saving profile translatable

* revert minimed-connect version

* two small tweaks

* fix readENVTruthy and make INSECURE_USE_HTTP, SECURE_HSTS_HEADER, SECURE_HSTS_HEADER_* and SECURE_CSP work as expected.

readENVTruthy never returned defaultValue. if not set to on|off|true|false the default value is returned

* npm update

* add missing env

* upgrade to minmum of Node 10.15.1

* fix ident and add extra test to env.test.js

* remove mqtt leftover

* ie8 is not compatible with Terser, so make that explicit

* npm update and integrate terser-webpack-plugin as minimizer

Stick to `terser` version `~3.14.1` instead of `^3.16.0`, because of
```
ERROR in js/bundle.js from Terser
TypeError: Cannot read property 'minify' of undefined
    at minify (E:\path\toc\cgm-remote-monitor\node_modules\terser-webpack-plugin\dist\minify.js:175:23)
```

See terser/terser#254 for details on that bug

* user correct env

* Update IFTTT maker-setup.md docs (nightscout#4206)

* Create test.md

Create folder maker-setup-images

* Add files via upload

Added images to maker-setup-images

* Delete test.md

Delete temp file

* Update maker-setup.md

* Update README.md

Altered the IFTTT section

* Loopalyzer enhanced (nightscout#4215)

* Added table with profiles

First attempt

* Prettified profiles table, ensured last profile displayed

* 1st attempt add showing active profile

* Finalized support for displaying multiple profiles

* Improved deduplication of profiles

* Restored formatting

* Made profiles table a selectable option

* Tolerant in case profile is missing data

* More tolerant on bad profiles

* Refactored the deduplication

Note - needs to be thoroughly tested

* Fixed the profiles table and deduplication of profiles

* Fixed enable/disable of time shift checkbox

* Added explanation of time shift feature

* Added timeshift explanation

Need to run through a last verification before merging to NS,
but my NS currently won't build b/c of npm issues.

* Final Loopalyzer-enhanced

Profiles table works, information on time shift feature added, time shift disabled when only single day.

* Maker docs copyedit & cleanup (nightscout#4256)

* copyedit-and-cleanup

* fix filename typo

* Reimplement Predictions support to Reports (nightscout#4254)

* reimplement nightscout#3179 (Predictions support to Reports)

* add predictions.js

* set version to release candidate 1: 0.11.0-rc1-20190205 (nightscout#4259)

* Tag matafiles with 0.10.3-master-20180805

* Fixes the site for iOS 9 and older

* Name too long, please switch back to BWP

* Create issue templates for NS repo

* Update CONTRIBUTING.md

Added notes on expectations on Pull Requests

* Update CONTRIBUTING.md

Added note on README updates

* Update CONTRIBUTING.md

Clarified plugins, bug fixing parts

* Update --bug-report.md

Adding auto-labeling of bugs with the bug label

* fix contributors (nightscout#4260)

* fix typo in contributors

* fix typo

* Fix auth button ui & update cache busting for App Cache (nightscout#4270)

* small doc fix to comments on Node versions

* Update README.md

* * Fixes authentication dialog UI on Mobile Safari
* Improves app cache busting, so after deploy the app is guaranteed to notice it has to reload content
* Small fix to Finnish language related to auth UI

* Merge master to dev (nightscout#4273)

Merging changes made to Master since last release into Dev for a release

* Update release version

* Update dev version to 0.11.1

* remove + from version, make way for 0.11.1, upgrade webpack (nightscout#4277)

* Improvement: causes client to say Ok Ok when the alarm test button is pressed, needed for speech to work on mobile browsers

* Added janrpn as maintainer of the Danish language (nightscout#4379)

* Update CONTRIBUTING.md

Added myself as maintainer of the Danish language

* Revert "Update CONTRIBUTING.md"

This reverts commit 4864a67.

* Added myself as maintainer of the Danish language

* Changed base image to node:10-alpine (nightscout#4409)

* Wrong Korean translation update (nightscout#4407)

Korean translation update

* @diabetlum added in the list (nightscout#4328)

Add @diabetlum as a maintainer for Türkçe / Turkish language

* Turkish language updates (nightscout#4271)

* required correction

* required correction2

* @diabetlum added in the list

@diabetlum added in the list

* Testing if recent changes have fixed builds in Linux-based Travis instances

* Make sure NPM is up to date

* Protein and Fat logging support (nightscout#3830)

* Add protein and fat logging to CarePortal, simple sums to day to day reporting, grams in graphs

* Add fat and protein to swagger

* Fix aggregate report sometimes considering logged carbs, protein and fat as a string. Add editing of protein and fat to reports. Show protein and carbs on daily reports

* Node and npm update (nightscout#4412)

* npmupdate, update webpack, webpack-bundle-analyzer, swagger-ui-dist, jsonwebtoken, helmet, flot

* update to version 0.11.2-dev-20190224

* also test on latest Node (currently 11), but don't fail Travis build if it fails.

implement cclauss suggestion on openaps/oref0#1203 (comment)

* fix travis

* Node minor security upgrade

Node.js 8.15.1 (LTS "Carbon")
Node.js 10.15.2 (LTS "Dubnium")
Node.js 11.10.1 (Current)

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

* fix typo

* npm update

* update npm-shrinkwrap.json

* Croatian translation (nightscout#4349)

* Croatian (hr) translations

* typo correction in hr translation

* added myself to translation

* fix incomplete edit

* few Croatian translation enhancements

* Remove profile toggle and always show Profile Editor link (nightscout#4448)

* Remove Profile Editor toggle

`profile` isn't an optional plugin anymore; doesn't need this display toggle. (Plus it was erroneously toggling off in the absence of the `basal` plugin — see nightscout#4442.)

* Remove profilecontrol class

* Add support for rendering Triple Up and Triple Down Direction (nightscout#4458)

* Support TripleUp Direction for Medtronic Guardian using a single triple arrow Unicode char

* release candiate for 0.11.2 with Minimed EU Server and Guardian Connecti integration (nightscout#4487)

* first release candiate for 0.11.2 with Minimed EU Server and Guardian Connect integration

- integrates mddub/minimed-connect-to-nightscout#11 into Nightscout

* bump node 10 LTS version

* cover request.secure in HTTPS redirect exemption (nightscout#4483)

* Fix CSP handling (nightscout#4449)

* Change incompatible module and fix a memory leak in the process

* Fix fonts, allow websocket

* Oops fix a brainfart with using the hostname

* Don't inlude null hostname

* Update the shrinkwrap

* Instantiate new cache if new instance of profile code is created. Calculate IOB with three digit precision to keep tests happy (and this is roughly the precision we're operating at anyway).

* - implement @jweismann suggestions nightscout#4449 (comment)
- add frameAncestors, baseUri and formAction protection

* update README and run doctoc

* fix reportOnly

* add objectSrc

* Use modern CSS loading

* Change CSS to use the "official" async loading across the board (which hopefully plays nicer with CSP)

* first release candiate for 0.11.2 with Minimed EU Server and Guardian Connect integration

- integrates mddub/minimed-connect-to-nightscout#11 into Nightscout

* bump node 10 LTS version

* increase logging, fix /swagger.yaml

* fix typo

* set version to rc2, update mongodb to 3.2.2

* add SECURE_CSP_REPORT_ONLY (default false).

* npm update and revert to requiring Node versions without security issues.

* Enable id query with no date (nightscout#4481)

* Enable id query with no date

* Add unit test for query.js

* Fix stale data alarms on latest iOS  (nightscout#4542)

* Suspend TimeAgo reports for 15 seconds if the app has been sleeping. Add a BACK link to reports (due to iOS now not resetting springboard web apps, so it's impossible to go back to the main view)

* Move detection to another plugin call

* Wip/ios springboard app fixes (nightscout#4543)

* Suspend TimeAgo reports for 15 seconds if the app has been sleeping. Add a BACK link to reports (due to iOS now not resetting springboard web apps, so it's impossible to go back to the main view)

* Move detection to another plugin call

* Fix typoed millsecond multiplier and drop the alarm suspend to 10 seconds

* Moved to braces module, which is maintained and doesn't have vulnerable dependencies. Added a mention of EU minimed servers to README.

* Wip/libre reporting fixes (nightscout#4502)

* release 0.11.1 (nightscout#4279)

* Update dev version to 0.11.1

* remove + from version, make way for 0.11.1, upgrade webpack (nightscout#4277)

* Reporting compatibiilty fixes for Libre/Miaomiao

  * Allow sgv readings that are spaced 1 minute apart (report.js)
  * Calculate GVI using the actual time deltas of each individual sgv record (don't assume 5 minute gaps)
  * Calculate rapid rise deltas using time delta of the sgv record (don't assume 5 minute gaps)
  * Fix bug in GVIDelta calculation

* Bug fixes after testing

  * Each for loop was dropping the last 2 values of the array
      - firstly, due to using < instead of <= for the length comparator
      - secondly, the last value in the array is never checked, so it was not added

* Code clean ups

  * Commented out all unused references to RMS calculation
  * Removed unused totals variable
  * Formatted using project js-beautify rules

* Update npm-shrinkwrap.json

* Add display_units as a required variable (nightscout#4559)

* re-add out of range RMS (nightscout#4450)

* Allow framing in Helmet, as many users have setups like monitoring two PWDs in a frame-based setup, which was broken by the previous release (nightscout#4495)

* Fixed alexa doc link. (nightscout#4423)

* uncomment the rest of rms
not sure if it's right, but at least there's no error

* display '50+ U', when there's no reservoir value for an Eros pod

* display Loop override in a new pill

could be also be used by openaps, AAPS, or other systems

* css tweaks so the pills align better

* another CSS tweak that allows the pills on the right side to wrap

* update readme to include the override plugin and resole TODO

* fix loop test to expect evBG in the pill value

* Add try/catch blocks to around plugin calls, which should in most cases prevent a single data error in a single plugin from taking down the entire Nightscout (nightscout#4595)

* add triple-arrow svgs (nightscout#4640)

* Fix BG data wrapping issue with Chrome (nightscout#4667)
@thecubic thecubic deleted the dev branch June 26, 2019 05:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants