only allow https and www.cubbi.es in authorizations controller for now

2011-06-29 16:26:26 -07:00 · 2011-06-29 16:26:26 -07:00 · 144ac82577
commit 144ac82577
parent 3887144db6
2 changed files with 11 additions and 3 deletions
--- a/app/controllers/authorizations_controller.rb
+++ b/app/controllers/authorizations_controller.rb
@ -39,13 +39,13 @@ class AuthorizationsController < ApplicationController
      message = verify(signed_string, Base64.decode64(params[:signature]), public_key, manifest)
      if not (message =='ok')
        render :text => message, :status => 403
-      elsif manifest["application_base_url"].match(/^http:\/\/(localhost:\d+|chubbi\.es|cubbi\.es)\/$/).nil?
+      elsif manifest["application_base_url"].match(/^https?:\/\/(localhost:\d+|chubbi\.es|www\.cubbi\.es|cubbi\.es)\/$/).nil?
        # This will only be temporary (less than a month) while we iron out the kinks in Diaspora Connect. Essentially,
        # whatever we release people will try to work off of and it sucks to build things on top of non-stable things.
        # We also started writing a gem that we'll release (around the same time) that makes becoming a Diaspora enabled
        # ruby project a breeze.

-        render :nothing => true
+        render :text => "Domain (#{manifest["application_base_url"]}) currently not authorized for Diaspora OAuth", :status => 403
      else
        client = OAuth2::Provider.client_class.create_or_reset_from_manifest!(manifest, public_key)

--- a/spec/controllers/authorizations_controller_spec.rb
+++ b/spec/controllers/authorizations_controller_spec.rb
@ -75,6 +75,13 @@ describe AuthorizationsController do
        response.body.blank?.should be_false
      end

+      it 'renders something for cubbies ' do
+        prepare_manifest("https://www.cubbi.es/")
+        @controller.stub!(:verify).and_return('ok')
+        post :token,  @params_hash
+        response.body.blank?.should be_false
+      end
+      
      it 'renders something for localhost' do
        prepare_manifest("http://localhost:3423/")
        @controller.stub!(:verify).and_return('ok')
@ -86,7 +93,8 @@ describe AuthorizationsController do
        prepare_manifest("http://myspace.com")
        @controller.stub!(:verify).and_return('ok')
        post :token,  @params_hash
-        response.body.blank?.should be_true
+        response.code.should == "403"
+        response.body.should include("http://myspace.com")
      end
    end