misc: add referer checker and csp header (#68)

* misc: add referer checker and csp header

* chore: add tests

src/server/index.js

@@ -8,6 +8,7 @@ const notificationRoute = require('./routes/notification');
 const viewRoute = require('./routes/view');
 const constants = require('./lib/constants');
 const { checkAuth } = require('./middlewares/auth');
+const { refererChecker } = require('./lib/refererChecker');
 
 const app = express()
 app.use(morgan(function (tokens, req, res) {
@@ -48,14 +49,14 @@ app.get(constants.route.forClient.CLIENT_SETUP, viewRoute.setup);
 // authorization
 app.get(constants.route.forClient.OPEN_AUTH_PAGE, authorizationRoute.openAuthPage);
 app.get(constants.route.forThirdParty.AUTH_CALLBACK, authorizationRoute.oauthCallback);
-app.get(constants.route.forClient.GET_USER_INFO, checkAuth, authorizationRoute.getUserInfo);
-app.post(constants.route.forClient.GENERATE_TOKEN, authorizationRoute.generateToken);
+app.get(constants.route.forClient.GET_USER_INFO, refererChecker, checkAuth, authorizationRoute.getUserInfo);
+app.post(constants.route.forClient.GENERATE_TOKEN, refererChecker, authorizationRoute.generateToken);
 // revoke
-app.post(constants.route.forClient.REVOKE_TOKEN, authorizationRoute.revokeToken);
+app.post(constants.route.forClient.REVOKE_TOKEN, refererChecker, authorizationRoute.revokeToken);
 // configure
-app.post(constants.route.forClient.SUBSCRIBE, subscriptionRoute.subscribe);
-app.delete(constants.route.forClient.SUBSCRIBE, subscriptionRoute.deleteSubscription);
-app.get(constants.route.forClient.GET_FORM_DATA, checkAuth, subscriptionRoute.getFormData);
+app.post(constants.route.forClient.SUBSCRIBE, refererChecker, subscriptionRoute.subscribe);
+app.delete(constants.route.forClient.SUBSCRIBE, refererChecker, subscriptionRoute.deleteSubscription);
+app.get(constants.route.forClient.GET_FORM_DATA, refererChecker, checkAuth, subscriptionRoute.getFormData);
 // notification
 app.post(constants.route.forThirdParty.NOTIFICATION, notificationRoute.notification);
 // Home page

src/server/lib/constants.js

@@ -19,5 +19,8 @@ const icon = {
   LOGO: 'https://raw.githubusercontent.com/ringcentral/google-forms-notification-add-in/main/icons/logo.png',
 };
 
+const IFRAME_HOST_DOMAINS = "https://*.ringcentral.com https://*.ringcentral.biz https://*.glip.com https://*.glip.net https://glip.com https://*.labs.ringcentral.com http://*.integration.ringcentral.com http://*.devtest.ringcentral.com https://*.unifyoffice.com https://*.officeathand.att.com https://*.cloudoffice.avaya.com https://*.cloudwork.bt.com https://*.rainbowoffice.com https://*.businessconnect.telus.com https://*.vodafonebusiness.ringcentral.com";
+
 exports.route = route;
 exports.icon = icon;
+exports.IFRAME_HOST_DOMAINS = IFRAME_HOST_DOMAINS;

src/server/lib/refererChecker.js

@@ -0,0 +1,34 @@
+function getOrigin(uri) {
+  if (!uri) {
+    return null;
+  }
+  const url = new URL(uri);
+  return url.origin;
+}
+
+const KNOWN_REFERER_HOSTS = [
+  getOrigin(process.env.APP_SERVER),
+];
+
+function refererChecker(req, res, next) {
+  const referrer = req.get('Referer');
+  if (!referrer) {
+    res.status(403).send('No Referer');
+    return;
+  }
+  const referrerOrigin = getOrigin(referrer);
+  if (
+    KNOWN_REFERER_HOSTS.find(host => {
+      if (!host) {
+        return false;
+      }
+      return host === referrerOrigin;
+    })
+  ) {
+    next();
+    return;
+  }
+  res.status(403).send('Invalid Referer');
+};
+
+exports.refererChecker = refererChecker;

src/server/routes/view.js

@@ -5,6 +5,7 @@ const constants = require('../lib/constants');
 
 async function setup(req, res) {
   const rcWebhookUri = req.query.webhook;
+  res.set('Content-Security-Policy', `frame-ancestors 'self' ${constants.IFRAME_HOST_DOMAINS};`);
   res.render('setup', {
     assetsPath: process.env.ASSETS_PATH,
     data: {