adds server-validated white-list rethinkdb queries

DimensionSoftware · Aug 29, 2016 · 7025111 · 7025111
1 parent eb6870e
commit 7025111
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 22 deletions.
diff --git a/server/App.ls b/server/App.ls
@@ -22,16 +22,17 @@ require! {
 pe  = new PrettyError!
 env = process.env.NODE_ENV or \development
 
-# connect to rethinkdb
-[keys, db, db-host, db-port, http-path] =
-  [[process.env.npm_package_config_keys_0         or \AEeaEUA3152589], # XXX only using first
+[keys, db, db-host, db-port] =
+  [process.env.npm_package_config_keys_0          or \AEeaEUA3152589],
    process.env.npm_package_config_database        or \test,
    process.env.npm_package_config_domain          or \develop.com,
-   process.env.npm_package_config_rethinkdb_port  or 28015,
-   '/db']
-connection = rethinkdb {db, db-host, db-port}
-store      = new mw.rethinkdb-koa-session {connection, db}
-co <| init-rethinkdb db, connection # init rethinkdb tables & indexes
+   process.env.npm_package_config_rethinkdb_port  or 28015
+
+# connect to rethinkdb
+connection       = rethinkdb {db, db-host, db-port}
+store            = new mw.rethinkdb-koa-session {connection, db}
+global.run-query = -> connection.db db # for whitelist, etc...
+co <| init-rethinkdb db, connection    # init rethinkdb tables & indexes
 
 ### App's purpose is to abstract instantiation from starting & stopping
 module.exports =

diff --git a/server/query-whitelist.ls b/server/query-whitelist.ls
@@ -3,20 +3,61 @@ require! {
   \rethinkdb-websocket-server : {r, RP}
 }
 
+# XXX rethinkdb-websocket-server uses Promises
+
 module.exports = [
+  # everyone table
+  r.table \everyone
+    .order-by {index: (r.desc \date)}
+    .changes {+include-states, +include-initial}
+  r.table \everyone # new TODO
+    .insert (refs [\name \title \completed \date])
+    .validate session-name
+  r.table \everyone # update TODO
+    .get (RP.ref \id)
+    .update (refs [\completed \date \id \name \title])
+    .validate session-name
+  r.table \everyone
+    .get (RP.ref \id)
+    .update (refs [\completed \date \id \name \title \completed-at])
+    .validate session-name
+
+  # session table
   r.table \sessions
-    .filter {sid: RP.ref \sid}
-    .validate (({sid}, session) -> session.sid === sid)
+    .get (RP.ref \sid)
+    .changes {+include-states, +include-initial}
   r.table \sessions
     .changes {+include-states, +include-initial}
-    .validate (({sid}, session) -> console.log \sid: sid, \ref: (RP.ref \sid), \session: session; session.sid === sid)
-#  // List moves for a game with changefeed
-#  RQ(
-#    RQ.CHANGES(
-#      RQ.FILTER(
-#        RQ.TABLE("moves"),
-#        {"gameId": x => typeof x === 'string'}
-#      )
-#    ).opt("include_states", true).opt("include_initial", true)
-#  ).opt("db", RQ.DB(cfg.dbName)),
+    .validate session-id
+  r.table \sessions # add TODO
+    .get (RP.ref \id)
+    .update (refs [\cookie \id \onPage \sid \todos])
+    .validate session-auth-token
+  r.table \sessions # update TODO
+    .get (RP.ref \id)
+    .update (refs [\cookie \id \onPage \sid \name \todos])
+    .validate session-auth-token
+  r.table \sessions # update name
+    .get (RP.ref \id)
+    .update (refs [\cookie \id \onPage \sid \name])
+    .validate session-auth-token
+  r.table \sessions
+    .filter {sid: RP.ref \sid}
+    .validate session-id
 ]
+
+function session-id {sid} session
+  session.sid is sid
+
+function session-auth-token {sid}, {auth-token}:rethinkdb-session
+  console.log sid, auth-token
+  auth-token is sid
+
+function session-name {name}, {auth-token}:rethinkdb-session
+  [session] <- run-query!table \sessions .get-all auth-token, {index: \sid} .then
+  session.name ||= \Anonymous is name
+
+function refs names=[]
+  prev, cur <- fold _, {} names
+  prev[cur] = RP.ref cur
+  prev
diff --git a/shared/features.ls b/shared/features.ls
@@ -19,5 +19,5 @@ module.exports = {
   +static-assets    # disable to run in a separate process
   offline: false    # disable offline unless necessary (prevent glorious caching)
 
-  unsafely-allow-any-query: dev # when true, whitelist is used
+  unsafely-allow-any-query: dev # when true, whitelist is used to server-validate rethinkdb queries
 }
diff --git a/shared/react/App.ls b/shared/react/App.ls
@@ -36,7 +36,7 @@ module.exports = component \App (props) ->
     props.get-in [\locals \domain]
   port = if window?location.port then that else (if secure then 443 else 80)
   unless global.RethinkSession then global.RethinkSession = new Session!
-    ..connect {host, port, secure, path: '/db', auto-reconnect-delay-ms: 2000ms}
+    ..connect {host, port, secure, path: '/db', auto-reconnect-delay-ms: 1500ms}
     ..once-done-loading ~>
       # XXX on server, response already sent without session