[integrity][vulnerability] Issue #310 Client certificate authentication for all Validation Service/Console requests (Note: Validation Service/Coneole is still a skeleton and non-functional)

t2ym · t2ym · commit 485aab0f93cb · 2019-10-01T12:37:09.000+09:00
diff --git a/demo-backend/validationService.js b/demo-backend/validationService.js
@@ -76,18 +76,12 @@ if (isCLI) {
 
   app
     .use(bodyParser.json())
-    .all(updateAPIPath, (req, res, next) => {
+    .use((req, res, next) => {
       if (req.client.authorized) {
         const peerCert = req.socket.getPeerCertificate();
         if (peerCert.fingerprint256 === fingerprint256) { // only a single client certificate is authenticated
-          let body = req.method === 'POST' ? req.body : null;
-          //console.log('request body: ', JSON.stringify(body, null, 2));
-          updateBrowsers(req, body);
-          let result = {
-            browsers: browsers || {},
-          };
-          res.setHeader('content-type', 'application/json');
-          res.status(200).send(JSON.stringify(result, null, 2));
+          //console.log('client certificate authentication passed for ' + req.url);
+          next();
         }
         else {
           console.error('fingerprints not matched', peerCert.fingerprint256, fingerprint256);
@@ -99,6 +93,16 @@ if (isCLI) {
         res.sendStatus(403);
       }
     })
+    .all(updateAPIPath, (req, res, next) => {
+      let body = req.method === 'POST' ? req.body : null;
+      //console.log('request body: ', JSON.stringify(body, null, 2));
+      updateBrowsers(req, body);
+      let result = {
+        browsers: browsers || {},
+      };
+      res.setHeader('content-type', 'application/json');
+      res.status(200).send(JSON.stringify(result, null, 2));
+    })
     .get('*', express.static(path.resolve(path.join(__dirname, 'validation-console', 'dist')), {}));
 
   switch (mode) {
