diff --git a/Parse-Dashboard/index.js b/Parse-Dashboard/index.js
index 3b2ed4f524..faec9183e3 100644
--- a/Parse-Dashboard/index.js
+++ b/Parse-Dashboard/index.js
@@ -120,13 +120,27 @@ p.then(config => {
 auth = basicAuth(req);
 }
+ // On platforms with certain routing setups, all requests may appear as
+ // localhost requests. Use the X-FORWARDED-FOR header to obtain the IP
+ // of the original sender of the request.
+ const remoteAddress =
+ req.headers['x-forwarded-for'] ||
+ req.connection.remoteAddress;
+
+ // Similarly as above, TLS termination is somtimes done far before the app server and
+ // so we need to use the original request information via X-FORWARDED-PROTO.
+ const isSecure =
+ (req.headers['x-forwarded-proto'] && req.headers['x-forwarded-proto'] === 'https') ||
+ req.secure;
+
 //Based on advice from Doug Wilson here:
 //https://github.com/expressjs/express/issues/2518
 const requestIsLocal =
- req.connection.remoteAddress === '127.0.0.1' ||
- req.connection.remoteAddress === '::ffff:127.0.0.1' ||
- req.connection.remoteAddress === '::1';
- if (!requestIsLocal && !req.secure && !allowInsecureHTTP) {
+ remoteAddress === '127.0.0.1' ||
+ remoteAddress === '::ffff:127.0.0.1' ||
+ remoteAddress === '::1';
+
+ if (!requestIsLocal && !isSecure && !allowInsecureHTTP) {
 //Disallow HTTP requests except on localhost, to prevent the master key from being transmitted in cleartext
 return res.send({ success: false, error: 'Parse Dashboard can only be remotely accessed via HTTPS' });
 }
diff --git a/package.json b/package.json
index 0137b2e484..25f19da1db 100644
--- a/package.json
+++ b/package.json
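Review bot: Both `x-forwarded-for` and `x-forwarded-proto` are read straight from the request headers, so any client can send `X-Forwarded-Proto: https` or `X-Forwarded-For: 127.0.0.1` and the guard on the `if (!requestIsLocal && !isSecure && !allowInsecureHTTP)` line no longer blocks a plain-HTTP request; the headers are only meaningful when they were set by a proxy the deployer controls. Express already covers this through its `trust proxy` setting, which makes `req.ip` and `req.secure` honor the forwarded headers only from the configured proxy addresses, so with `app.set('trust proxy', <proxy address or subnet>)` where the app is created the two lookups collapse to `const remoteAddress = req.ip;` and `const isSecure = req.secure;`. `req.ip` also parses a comma-separated `X-Forwarded-For` chain instead of comparing the whole header string, which the current equality against `'127.0.0.1'` would never match once more than one proxy is involved. The comment above `const isSecure` has a typo, `somtimes`. The enclosing request handler starts and ends outside the hunk.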
@@ -28,28 +28,25 @@
 "LICENSE"
 ],
 "dependencies": {
- "basic-auth": "^1.0.3",
- "commander": "^2.9.0",
- "express": "^4.13.4",
- "json-file-plus": "^3.2.0",
- "package-json": "^2.3.1"
- },
- "devDependencies": {
 "babel-core": "~5.8.12",
 "babel-loader": "~5.3.0",
 "babel-plugin-remove-proptypes": "~1.0.0",
 "babel-polyfill": "^6.7.2",
 "babel-runtime": "~5.8.25",
 "css-loader": "~0.18.0",
+ "babel-runtime": "~5.8.25",
+ "basic-auth": "^1.0.3",
+ "css-loader": "~0.18.0",
+ "commander": "^2.9.0",
+ "express": "^4.13.4",
 "file-loader": "^0.8.5",
- "history": "~1.9.1",
- "http-server": "~0.8.5",
 "immutable": "~3.7.5",
 "immutable-devtools": "~0.0.4",
- "jest-cli": "^0.7.1",
+ "json-file-plus": "^3.2.0",
 "js-beautify": "~1.5.0",
 "marked": "^0.3.5",
 "node-sass": "~3.4.2",
+ "package-json": "^2.3.1",
 "parse": "1.6.14",
 "prismjs": "~1.2.0",
 "react": "^0.14.0",
@@ -61,17 +58,24 @@
 "sass-loader": "~3.1.2",
 "style-loader": "~0.12.3",
 "svg-prep": "~1.0.0",
- "transform-jest-deps": "^2.1.0",
 "webpack": "~1.12.0"
 },
+ "devDependencies": {
+ "history": "~1.9.1",
+ "http-server": "~0.8.5",
+ "jest-cli": "^0.7.1",
+ "transform-jest-deps": "^2.1.0"
+ },
 "scripts": {
 "dev": "node ./Parse-Dashboard/index.js & webpack --config webpack/build.config.js --devtool eval-source-map --progress --watch",
 "dashboard": "node ./Parse-Dashboard/index.js & webpack --config webpack/build.config.js --progress --watch",
+ "dist": "npm run build && cp -r production/bundles Parse-Dashboard/public/bundles",
 "pig": "http-server ./PIG -p 4041 -s & webpack --config webpack/PIG.config.js --progress --watch",
 "build": "NODE_ENV=production webpack --config webpack/production.config.js && webpack --config webpack/PIG.config.js",
 "test": "NODE_PATH=./node_modules jest",
 "generate": "node scripts/generate.js",
 "prepublish": "webpack --config webpack/publish.config.js --progress",
+ "postinstall": "if [ -n \"$POST_INSTALL_BUILD\" ]; then npm run dist; fi",
 "start": "node ./Parse-Dashboard/index.js"
 },
 "bin": {
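Review bot: The `dependencies` block now lists `babel-runtime` and `css-loader` twice: the existing `"babel-runtime": "~5.8.25",` and `"css-loader": "~0.18.0",` context lines are kept and the same two entries are added again directly below them. Duplicate keys parse without error but the later value silently wins, so a future version bump of only one copy would be ignored, and the re-added `css-loader` line also breaks the alphabetical order the rest of the block keeps by landing before `commander`. Drop the two re-added lines and leave `basic-auth`, `commander` and `express` in their sorted positions. Moving the whole webpack and Babel toolchain from `devDependencies` into `dependencies` means every consumer install pulls it in, which looks intended for the `postinstall` build in the next hunk; that intent is worth a sentence in the README so the move is not reverted as a mistake.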
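Review bot: The added `postinstall` script, `if [ -n \"$POST_INSTALL_BUILD\" ]; then npm run dist; fi`, is POSIX shell and `dist` relies on `cp -r`, so on a Windows host where npm runs scripts through cmd.exe the hook fails and aborts the install even when `POST_INSTALL_BUILD` is unset. A lifecycle hook that runs the full webpack build on the consumer's machine also changes what `npm install` executes for anyone who sets that variable, so the variable and what `dist` writes into `Parse-Dashboard/public/bundles` should be documented next to the script, e.g. in the README. `cp -r production/bundles Parse-Dashboard/public/bundles` overlays the target without clearing it, so files from an earlier build that the new build no longer emits would presumably remain; removing the target first, or replacing both scripts with a small Node copy script for portability, avoids that.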