Question

Having a tough time doing a simple web site in EJS.

I have this set up in my server file:

    //Use the .html extension instead of having to name the views as *.ejs
    server.engine('.html', require('ejs').__express);

    // This avoids having to provide the extension to res.render()
    server.set('view engine', 'html');

    //set up directory to serve css and javascript files
    server.use(Express.static(__dirname, '/views'));

This works great. I have HTML files, I have graphics, I have CSS. I am serving it up with a simple controller that renders the page. Nothing dynamic in these pages. But I do want them protected with an id/password system, and only served up through Express.

The access works fine, I have an end point set up to serve them. I'm forcing login in that end point. But the problem is that if someone knows the actual path to those files, they can get at them. So, the access is localhost:8081/admin/documentation/. However, the files are at /views/app_documents. And by entering localhost:8081/views/app_documents/file_name.html, they can download/view the content without going through my controls. I moved the content out of views, and grab it in my code, and serve it up, but that doesn't work for images or CSS.

Any suggestions for how to get around this?


Solution 2

In case anyone else wants to do this, took a while. There are a few problems, as you still need to be able to directly access JS libraries, images and CSS. I found my answer in enter link description here.

The following modifications to that code do the trick. UserIsAllowed checks my permissions system to see if they can access that folder. If they can, no harm, off you go. Otherwise, kill the attempt. They get ACCESS_DENIED back as a string. I can't just kill anyone not going through my code, because then the CSS and images would not work. But this functions nicely. I now am able to serve up content based on my custom permissions system, which is part of a bunch of other administration functions. I can also have multiple different areas based on the URL that are protected by different privileges.

    var _ = require('underscore'); // provides _.contains (alias of _.includes)

    // This function returns a middleware function. It checks to see if the user has access
    var protectPath = function(regex)
    {
        return function(request, response, next)
        {
            // Requests that do not match the protected pattern (CSS, images, JS) pass straight through
            if (!regex.test(request.url)) { return next(); }

            userIsAllowed(regex, function(allowed)
            {
                if (allowed)
                {
                    next(); // send the request to the next handler, which is express.static
                }
                else
                {
                    response.end('ACCESS_DENIED');
                }
            });

            // request.session is populated by express-session; admin_me holds the logged-in admin.
            // The URL is tested again here rather than a fixed string, which an anchored pattern
            // such as /^\/documentation_website\/.*$/ would never match.
            function userIsAllowed(regex, callback) {
                if (regex.test(request.url) && request.session && request.session.admin_me && _.contains(request.session.admin_me["privileges"], "view_server_documentation")) callback(true);
                else callback(false);
            }
        };
    };

    server.use(protectPath(/^\/documentation_website\/.*$/));

Other tips

Well, the things you find out after the fact.

This:

    server.use(Express.static(__dirname, '/views'));

Is very bad. It should be:

    server.use(Express.static('./views'));

The way it was, you could download our code, also. So, server.js was available for download. Yikes.

Live and learn.

Still can download the content without going through my authentication, though.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow