Commit

fix #84 Only supply credentials to Portal if password came as plaintext from settings
gjsjohnmurray committed Apr 28, 2021
1 parent 44a4e18 commit 848b710
Showing 2 changed files with 15 additions and 10 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,6 @@
## 2.0.3 (28-Apr-2021)
* Only supply credentials to Portal if password came as plaintext from settings (#84).

## 2.0.2 (22-Apr-2021)
* Support <kbd>Alt</kbd> / <kbd>Option</kbd> modifier on Edit and View buttons to add workspace folder for server-side web application files.
* Add newly defined server to the 'Recent' list.
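Review bot: the 2.0.3 entry says when credentials are supplied but not what changes for everyone else. Consider adding that a server whose password is not stored as plaintext in settings now opens Portal with no credentials in the URL at all (the code change also stops sending the username on its own), so those users should expect Portal's own login prompt.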
22 changes: 12 additions & 10 deletions src/api/getPortalUriWithCredentials.ts
@@ -1,6 +1,6 @@
import * as vscode from 'vscode';
import { Uri } from 'vscode';
import { extensionId } from '../extension';
import { extensionId, ServerSpec } from '../extension';

export async function getPortalUriWithCredentials(name: string, scope?: vscode.ConfigurationScope): Promise<Uri | undefined> {

Expand All @@ -10,22 +10,24 @@ export async function getPortalUriWithCredentials(name: string, scope?: vscode.C
if (typeof spec !== 'undefined') {
const webServer = spec.webServer;
let queryString = '';

// We can only pass credentials in cleartext as a queryparam, so only do this if user was willing to store password in cleartext in settings.
const settingsSpec: ServerSpec | undefined = vscode.workspace.getConfiguration('intersystems.servers', scope).get(name);
spec.password = settingsSpec?.password;

// At this point we don't know if the target is IRIS or Cache, so add credentials in both formats.
// Deliberately put password before username, otherwise it is visible in VS Code's confirmation dialog triggered target domain
// hasn't been set as trusted. Likewise, deliberately put IRIS* after Cache*
if (spec?.password) {
if (spec?.password && spec?.username) {
// At this point we don't know if the target is IRIS or Cache, so add credentials in both formats.
// Deliberately put password before username, otherwise it is visible in VS Code's confirmation dialog triggered target domain
// hasn't been set as trusted. Likewise, deliberately put IRIS* after Cache*
const passwordEncoded = encodeURIComponent(spec.password);
queryString += `&CachePassword=${passwordEncoded}&IRISPassword=${passwordEncoded}`;
}
if (spec?.username) {
const usernameEncoded = encodeURIComponent(spec.username);
queryString += `&CacheUsername=${usernameEncoded}&IRISUsername=${usernameEncoded}`;

// Add a cache-buster and push any credentials offscreen
queryString = '_=' + new Date().getTime().toString().padEnd(480,' ') + queryString;
}

// Add a dummy cache-buster and push the actual credentials offscreen
queryString = '_=' + new Date().getTime().toString().padEnd(480,' ') + queryString;

return vscode.Uri.parse(`${webServer.scheme}://${webServer.host}:${webServer.port}${webServer.pathPrefix}/csp/sys/UtilHome.csp?${queryString}`, true);
}
})
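Review bot: the cache-buster assignment now sits inside the `if (spec?.password && spec?.username)` block, so whenever settings hold no plaintext password `queryString` stays empty and the returned URI ends in `UtilHome.csp?` with no `_=` parameter. If the cache-buster is still wanted in the credential-free case, keep a short `_=` timestamp outside the block and apply `padEnd(480,' ')` only when credentials follow. Separately, `spec.password = settingsSpec?.password;` overwrites the field on `spec` in place; reading it into a local constant and testing that instead would leave the resolved spec untouched. The comment above that line could also state that the padding and parameter ordering only keep the password out of the confirmation dialog, since the value still travels in the URL in cleartext; the comment is also missing a word in "dialog triggered target domain hasn't been set as trusted".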