Implement http login on subreddit cnames.

r2/r2/controllers/api.py

@@ -364,12 +364,19 @@ class ApiController(RedditController):
             responder._send_data(modhash = user.modhash())
             responder._send_data(cookie  = user.make_cookie())
 
-    @cross_domain([g.origin, g.https_endpoint], allow_credentials=True)
+    @cross_domain(g.trusted_origins, allow_credentials=True)
+    def POST_login(self, *args, **kwargs):
+        return self._handle_login(*args, **kwargs)
+
+    @cross_domain(g.trusted_origins, allow_credentials=True)
+    def POST_register(self, *args, **kwargs):
+        return self._handle_register(*args, **kwargs)
+
     @validatedForm(VDelay("login"),
                    user = VLogin(['user', 'passwd']),
                    username = VLength('user', max_length = 100),
                    rem    = VBoolean('rem'))
-    def POST_login(self, form, responder, user, username, rem):
+    def _handle_login(self, form, responder, user, username, rem):
         if responder.has_errors('vdelay', errors.RATELIMIT):
             return
 
@@ -381,14 +388,13 @@ class ApiController(RedditController):
         if not responder.has_errors("passwd", errors.WRONG_PASSWORD):
             self._login(responder, user, rem)
 
-    @cross_domain([g.origin, g.https_endpoint], allow_credentials=True)
     @validatedForm(VCaptcha(),
                    VRatelimit(rate_ip = True, prefix = "rate_register_"),
                    name = VUname(['user']),
                    email = ValidEmails("email", num = 1),
                    password = VPassword(['passwd', 'passwd2']),
                    rem = VBoolean('rem'))
-    def POST_register(self, form, responder, name, email,
+    def _handle_register(self, form, responder, name, email,
                       password, rem):
         bad_captcha = responder.has_errors('captcha', errors.BAD_CAPTCHA)
         if not (responder.has_errors("user", errors.BAD_USERNAME,

r2/r2/controllers/post.py

@@ -173,10 +173,9 @@ class PostController(ApiController):
                                            msg_hash = msg_hash)).render()
 
 
-    @cross_domain([g.origin, g.https_endpoint], allow_credentials=True)
     @validate(dest = VDestination(default = "/"))
     def POST_login(self, dest, *a, **kw):
-        ApiController.POST_login(self, *a, **kw)
+        ApiController._handle_login(self, *a, **kw)
         c.render_style = "html"
         c.response_content_type = ""
 
@@ -186,10 +185,9 @@ class PostController(ApiController):
 
         return self.redirect(dest)
 
-    @cross_domain([g.origin, g.https_endpoint], allow_credentials=True)
     @validate(dest = VDestination(default = "/"))
     def POST_reg(self, dest, *a, **kw):
-        ApiController.POST_register(self, *a, **kw)
+        ApiController._handle_register(self, *a, **kw)
         c.render_style = "html"
         c.response_content_type = ""
 

r2/r2/lib/app_globals.py

@@ -289,6 +289,8 @@ class Globals(object):
         if self.https_endpoint:
             self.secure_domains.add(urlparse(self.https_endpoint).netloc)
 
+        self.trusted_origins = [self.origin, self.https_endpoint] + ['http://' + cname for cname in self.authorized_cnames]
+
         # load the unique hashed names of files under static
         static_files = os.path.join(self.paths.get('static_files'), 'static')
         names_file_path = os.path.join(static_files, 'names.json')

r2/r2/lib/pages/pages.py

@@ -454,7 +454,7 @@ class LoginFormWide(CachedTemplate):
     """generates a login form suitable for the 300px rightbox."""
     def __init__(self):
         self.cname = c.cname
-        self.auth_cname = not c.frameless_cname or c.authorized_cname
+        self.auth_cname = c.authorized_cname
         CachedTemplate.__init__(self)
 
 class SubredditInfoBar(CachedTemplate):

r2/r2/public/static/js/login.js

@@ -1,5 +1,11 @@
 r.login = {
     post: function(form, action, callback) {
+        if (r.config.cnameframe && !r.config.https_endpoint) {
+            form.$el.unbind()
+            form.$el.submit()
+            return
+        }
+
         var username = $('input[name="user"]', form.$el).val(),
             endpoint = r.config.https_endpoint || ('http://'+r.config.ajax_domain),
             sameOrigin = location.protocol+'//'+location.host == endpoint,

r2/r2/templates/login.html

@@ -44,9 +44,12 @@
 %endif
 
 <%def name="login_form(register=False, user='', dest='', include_tos=True)">
-  <% op = "reg" if register else "login" %>
+  <%
+    op = "reg" if register else "login"
+    base = g.https_endpoint if not c.cname else ''
+  %>
   <form id="login_${op}" method="post" 
-        action="${add_sr(g.https_endpoint + '/post/' + op, nocname = True)}"
+        action="${add_sr(base + '/post/' + op, nocname=not c.authorized_cname)}"
         class="user-form ${'register-form' if register else 'login-form'}">
     %if c.cname:
        <input type="hidden" name="${UrlParser.cname_get}" 

r2/r2/templates/loginformwide.html

@@ -27,9 +27,12 @@
 
 <%namespace file="utils.html" import="error_field"/>
 
-<% op = "login-main" %>
+<%
+  op = "login-main"
+  base = g.https_endpoint if not thing.cname else ''
+%>
 <form method="post"
-      action="${add_sr(g.https_endpoint + '/post/login', nocname = True)}"
+      action="${add_sr(base + '/post/login', nocname=not thing.auth_cname)}"
       id="login_${op}"
       class="login-form login-form-side">
   %if thing.cname:

r2/r2/templates/utils.html

@@ -365,6 +365,7 @@ ${unsafe(txt)}
 <%def name="js_preamble()">
   <%
      from r2.lib.template_helpers import get_domain
+     use_https_endpoint = request.host == g.domain or request.host.endswith("." + g.domain)
    %>
    r = {};
    r.config = reddit = {
@@ -386,7 +387,7 @@ ${unsafe(txt)}
       /* where do ajax request go? */
       ajax_domain: "${get_domain(cname=c.authorized_cname, subreddit = False)}",
       extension: '${c.extension}',
-      https_endpoint: "${g.https_endpoint}",
+      https_endpoint: '${g.https_endpoint if use_https_endpoint else ""}',
       /* debugging? */
       debug: ${"true" if g.debug else "false"}, 
       vl: {},