gitpod-io
diff --git a/‎package.json
Lines changed: 3 additions & 0 deletions b/‎package.json
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/vs/server/node/auth.ts
Lines changed: 23 additions & 49 deletions b/‎src/vs/server/node/auth.ts
Lines changed: 23 additions & 49 deletions
diff --git a/‎src/vs/server/node/http.ts
Lines changed: 7 additions & 29 deletions b/‎src/vs/server/node/http.ts
Lines changed: 7 additions & 29 deletions
@@ -62,6 +62,7 @@
     "argon2": "^0.28.2",
     "applicationinsights": "1.0.8",
     "chokidar": "3.5.1",
+    "cookie-parser": "^1.4.5",
     "express": "^4.17.1",
     "graceful-fs": "4.2.6",
     "http-proxy-agent": "^2.1.0",
@@ -97,9 +98,11 @@
     "@types/applicationinsights": "0.20.0",
     "@types/chokidar": "2.1.3",
     "@types/cookie": "^0.3.3",
+    "@types/cookie-parser": "^1.4.2",
     "@types/copy-webpack-plugin": "^6.0.3",
     "@types/cssnano": "^4.0.0",
     "@types/debug": "4.1.5",
+    "@types/express": "^4.17.13",
     "@types/graceful-fs": "4.1.2",
     "@types/gulp-postcss": "^8.0.0",
     "@types/http-proxy-agent": "^2.0.1",
 
@@ -1,8 +1,7 @@
-import * as http from 'http';
 import * as crypto from 'crypto';
 import * as argon2 from 'argon2';
+import * as express from 'express';
 import { ServerParsedArgs } from 'vs/server/node/args';
-import { serveError } from 'vs/server/node/http';
 
 /** Ensures that the input is sanitized by checking
  * - it's a string
@@ -15,51 +14,24 @@ export function sanitizeString(str: string): string {
 	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
 }
 
-export const ensureAuthenticated = async (args: ServerParsedArgs, req: http.IncomingMessage, res: http.ServerResponse): Promise<boolean> => {
-	const isAuthenticated = await authenticated(args, req);
-	if (!isAuthenticated) {
-		serveError(req, res, 401, 'Unauthorized');
-	}
-	return isAuthenticated;
-};
-
 /**
  * Return true if authenticated via cookies.
  */
-export const authenticated = async (args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> => {
+export const authenticated = async (args: ServerParsedArgs, req: express.Request): Promise<boolean> => {
 	if (!args.password && !args.hashedPassword) {
 		return true;
 	}
 	const passwordMethod = getPasswordMethod(args.hashedPassword);
-	const cookies = parseCookies(req);
 	const isCookieValidArgs: IsCookieValidArgs = {
 		passwordMethod,
-		cookieKey: sanitizeString(cookies.key),
+		cookieKey: sanitizeString(req.cookies.key),
 		passwordFromArgs: args.password || '',
 		hashedPasswordFromArgs: args.hashedPassword,
 	};
 
 	return await isCookieValid(isCookieValidArgs);
 };
 
-function parseCookies(request: http.IncomingMessage): Record<string, string> {
-	const cookies: Record<string, string> = {},
-		rc = request.headers.cookie;
-
-	// eslint-disable-next-line code-no-unused-expressions
-	rc && rc.split(';').forEach(cookie => {
-		let parts = cookie.split('=');
-		if (parts.length > 0) {
-			const name = parts.shift()!.trim();
-			let value = decodeURI(parts.join('='));
-			value = value.substring(1, value.length - 1);
-			cookies[name] = value;
-		}
-	});
-
-	return cookies;
-}
-
 export type PasswordMethod = 'ARGON2' | 'PLAIN_TEXT';
 
 /**
@@ -88,7 +60,7 @@ type HandlePasswordValidationArgs = {
 	/** The PasswordMethod */
 	passwordMethod: PasswordMethod
 	/** The password provided by the user */
-	passwordFromRequestBody: string
+	passwordFromRequestBody: string | undefined
 	/** The password set in PASSWORD or config */
 	passwordFromArgs: string | undefined
 	/** The hashed-password set in HASHED_PASSWORD or config */
@@ -174,24 +146,26 @@ export async function handlePasswordValidation({
 		hashedPassword: '',
 	};
 
-	switch (passwordMethod) {
-		case 'PLAIN_TEXT': {
-			const isValid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
-			passwordValidation.isPasswordValid = isValid;
-
-			const hashedPassword = await hash(passwordFromRequestBody);
-			passwordValidation.hashedPassword = hashedPassword;
-			break;
-		}
-		case 'ARGON2': {
-			const isValid = await isHashMatch(passwordFromRequestBody, hashedPasswordFromArgs || '');
-			passwordValidation.isPasswordValid = isValid;
-
-			passwordValidation.hashedPassword = hashedPasswordFromArgs || '';
-			break;
+	if (passwordFromRequestBody) {
+		switch (passwordMethod) {
+			case 'PLAIN_TEXT': {
+				const isValid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
+				passwordValidation.isPasswordValid = isValid;
+
+				const hashedPassword = await hash(passwordFromRequestBody);
+				passwordValidation.hashedPassword = hashedPassword;
+				break;
+			}
+			case 'ARGON2': {
+				const isValid = await isHashMatch(passwordFromRequestBody, hashedPasswordFromArgs || '');
+				passwordValidation.isPasswordValid = isValid;
+
+				passwordValidation.hashedPassword = hashedPasswordFromArgs || '';
+				break;
+			}
+			default:
+				break;
 		}
-		default:
-			break;
 	}
 
 	return passwordValidation;
 
@@ -1,8 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
-import * as http from 'http';
 import { ILogService } from 'vs/platform/log/common/log';
-import { parse } from 'querystring';
+import { Request, Response } from 'express';
 
 // TODO is it enough?
 const textMimeType = new Map([
@@ -33,26 +32,7 @@ export function getMediaMime(forPath: string): string | undefined {
 	return mapExtToMediaMimes.get(ext.toLowerCase());
 }
 
-export function collectRequestData(request: http.IncomingMessage): Promise<Record<string, string>> {
-	return new Promise(resolve => {
-		const FORM_URLENCODED = 'application/x-www-form-urlencoded';
-		if (request.headers['content-type'] === FORM_URLENCODED) {
-			let body = '';
-			request.on('data', chunk => {
-				body += chunk.toString();
-			});
-			request.on('end', () => {
-				const item = parse(body) as Record<string, string>;
-				resolve(item);
-			});
-		}
-		else {
-			resolve({});
-		}
-	});
-}
-
-export async function serveFile(logService: ILogService, req: http.IncomingMessage, res: http.ServerResponse, filePath: string, responseHeaders: http.OutgoingHttpHeaders = {}) {
+export async function serveFile(logService: ILogService, req: Request, res: Response, filePath: string) {
 	try {
 
 		// Sanity checks
@@ -63,15 +43,13 @@ export async function serveFile(logService: ILogService, req: http.IncomingMessa
 		// Check if file modified since
 		const etag = `W/"${[stat.ino, stat.size, stat.mtime.getTime()].join('-')}"`; // weak validator (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag)
 		if (req.headers['if-none-match'] === etag) {
-			res.writeHead(304);
+			res.status(304);
 			return res.end();
 		}
 
-		// Headers
-		responseHeaders['Content-Type'] = textMimeType.get(path.extname(filePath)) || getMediaMime(filePath) || 'text/plain';
-		responseHeaders['Etag'] = etag;
-
-		res.writeHead(200, responseHeaders);
+		res.header('Content-Type', textMimeType.get(path.extname(filePath)) || getMediaMime(filePath) || 'text/plain');
+		res.header('Etag', etag);
+		res.status(200);
 
 		// Data
 		fs.createReadStream(filePath).pipe(res);
@@ -82,7 +60,7 @@ export async function serveFile(logService: ILogService, req: http.IncomingMessa
 	}
 }
 
-export function serveError(req: http.IncomingMessage, res: http.ServerResponse, errorCode: number, errorMessage: string): void {
+export function serveError(req: Request, res: Response, errorCode: number, errorMessage: string): void {
 	res.writeHead(errorCode, { 'Content-Type': 'text/plain' });
 	res.end(errorMessage);
 }