From d3ed96f165de7132a667c30f675cd7a240c37993 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 4 Dec 2012 14:39:50 +0100
Subject: [PATCH 01/13] trigger redirect

---
 lib/travis/api/app/endpoint/authorization.rb | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 515c9630..33978479 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -272,6 +272,7 @@ console.log('refusing to send a token to <%= target_origin.inspect %>, not white
   var url = window.location.pathname + '/iframe' + window.location.search;
   var img = document.createElement('img');
   var popUpWindow, timeout;
+  var handshake = location.protocol + "//" + location.host + "/auth/handshake?redirect_uri=";
 
   img.src = "https://third-party-cookies.herokuapp.com/set";
 
@@ -291,6 +292,16 @@ console.log('refusing to send a token to <%= target_origin.inspect %>, not white
 
   function popUp() {
     popUpWindow = window.open(url, 'Signing in...', 'height=400,width=800');
+    return (!popUpWindow || popUpWindow.closed || typeof popUpWindow.closed == 'undefined');
+  }
+
+  function uberParent(win) {
+    return win.parent === win ? win : uberParent(win.parent);
+  }
+
+  function redirect() {
+    win = uberParent(window);
+    win.location = handshake + win.location;
   }
 
   window.addEventListener("message", function(event) {
@@ -307,13 +318,20 @@ console.log('refusing to send a token to <%= target_origin.inspect %>, not white
       iframe();
       timeout = setTimeout(function() {
         console.log('handshake taking too long, creating pop-up');
-        popUp();
+        if(!popUp()) {
+          console.log("pop-up failed, redirecting");
+          redirect();
+        }
       }, 5000);
     } else {
       console.log("third party cookies disabled, creating pop-up");
       if(!popUp()) {
         console.log("pop-up failed, trying iframe anyhow");
         iframe();
+        timeout = setTimeout(function() {
+          console.log('handshake taking too long, redirecting');
+          if(!popUp()) { redirect(); }
+        }, 5000);
       }
     }
   }

From 811aa47098c205f4fabee0a2f5a9e34c4b949d9a Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 5 Dec 2012 14:02:42 +0100
Subject: [PATCH 02/13] rewrite post message login

---
 lib/travis/api/app/endpoint/authorization.rb | 227 ++++++++++++-------
 1 file changed, 145 insertions(+), 82 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 33978479..f23d73ed 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -263,88 +263,7 @@ __END__
 console.log('refusing to send a token to <%= target_origin.inspect %>, not whitelisted!');
 </script>
 
-@@ container
-<!DOCTYPE html>
-<html>
-<body>
-  <script>
-  console.log('welcome to the wonderful world of authentication');
-  var url = window.location.pathname + '/iframe' + window.location.search;
-  var img = document.createElement('img');
-  var popUpWindow, timeout;
-  var handshake = location.protocol + "//" + location.host + "/auth/handshake?redirect_uri=";
-
-  img.src = "https://third-party-cookies.herokuapp.com/set";
-
-  img.onload = function() {
-    var script = document.createElement('script');
-    script.src = "https://third-party-cookies.herokuapp.com/check";
-    window.document.body.appendChild(script);
-  }
-
-  window.document.body.appendChild(img);
-
-  function iframe() {
-    var iframe = document.createElement('iframe');
-    iframe.src = url;
-    window.document.body.appendChild(iframe);
-  }
-
-  function popUp() {
-    popUpWindow = window.open(url, 'Signing in...', 'height=400,width=800');
-    return (!popUpWindow || popUpWindow.closed || typeof popUpWindow.closed == 'undefined');
-  }
-
-  function uberParent(win) {
-    return win.parent === win ? win : uberParent(win.parent);
-  }
-
-  function redirect() {
-    win = uberParent(window);
-    win.location = handshake + win.location;
-  }
-
-  window.addEventListener("message", function(event) {
-    console.log('handshake succeeded, cleaning up');
-    if(event.data === "done") {
-      if(timeout) clearTimeout(timeout);
-      if(popUpWindow && !popUpWindow.closed) popUpWindow.close();
-    }
-  });
-
-  function cookiesCheckCallback(thirdPartyCookiesEnabled) {
-    if(thirdPartyCookiesEnabled) {
-      console.log("third party cookies enabled, creating iframe");
-      iframe();
-      timeout = setTimeout(function() {
-        console.log('handshake taking too long, creating pop-up');
-        if(!popUp()) {
-          console.log("pop-up failed, redirecting");
-          redirect();
-        }
-      }, 5000);
-    } else {
-      console.log("third party cookies disabled, creating pop-up");
-      if(!popUp()) {
-        console.log("pop-up failed, trying iframe anyhow");
-        iframe();
-        timeout = setTimeout(function() {
-          console.log('handshake taking too long, redirecting');
-          if(!popUp()) { redirect(); }
-        }, 5000);
-      }
-    }
-  }
-  </script>
-</body>
-</html>
-
-@@ post_message
-<script>
-function uberParent(win) {
-  return win.parent === win ? win : uberParent(win.parent);
-}
-
+@@ common
 function tellEveryone(msg, win) {
   if(win == undefined) win = window;
   win.postMessage(msg, '*');
@@ -352,6 +271,150 @@ function tellEveryone(msg, win) {
   if(win.opener) tellEveryone(msg, win.opener);
 }
 
+@@ container
+<!DOCTYPE html>
+<html><body><script>
+// === THE FLOW ===
+
+// every serious program has a main function
+function main() {
+  doYouHave(thirdPartyCookies,
+    yesIndeed("third party cookies enabled, creating iframe",
+      doYouHave(iframe(after(5)),
+        yesIndeed("iframe succeeded", done),
+        nopeSorry("iframe taking too long, creating pop-up",
+          doYouHave(popup(after(5)),
+            yesIndeed("pop-up succeeded", done),
+            nopeSorry("pop-up failed, redirecting", redirect))))),
+    nopeSorry("third party cookies disabled, creating pop-up",
+      doYouHave(popup(after(8)),
+        yesIndeed("popup succeeded", done),
+        nopeSorry("popup failed", redirect))))();
+}
+
+// === THE LOGIC ===
+var url = window.location.pathname + '/iframe' + window.location.search;
+
+function thirdPartyCookies(yes, no) {
+  window.cookiesCheckCallback = function(enabled) { enabled ? yes() : no() };
+  var img      = document.createElement('img');
+  img.src      = "https://third-party-cookies.herokuapp.com/set";
+  img.onload   = function() {
+    var script = document.createElement('script');
+    script.src = "https://third-party-cookies.herokuapp.com/check";
+    window.document.body.appendChild(script);
+  }
+}
+
+function iframe(time) {
+  return function(yes, no) {
+    var iframe = document.createElement('iframe');
+    iframe.src = url;
+    timeout(time, yes, no);
+    window.document.body.appendChild(iframe);
+  }
+}
+
+function popup(time) {
+  return function(yes, no) {
+    if(popupWindow) {
+      timeout(time, yes, function() {
+        if(popupWindow.closed || popupHidden) {
+          no()
+        } else {
+          try {
+            popupWindow.focus();
+            popupWindow.resizeTo(900, 500);
+          } catch(err) {
+            no()
+          }
+        }
+      });
+    } else {
+      no()
+    }
+  }
+}
+
+function done() {
+  if(popupWindow && !popupWindow.closed) popupWindow.close();
+}
+
+function redirect() {
+  tellEveryone('redirect');
+}
+
+function createPopup() {
+  if(!popupWindow) {
+    popupWindow = window.open(url, 'Signing in...', 'height=50,width=50');
+    popupWindow.onload = function() {
+      try {
+        popupHidden = popupWindow.innerHeight > 0;
+        maybe(function() { popupWindow.focus() });
+      } catch(err) {
+        popupHidden = false;
+      }
+    }
+  }
+}
+
+// === THE PLUMBING ===
+<%= erb :common %>
+
+function timeout(time, yes, no) {
+  var timeout = setTimeout(time, no);
+  onSuccess(function() {
+    clearTimeout(timeout);
+    yes()
+  });
+}
+
+function onSuccess(callback) {
+  succeeded ? callback() : callbacks.push(callback)
+}
+
+function doYouHave(feature, yes, no) {
+  return function() { feature(yes, no) };
+}
+
+function yesIndeed(msg, callback) {
+  if(console && console.log) console.log(msg);
+  return callback;
+}
+
+function after(value) {
+  return value*1000;
+}
+
+var nopeSorry = yesIndeed;
+var timeoutes = [];
+var callbacks = [];
+var seconds   = 1000;
+var succeeded = false;
+var popupWindow, popupHidden;
+
+window.addEventListener("message", function(event) {
+  if(event.data === "done") {
+    succeeded = true
+    for(var i = 0; i < callbacks.length; i++) {
+      (callbacks[i])();
+    }
+  }
+});
+
+// === READY? GO! ===
+main();
+</script>
+</body>
+</html>
+
+@@ post_message
+<script>
+<%= erb :common %>
+function uberParent(win) {
+  return win.parent === win ? win : uberParent(win.parent);
+}
+
 function sendPayload(win) {
   var payload          = <%= user.to_json %>;
   payload.token        = <%= token.inspect %>;

From 497eebab944ad9553a436ff4b087a2bbde05e45c Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 5 Dec 2012 15:10:28 +0100
Subject: [PATCH 03/13] simplify popup check

---
 lib/travis/api/app/endpoint/authorization.rb | 16 +++-------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index f23d73ed..e73e5c42 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -319,7 +319,7 @@ function popup(time) {
   return function(yes, no) {
     if(popupWindow) {
       timeout(time, yes, function() {
-        if(popupWindow.closed || popupHidden) {
+        if(popupWindow.closed || popupWindow.innerHeight < 1) {
           no()
         } else {
           try {
@@ -345,17 +345,7 @@ function redirect() {
 }
 
 function createPopup() {
-  if(!popupWindow) {
-    popupWindow = window.open(url, 'Signing in...', 'height=50,width=50');
-    popupWindow.onload = function() {
-      try {
-        popupHidden = popupWindow.innerHeight > 0;
-        maybe(function() { popupWindow.focus() });
-      } catch(err) {
-        popupHidden = false;
-      }
-    }
-  }
+  if(!popupWindow) popupWindow = window.open(url, 'Signing in...', 'height=50,width=50');
 }
 
 // === THE PLUMBING ===
@@ -391,7 +381,7 @@ var timeoutes = [];
 var callbacks = [];
 var seconds   = 1000;
 var succeeded = false;
-var popupWindow, popupHidden;
+var popupWindow;
 
 window.addEventListener("message", function(event) {
   if(event.data === "done") {

From 3b84b836995a3b55269c2f67f94d07f75f7de5e1 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:08:27 +0100
Subject: [PATCH 04/13] post data for targets we know

---
 lib/travis/api/app/endpoint/authorization.rb | 30 +++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index e73e5c42..20b0ae02 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -40,10 +40,7 @@ class Travis::Api::App
     # The entry point is [/auth/post_message](#/auth/post_message).
     class Authorization < Endpoint
       enable :inline_templates
-      set prefix: '/auth', allowed_targets: %r{
-        ^ http://   (localhost|127\.0\.0\.1)(:\d+)?  $ |
-        ^ https://  ([\w\-_]+\.)?travis-ci\.(org|com) $
-      }x
+      set prefix: '/auth'
 
       # Endpoint for retrieving an authorization code, which in turn can be used
       # to generate an access token.
@@ -92,8 +89,13 @@ class Travis::Api::App
       #
       # * **redirect_uri**: URI to redirect to after handshake.
       get '/handshake' do
-        handshake do |*, redirect_uri|
-          safe_redirect redirect_uri
+        handshake do |user, token, redirect_uri|
+          if target_ok? redirect_uri
+            data = { user: user, token: token, uri: redirect_uri }
+            erb(:post_payload, locals: data)
+          else
+            safe_redirect redirect_uri
+          end
         end
       end
 
@@ -250,7 +252,12 @@ class Travis::Api::App
         end
 
         def target_ok?(target_origin)
-          target_origin =~ settings.allowed_targets
+          uri = Addressable::URI.parse(target_origin)
+          if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\E/
+            uri.scheme == 'https'
+          elsif uri == 'localhost' or uri == '127.0.0.1'
+            uri.port > 1023
+          end
         end
     end
   end
@@ -420,3 +427,12 @@ if(window.parent == window) {
   sendPayload(window.parent);
 }
 </script>
+
+@@ post_payload
+<body onload='document.forms[0].submit()'>
+  <form>
+    <input type='hidden' name='token'   value='<%= token.inspect %>'>
+    <input type='hidden' name='user'    value='<%= user.to_json %>'>
+    <input type='hidden' name='storage' value='sessionStorage'>
+  </form>
+</body>

From cd9d84783d22b38415e755ebda44564eb4d5bb9f Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:20:23 +0100
Subject: [PATCH 05/13] fix regex

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 20b0ae02..6b511de8 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -253,7 +253,7 @@ class Travis::Api::App
 
         def target_ok?(target_origin)
           uri = Addressable::URI.parse(target_origin)
-          if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\E/
+          if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\Z/
             uri.scheme == 'https'
           elsif uri == 'localhost' or uri == '127.0.0.1'
             uri.port > 1023

From ee1f9d899d7fff157e131e53ed7073002c535021 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:24:46 +0100
Subject: [PATCH 06/13] set content type

---
 lib/travis/api/app/endpoint/authorization.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 6b511de8..29dec476 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -91,6 +91,7 @@ class Travis::Api::App
       get '/handshake' do
         handshake do |user, token, redirect_uri|
           if target_ok? redirect_uri
+            content_type :html
             data = { user: user, token: token, uri: redirect_uri }
             erb(:post_payload, locals: data)
           else

From afad81f92759ff19dd73d7220697c9916a0473af Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:34:13 +0100
Subject: [PATCH 07/13] Addressable::URI.parse might return nil

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 29dec476..33794be5 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -253,7 +253,7 @@ class Travis::Api::App
         end
 
         def target_ok?(target_origin)
-          uri = Addressable::URI.parse(target_origin)
+          return unless uri = Addressable::URI.parse(target_origin)
           if uri.host =~ /\A(.+\.)?travis-ci\.(com|org)\Z/
             uri.scheme == 'https'
           elsif uri == 'localhost' or uri == '127.0.0.1'

From af1aeb8147bc3b0488cf2124e8ad8960675ea990 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:40:29 +0100
Subject: [PATCH 08/13] set action and method

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 33794be5..d907fc3b 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -431,7 +431,7 @@ if(window.parent == window) {
 
 @@ post_payload
 <body onload='document.forms[0].submit()'>
-  <form>
+  <form action="<%= uri %>" method='post'>
     <input type='hidden' name='token'   value='<%= token.inspect %>'>
     <input type='hidden' name='user'    value='<%= user.to_json %>'>
     <input type='hidden' name='storage' value='sessionStorage'>

From 7b4fe5dab3ac4566d3c5a37f4cabea32b462613b Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 15:52:49 +0100
Subject: [PATCH 09/13] no inspect

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index d907fc3b..fd9e73df 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -432,7 +432,7 @@ if(window.parent == window) {
 @@ post_payload
 <body onload='document.forms[0].submit()'>
   <form action="<%= uri %>" method='post'>
-    <input type='hidden' name='token'   value='<%= token.inspect %>'>
+    <input type='hidden' name='token'   value='<%= token %>'>
     <input type='hidden' name='user'    value='<%= user.to_json %>'>
     <input type='hidden' name='storage' value='sessionStorage'>
   </form>

From 24ea1ca7c046edbe668e7e4b089b27d0bf3bc067 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 16:05:36 +0100
Subject: [PATCH 10/13] cheap escape

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index fd9e73df..e57f0576 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -433,7 +433,7 @@ if(window.parent == window) {
 <body onload='document.forms[0].submit()'>
   <form action="<%= uri %>" method='post'>
     <input type='hidden' name='token'   value='<%= token %>'>
-    <input type='hidden' name='user'    value='<%= user.to_json %>'>
+    <input type='hidden' name='user'    value="<%= user.to_json.gsub('"', '&quot;') %>">
     <input type='hidden' name='storage' value='sessionStorage'>
   </form>
 </body>

From 981a32f877c1a90321da97696fd36725285abf03 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 16:24:34 +0100
Subject: [PATCH 11/13] fix setTimeout

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index e57f0576..00b09dd1 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -360,7 +360,7 @@ function createPopup() {
 <%= erb :common %>
 
 function timeout(time, yes, no) {
-  var timeout = setTimeout(time, no);
+  var timeout = setTimeout(no, time);
   onSuccess(function() {
     clearTimeout(timeout);
     yes()

From 2250d1ba5c85eee77d47a2075b7a65b248124c54 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 16:51:33 +0100
Subject: [PATCH 12/13] only send user payload

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 00b09dd1..a75c35af 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -92,7 +92,7 @@ class Travis::Api::App
         handshake do |user, token, redirect_uri|
           if target_ok? redirect_uri
             content_type :html
-            data = { user: user, token: token, uri: redirect_uri }
+            data = { user: user['user'], token: token, uri: redirect_uri }
             erb(:post_payload, locals: data)
           else
             safe_redirect redirect_uri

From 83e42adc65ce0a842858e15454eade4a74cce0ce Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 6 Dec 2012 16:55:58 +0100
Subject: [PATCH 13/13] that did not work

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index a75c35af..00b09dd1 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -92,7 +92,7 @@ class Travis::Api::App
         handshake do |user, token, redirect_uri|
           if target_ok? redirect_uri
             content_type :html
-            data = { user: user['user'], token: token, uri: redirect_uri }
+            data = { user: user, token: token, uri: redirect_uri }
             erb(:post_payload, locals: data)
           else
             safe_redirect redirect_uri