Merge pull request #176 from titoko/patch-2

feat(security): don't set header if auth_header false
This commit is contained in:
Alexandre Aubin 2020-12-18 18:31:57 +01:00 committed by GitHub
commit 0704973f59
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 19 deletions


@ -319,13 +319,13 @@ end
if hlp.has_access(permission) then if hlp.has_access(permission) then
if is_logged_in then if is_logged_in then
-- If the user is logged in, we set some additional headers -- If the user is logged in, refresh_cache
hlp.set_headers() hlp.refresh_user_cache()
-- If Basic Authorization header are disabled for this permission, -- If Basic Authorization header are enable for this permission,
-- remove them from the response -- add it to the response
if not permission["auth_header"] then if permission["auth_header"] then
ngx.req.clear_header("Authorization") hlp.set_headers()
end end
end end
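Review bot: The `ngx.req.clear_header("Authorization")` call is no longer made when `permission["auth_header"]` is false, so on the new side any Authorization header supplied by the client is forwarded to the upstream application untouched instead of being stripped as the old branch did. If the meaning of auth_header=false is that the backend must never receive a Basic credential from this path, keep the stripping as the else branch: `if permission["auth_header"] then hlp.set_headers() else ngx.req.clear_header("Authorization") end`. I cannot see from this hunk whether an earlier step already removes incoming Authorization headers, so this is inferred from the visible lines only; the enclosing block continues outside the hunk.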


@ -416,7 +416,21 @@ end
-- Set the authentication headers in order to pass credentials to the -- Set the authentication headers in order to pass credentials to the
-- application underneath. -- application underneath.
function set_headers(user) function set_headers(user)
local user = user or authUser
-- Set `authorization` header to enable HTTP authentification
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
user..":"..cache:get(user.."-password")
))
-- Set optionnal additional headers (typically to pass email address)
for k, v in pairs(conf["additional_headers"]) do
ngx.req.set_header(k, cache:get(user.."-"..v))
end
end
function refresh_user_cache(user)
-- We definitely don't want to pass credentials on a non-encrypted -- We definitely don't want to pass credentials on a non-encrypted
-- connection. -- connection.
if ngx.var.scheme ~= "https" then if ngx.var.scheme ~= "https" then
@ -473,17 +487,6 @@ function set_headers(user)
password = cache:get(user.."-password") password = cache:get(user.."-password")
cache:set(user.."-password", password, conf["session_timeout"]) cache:set(user.."-password", password, conf["session_timeout"])
end end
-- Set `authorization` header to enable HTTP authentification
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
user..":"..cache:get(user.."-password")
))
-- Set optionnal additional headers (typically to pass email address)
for k, v in pairs(conf["additional_headers"]) do
ngx.req.set_header(k, cache:get(user.."-"..v))
end
end end
@ -636,7 +639,7 @@ function get_data_for(view)
-- Be sure cache is loaded -- Be sure cache is loaded
if user then if user then
set_headers(user) refresh_user_cache(user)
local mails = get_mails(user) local mails = get_mails(user)
data = { data = {
@ -973,7 +976,7 @@ function edit_user()
then then
delete_user_info_cache(user) delete_user_info_cache(user)
-- Ugly trick to force cache reloading -- Ugly trick to force cache reloading
set_headers(user) refresh_user_cache(user)
flash("win", t("information_updated")) flash("win", t("information_updated"))
return redirect(conf.portal_url.."portal.html") return redirect(conf.portal_url.."portal.html")
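Review bot: The new `set_headers` in the first hunk of this file (the body from `local user = user or authUser` through the `additional_headers` loop) writes the Basic Authorization header without any check of `ngx.var.scheme`; the `https` guard that the old `set_headers` ran first now lives only in `refresh_user_cache`, whose body is outside the hunk, so a caller that invokes `set_headers` on its own, or after a guard that merely logs rather than aborting, would pass credentials over plain HTTP. Repeating the guard as an early return in `set_headers` keeps the invariant local to the function that sets the header: `if ngx.var.scheme ~= "https" then return end` placed right after `local user = user or authUser`. Separately, `cache:get(user.."-password")` can be nil once the cache entry has expired, and `set_headers` no longer refreshes it itself, so the `..` concatenation raises unless `refresh_user_cache` ran first; a header comment such as `-- Requires refresh_user_cache(user) to have been called on this request` would document that ordering, which the call sites in the later hunks rely on. `refresh_user_cache` starts inside the first hunk but its body runs past it.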