YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

security: Also check client-provided auth headers to prevent impersonation

Browse source
This commit is contained in:
Alexandre Aubin 2023-01-09 18:32:32 +01:00
parent 7fc0350788
commit 1f56a08621
1 changed files with 3 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
helpers.lua
View file

@ -256,14 +256,14 @@ function refresh_logged_in()
return false
end
-- If client set the `Proxy-Authorization` header before reaching the SSO,
-- If client set the Authorization/Proxy-Authorization header before reaching the SSO,
-- we want to match user and password against the user database.
--
-- It allows to bypass the cookie-based procedure with a per-request
-- authentication. This is useful to authenticate on the SSO during
-- curl requests for example.
local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
local auth_header = ngx.req.get_headers()["Authorization"] or ngx.req.get_headers()["Proxy-Authorization"]
if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
@ -277,8 +277,7 @@ function refresh_logged_in()
authUser = user
is_logged_in = true
else
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
ngx.status = 407
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
end