From 1f56a0862188c97bd5d2cae27d92a14385d67680 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 9 Jan 2023 18:32:32 +0100
Subject: [PATCH] security: Also check client-provided auth headers to prevent impersonation
---
 helpers.lua | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index 3a94936..7192337 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -256,14 +256,14 @@ function refresh_logged_in()
 return false
 end
- -- If client set the `Proxy-Authorization` header before reaching the SSO,
+ -- If client set the Authorization/Proxy-Authorization header before reaching the SSO,
 -- we want to match user and password against the user database.
 --
 -- It allows to bypass the cookie-based procedure with a per-request
 -- authentication. This is useful to authenticate on the SSO during
 -- curl requests for example.
- local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
+ local auth_header = ngx.req.get_headers()["Authorization"] or ngx.req.get_headers()["Proxy-Authorization"]
 if auth_header then
 _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
@@ -277,8 +277,7 @@ function refresh_logged_in()
 authUser = user
 is_logged_in = true
 else
- -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
- ngx.status = 407
+ return ngx.exit(ngx.HTTP_UNAUTHORIZED)
 end
 end
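Review bot: The new `auth_header` line can receive a Lua table rather than a string, because `ngx.req.get_headers()` represents a header that a client sent more than once as a table of values, and the `string.find(auth_header, ...)` on the following context line then raises a Lua error (a 500) instead of rejecting the request; the same `get_headers()` call is also evaluated twice on one line. I would read the headers once and refuse anything that is not a single string, e.g. `local headers = ngx.req.get_headers()` / `local auth_header = headers["Authorization"] or headers["Proxy-Authorization"]` / `if auth_header ~= nil and type(auth_header) ~= "string" then return ngx.exit(ngx.HTTP_BAD_REQUEST) end`, which is consistent with the hard exit the second hunk introduces for bad credentials. The `or` also means a request carrying both headers is checked against `Authorization` only; whether the unchecked `Proxy-Authorization` value can still reach the backend depends on header handling outside this hunk, so a comment stating that only the first header present is validated would help the next reader. `refresh_logged_in` starts before and continues after this hunk.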
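Review bot: `return ngx.exit(ngx.HTTP_UNAUTHORIZED)` sends a 401 with no `WWW-Authenticate` header, so a client that supplied bad Basic credentials gets no challenge naming the expected scheme; the `ngx.status = 407` it replaces had the same gap with `Proxy-Authenticate`. Setting `ngx.header["WWW-Authenticate"] = 'Basic realm="<realm-placeholder>"'` immediately before the exit would make the response conform. The exit also terminates the request from inside a helper whose other paths appear to report state by return value (`return false` in the first hunk), so a comment such as `-- Bad credentials abort the request here: never fall back to the cookie session when the client explicitly presented an auth header` would record why the cookie path is deliberately skipped. `refresh_logged_in` starts before and ends after this hunk.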