security: Also check client-provided auth headers to prevent impersonation

This commit is contained in:
Alexandre Aubin 2023-01-09 18:32:32 +01:00
parent 7fc0350788
commit 1f56a08621


@ -256,14 +256,14 @@ function refresh_logged_in()
return false return false
end end
-- If client set the `Proxy-Authorization` header before reaching the SSO, -- If client set the Authorization/Proxy-Authorization header before reaching the SSO,
-- we want to match user and password against the user database. -- we want to match user and password against the user database.
-- --
-- It allows to bypass the cookie-based procedure with a per-request -- It allows to bypass the cookie-based procedure with a per-request
-- authentication. This is useful to authenticate on the SSO during -- authentication. This is useful to authenticate on the SSO during
-- curl requests for example. -- curl requests for example.
local auth_header = ngx.req.get_headers()["Proxy-Authorization"] local auth_header = ngx.req.get_headers()["Authorization"] or ngx.req.get_headers()["Proxy-Authorization"]
if auth_header then if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$") _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
@ -277,8 +277,7 @@ function refresh_logged_in()
authUser = user authUser = user
is_logged_in = true is_logged_in = true
else else
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407 return ngx.exit(ngx.HTTP_UNAUTHORIZED)
ngx.status = 407
end end
end end
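Review bot: The new `local auth_header = ngx.req.get_headers()["Authorization"] or ngx.req.get_headers()["Proxy-Authorization"]` line feeds `string.find` on the next line, but `ngx.req.get_headers()` yields a Lua table rather than a string for a header the client sent more than once, so a request carrying duplicate `Authorization` headers would raise a runtime error (HTTP 500) instead of being rejected; a guard such as `if type(auth_header) == "table" then return ngx.exit(ngx.HTTP_BAD_REQUEST) end` before the match keeps the failure explicit. The `b64_cred` capture on the following context line is assigned without `local`, which makes it a global shared by every request handled in the same worker. In the second hunk, the new `return ngx.exit(ngx.HTTP_UNAUTHORIZED)` replaces the 407 status, but a 401 is expected to carry a challenge, e.g. `ngx.header["WWW-Authenticate"] = 'Basic realm="<REALM>"'` just before the exit, otherwise Basic-auth clients will not prompt for credentials. refresh_logged_in() begins before the first hunk and continues past the second, so the surrounding control flow is not visible here.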