epic refactoring: refactor the 'portal url' logic, we shall now have a dict mapping domains to portal urls (which is anyway imposed by cookie management unless we reintroduce complex cross-domain authentication...)

2024-09-03 20:06:27 +02:00 · 2023-07-15 21:27:40 +02:00 · 2023-07-15 21:27:40 +02:00 · 24b7630d3c
commit 24b7630d3c
parent 93ee6371ae
3 changed files with 17 additions and 38 deletions
--- a/access.lua
+++ b/access.lua
@ -65,6 +65,8 @@ function check_authentication()
    decoded, err = jwt.verify(cookie, "HS256", cookie_secret)
    -- FIXME : maybe also check that the cookie was delivered for the requested domain (or a parent?)
    -- FIXME : we might want also a way to identify expired/invalidated cookies,
    -- e.g. a user that got deleted after being logged in ...
@ -283,8 +285,14 @@ if has_access then
 -- 2nd case : no access ... redirect to portal / login form
 else
-    if is_logged_in then
+    portal_url = conf["domain_portal_urls"][ngx.var.host]
-        return redirect(conf.portal_url)
+    if portal_url == nil then
        ngx.status = 400
        ngx.header.content_type = "plain/text"
        ngx.say('Unmanaged domain')
        return
    elseif is_logged_in then
        return ngx.redirect(portal_url)
    else
        local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()
--- a/conf.json.example
+++ b/conf.json.example
@ -1,7 +1,8 @@
 {
-    "domains": [
+    "domain_portal_urls": [
-        "example.tld",
+        "example.tld": "example.tld/yunohost/sso",
-        "example.org"
+        "sub.example.tld": "example.tld/yunohost/sso",
        "foobar.org": "foobar.org/yunohost/sso"
    ],
    "permissions": {
        "core_skipped": {
@ -54,8 +55,6 @@
            ]
        }
    },
    "portal_domain": "example.tld",
    "portal_path": "/yunohost/sso/",
    "redirected_regex": {
        "example.tld/yunohost[\\/]?$": "https://example.tld/yunohost/sso/"
    },
--- a/config.lua
+++ b/config.lua
@ -87,38 +87,10 @@ function get_config()
        end
    end
-
+    -- Always skip the portal urls to avoid redirection looping.
-    -- Default configuration values
+    for domain, portal_url in pairs(conf["domain_portal_urls"]) do
-    default_conf = {
+        table.insert(conf["permissions"]["core_skipped"]["uris"], portal_url)
        portal_path               = "/ssowat/",
        local_portal_domain       = "yunohost.local",
        domains                   = { conf["portal_domain"], "yunohost.local" },
        logging                   = "fatal", -- Only log fatal messages by default (so apriori nothing)
        permissions               = {}
    }
    -- Load default values unless they are set in the configuration file.
    for param, default_value in pairs(default_conf) do
        conf[param] = conf[param] or default_value
    end
    -- If you access the SSO by a local domain, change the portal domain to
    -- avoid unwanted redirections.
    if ngx.var.host == conf["local_portal_domain"] then
        conf["portal_domain"] = conf["local_portal_domain"]
    end
    -- Build portal full URL out of the configuration values
    conf.portal_url = "https://"..
                      conf["portal_domain"]..
                      conf["portal_path"]
    -- Always skip the portal to avoid redirection looping.
    table.insert(conf["permissions"]["core_skipped"]["uris"], conf["portal_domain"]..conf["portal_path"])
    return conf
 end