epic refactoring: refactor the 'portal url' logic, we shall now have a dict mapping domains to portal urls (which is anyway imposed by cookie management unless we reintroduce complex cross-domain authentication...)

2024-09-03 20:06:27 +02:00 · 2023-07-15 21:27:40 +02:00 · 2023-07-15 21:27:40 +02:00 · 24b7630d3c
commit 24b7630d3c
parent 93ee6371ae
3 changed files with 17 additions and 38 deletions
--- a/access.lua
+++ b/access.lua
@ -65,6 +65,8 @@ function check_authentication()

    decoded, err = jwt.verify(cookie, "HS256", cookie_secret)

+    -- FIXME : maybe also check that the cookie was delivered for the requested domain (or a parent?)
+
    -- FIXME : we might want also a way to identify expired/invalidated cookies,
    -- e.g. a user that got deleted after being logged in ...

@ -283,8 +285,14 @@ if has_access then
 -- 2nd case : no access ... redirect to portal / login form
 else

-    if is_logged_in then
-        return redirect(conf.portal_url)
+    portal_url = conf["domain_portal_urls"][ngx.var.host]
+    if portal_url == nil then
+        ngx.status = 400
+        ngx.header.content_type = "plain/text"
+        ngx.say('Unmanaged domain')
+        return
+    elseif is_logged_in then
+        return ngx.redirect(portal_url)
    else
        local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()

--- a/conf.json.example
+++ b/conf.json.example
@ -1,7 +1,8 @@
 {
-    "domains": [
-        "example.tld",
-        "example.org"
+    "domain_portal_urls": [
+        "example.tld": "example.tld/yunohost/sso",
+        "sub.example.tld": "example.tld/yunohost/sso",
+        "foobar.org": "foobar.org/yunohost/sso"
    ],
    "permissions": {
        "core_skipped": {
@ -54,8 +55,6 @@
            ]
        }
    },
-    "portal_domain": "example.tld",
-    "portal_path": "/yunohost/sso/",
    "redirected_regex": {
        "example.tld/yunohost[\\/]?$": "https://example.tld/yunohost/sso/"
    },
--- a/config.lua
+++ b/config.lua
@ -87,38 +87,10 @@ function get_config()
        end
    end

-
-    -- Default configuration values
-    default_conf = {
-        portal_path               = "/ssowat/",
-        local_portal_domain       = "yunohost.local",
-        domains                   = { conf["portal_domain"], "yunohost.local" },
-        logging                   = "fatal", -- Only log fatal messages by default (so apriori nothing)
-        permissions               = {}
-    }
-
-
-    -- Load default values unless they are set in the configuration file.
-    for param, default_value in pairs(default_conf) do
-        conf[param] = conf[param] or default_value
+    -- Always skip the portal urls to avoid redirection looping.
+    for domain, portal_url in pairs(conf["domain_portal_urls"]) do
+        table.insert(conf["permissions"]["core_skipped"]["uris"], portal_url)
    end

-
-    -- If you access the SSO by a local domain, change the portal domain to
-    -- avoid unwanted redirections.
-    if ngx.var.host == conf["local_portal_domain"] then
-        conf["portal_domain"] = conf["local_portal_domain"]
-    end
-
-
-    -- Build portal full URL out of the configuration values
-    conf.portal_url = "https://"..
-                      conf["portal_domain"]..
-                      conf["portal_path"]
-
-
-    -- Always skip the portal to avoid redirection looping.
-    table.insert(conf["permissions"]["core_skipped"]["uris"], conf["portal_domain"]..conf["portal_path"])
-
    return conf
 end