auth: also confirm that the cookie was delivered for this domain (or parent)

Alexandre Aubin 2023-11-28 19:57:57 +01:00
parent 6263195756
commit 3336464481


@ -34,18 +34,18 @@ function cached_jwt_verify(data, secret)
decoded, err = jwt.verify(data, "HS256", cookie_secret) decoded, err = jwt.verify(data, "HS256", cookie_secret)
if not decoded then if not decoded then
logger:error(err) logger:error(err)
return nil, nil, nil, err return nil, nil, nil, nil, err
end end
-- As explained in set_basic_auth_header(), user and hashed password do not contain ':' -- As explained in set_basic_auth_header(), user and hashed password do not contain ':'
-- And cache cannot contain tables, so we use "id:user:password" format -- And cache cannot contain tables, so we use "id:user:password" format
cached = decoded['id']..":"..decoded["user"]..":"..decoded["pwd"] cached = decoded['id']..":"..decoded['host']..":"..decoded["user"]..":"..decoded["pwd"]
cache:set(data, cached, 120) cache:set(data, cached, 120)
logger:debug("Result saved in cache") logger:debug("Result saved in cache")
return decoded['id'], decoded["user"], decoded["pwd"], err return decoded['id'], decoded['host'], decoded["user"], decoded["pwd"], err
else else
logger:debug("Result found in cache") logger:debug("Result found in cache")
session_id, user, pwd = res:match("([^:]+):([^:]+):(.*)") session_id, host, user, pwd = res:match("([^:]+):([^:]+):([^:]+):(.*)")
return session_id, user, pwd, nil return session_id, host, user, pwd, nil
end end
end end
@ -60,7 +60,7 @@ function match(s, regex)
end end
end end
-- Test whether a string starts with another -- Test whether a string starts/ends with something
function string.starts(String, Start) function string.starts(String, Start)
if not String then if not String then
return false return false
@ -68,6 +68,13 @@ function string.starts(String, Start)
return string.sub(String, 1, string.len(Start)) == Start return string.sub(String, 1, string.len(Start)) == Start
end end
function string.ends(String, End)
if not String then
return false
end
return string.sub(String, -string.len(End)) == End
end
-- Convert a table of arguments to an URI string -- Convert a table of arguments to an URI string
function uri_args_string(args) function uri_args_string(args)
if not args then if not args then
@ -110,7 +117,7 @@ function check_authentication()
return false, nil, nil return false, nil, nil
end end
session_id, user, pwd, err = cached_jwt_verify(cookie, cookie_secret) session_id, host, user, pwd, err = cached_jwt_verify(cookie, cookie_secret)
if err ~= nil then if err ~= nil then
return false, nil, nil return false, nil, nil
@ -123,6 +130,13 @@ function check_authentication()
return false, nil, nil return false, nil, nil
end end
-- Check the host the cookie was meant to does match the request
-- (this should never happen except if somehow a malicious user manually tries
-- to use a cookie that was delivered from a different domain)
if host ~= ngx.var.host and not string.endswith(ngx.var.host, "." .. host) then
return false, nil, nil
end
return true, user, pwd return true, user, pwd
end end
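Review bot: The new check `if host ~= ngx.var.host and not string.endswith(ngx.var.host, "." .. host) then` calls `string.endswith`, but the helper this commit defines (hunk at line 68) is named `string.ends`, and Lua's string library has no `endswith`; the first request whose cookie `host` differs from `ngx.var.host` therefore raises "attempt to call field 'endswith' (a nil value)" instead of being refused, which presumably surfaces as a server error rather than a clean reject. The line should read `if host ~= ngx.var.host and not string.ends(ngx.var.host, "." .. host) then`. Relatedly, `host` comes from `decoded['host']` in `cached_jwt_verify` (hunk at line 34); a token issued before this change carries no such claim, so `decoded['id']..":"..decoded['host']..` would raise on nil rather than reject — a guard such as `if not decoded['host'] then return nil, nil, nil, nil, "missing host claim" end` before the concatenation keeps stale cookies failing closed. The enclosing function `check_authentication` starts outside this hunk.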