Remove the part that injects the password inside the Authorization header ... in the vast majority of cases, only the username should be necessary and trusted by the app

This commit is contained in:
Alexandre Aubin 2023-12-23 20:08:35 +01:00
parent f81ae9d5c5
commit 493ba581bb


@ -9,7 +9,7 @@ ngx.header["X-SSO-WAT"] = "You've just been SSOed"
-- Misc imports -- Misc imports
local jwt = require("vendor.luajwtjitsi.luajwtjitsi") local jwt = require("vendor.luajwtjitsi.luajwtjitsi")
local cipher = require('openssl.cipher') -- local cipher = require('openssl.cipher')
local rex = require("rex_pcre2") local rex = require("rex_pcre2")
local lfs = require("lfs") local lfs = require("lfs")
@ -293,14 +293,18 @@ function set_basic_auth_header()
-- For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA== -- For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA==
-- The password is encoded using AES-256-CBC with the IV being the right-side data -- The password is encoded using AES-256-CBC with the IV being the right-side data
-- cf. src/authenticators/ldap_ynhuser.py in YunoHost to see how the cookie is actually created -- cf. src/authenticators/ldap_ynhuser.py in YunoHost to see how the cookie is actually created
local password_enc_b64, iv_b64 = authPasswordEnc:match("([^|]+)|([^|]+)")
local password_enc = ngx.decode_base64(password_enc_b64) -- Tmp, possibly permanent removal of the code that inject the password inside the auth header,
local iv = ngx.decode_base64(iv_b64) -- which should not be needed in the vast majority of cases where the app just trust the $remote_user info/header ...
local password = cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
-- local password_enc_b64, iv_b64 = authPasswordEnc:match("([^|]+)|([^|]+)")
-- local password_enc = ngx.decode_base64(password_enc_b64)
-- local iv = ngx.decode_base64(iv_b64)
-- local password = cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
-- Set `Authorization` header to enable HTTP authentification -- Set `Authorization` header to enable HTTP authentification
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64( ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
authUser..":"..password authUser..":"
)) ))
end end
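Review bot: The rewritten header value `authUser..":"` still sends a Basic credential, now with an empty password, so an app that really validates Basic credentials will fail authentication on every request, while an app that only trusts `$remote_user` never needed the header; the hunk does not record which behaviour is intended. If the header write is kept so that a client-supplied `Authorization` header is always overwritten before reaching the app (ngx.req.set_header replaces an existing value), say so, e.g. `-- Always overwrite Authorization so a client cannot smuggle its own credentials to the app; the password itself is no longer forwarded.`, otherwise the line looks like leftover and a later cleanup may drop it. The untouched comment block above (`-- The password is encoded using AES-256-CBC with the IV being the right-side data`) now describes code that is commented out; it should be moved next to the disabled lines or reworded as documenting the cookie format only. The enclosing function set_basic_auth_header starts before this hunk.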