Screw tokens, be Batman

This commit is contained in:
Kload 2013-10-17 00:12:14 +02:00
parent 800d8ccf44
commit 5ae1199bf1
2 changed files with 5 additions and 23 deletions


@ -6,7 +6,6 @@ local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing
local conf = json.decode(conf_file:read("*all")) local conf = json.decode(conf_file:read("*all"))
local portal_url = conf["portal_scheme"].."://".. local portal_url = conf["portal_scheme"].."://"..
conf["portal_domain"].. conf["portal_domain"]..
":"..conf["portal_port"]..
conf["portal_path"] conf["portal_path"]
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"]) table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])
@ -49,17 +48,6 @@ function set_auth_cookie (user, domain)
cook("SSOwAuthExpire="..expire..cookie_str) cook("SSOwAuthExpire="..expire..cookie_str)
end end
function set_token_cookie ()
local token = tostring(math.random(111111, 999999))
tokens[token] = token
cook(
"SSOwAuthToken="..token..
"; Domain=."..conf["portal_domain"]..
"; Path="..conf["portal_path"]..
"; Max-Age=3600"
)
end
function set_redirect_cookie (redirect_url) function set_redirect_cookie (redirect_url)
cook( cook(
"SSOwAuthRedirect="..redirect_url.. "SSOwAuthRedirect="..redirect_url..
@ -84,7 +72,6 @@ function delete_onetime_cookie ()
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;" expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
local cookie_str = "; Path="..conf["portal_path"].. local cookie_str = "; Path="..conf["portal_path"]..
"; Max-Age="..expired_time "; Max-Age="..expired_time
cook("SSOwAuthToken=;" ..cookie_str)
cook("SSOwAuthRedirect=;" ..cookie_str) cook("SSOwAuthRedirect=;" ..cookie_str)
end end
@ -167,11 +154,11 @@ function display_login_form ()
end end
-- Set redirect -- Set redirect
if args.r then set_redirect_cookie(ngx.decode_base64(args.r)) end if args.r then
-- Set token set_redirect_cookie(ngx.decode_base64(args.r))
set_token_cookie()
ngx.header["Cache-Control"] = "no-cache"
ngx.header["Set-Cookie"] = cookies ngx.header["Set-Cookie"] = cookies
end
ngx.header["Cache-Control"] = "no-cache"
return return
end end
@ -180,11 +167,7 @@ function do_login ()
local args = ngx.req.get_post_args() local args = ngx.req.get_post_args()
local uri_args = ngx.req.get_uri_args() local uri_args = ngx.req.get_uri_args()
-- CSRF check if string.starts(ngx.var.http_referer, portal_url) then
local token = ngx.var.cookie_SSOwAuthToken
if token and tokens[token] then
tokens[token] = nil
ngx.status = ngx.HTTP_CREATED ngx.status = ngx.HTTP_CREATED
if authenticate(args.user, args.password) then if authenticate(args.user, args.password) then
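Review bot: The new Referer check `if string.starts(ngx.var.http_referer, portal_url) then` has no nil guard: clients and proxies commonly omit the Referer header (Referrer-Policy, HTTPS-to-HTTP transitions, privacy extensions), and `ngx.var.http_referer` is then nil, so the comparison operates on a nil argument instead of rejecting the request cleanly (the exact failure depends on the `string.starts` helper, which is defined outside this hunk). The first hunk also drops `":"..conf["portal_port"]..` from `portal_url`, so if the portal is served on a non-default port the browser's Referer (`scheme://domain:port/...`) will never prefix-match and every login is refused. A Referer prefix match is in any case a looser CSRF defence than the per-session token this commit removes: it accepts any URL that merely begins with `portal_url`, including sibling paths that share the portal path as a prefix, and it locks out legitimate users whose clients strip the header. At minimum guard the header and make the rejection observable, `local referer = ngx.var.http_referer` / `if referer and string.starts(referer, portal_url) then`, with a log line in the else branch so missing-Referer failures can be told apart from genuine cross-site posts; a per-request token plus an exact scheme/host/port comparison remains the stronger check. do_login's body continues past the end of the hunk.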


@ -8,7 +8,6 @@ math.randomseed(os.time())
srvkey = math.random(1111111, 9999999) srvkey = math.random(1111111, 9999999)
-- Shared table -- Shared table
tokens = {}
cache = {} cache = {}
login = {} login = {}
logout = {} logout = {}