From 5e378e5c2bda935530ebaad4a2aae03cd009c87f Mon Sep 17 00:00:00 2001
From: selfhoster1312
Date: Mon, 9 Jan 2023 15:47:45 +0100
Subject: [PATCH] Authentication headers are ONLY set when user is logged in and has access to app
Prevents impersonating users on public applications where the auth headers were not cleared
---
access.lua | 4 ++++
helpers.lua | 10 ++++++++++
2 files changed, 14 insertions(+)
diff --git a/access.lua b/access.lua
index 18aa0a8..74cc709 100644
--- a/access.lua
+++ b/access.lua
@@ -333,7 +333,11 @@ if hlp.has_access(permission) then
-- add it to the response
if permission["auth_header"] then
hlp.set_headers()
+ else
+ hlp.clear_headers()
end
+ else
+ hlp.clear_headers()
end
return hlp.pass()
diff --git a/helpers.lua b/helpers.lua
index f5318a5..2bd4c13 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -414,6 +414,16 @@ function set_headers(user)
end
+-- Removes the authentication headers. Call me when:
+-- - app is public and user is not authenticated
+-- - app requests that no authentication headers be sent
+-- Prevents user from pretending to be someone else on public apps
+function clear_headers()
+ ngx.req.clear_header("Authorization")
+ for k, v in pairs(conf["additional_headers"]) do
+ ngx.req.clear_header(k)
+ end
+end
function refresh_user_cache(user)
-- We definitely don't want to pass credentials on a non-encrypted
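Review bot: The two new `hlp.clear_headers()` calls strip client-supplied auth headers only on the paths that reach this block, so any request that leaves access.lua through an earlier `hlp.pass()` (the start of the file is outside this hunk) would still forward whatever `Authorization` or additional headers the client sent. A default-deny shape is safer and shorter: call `hlp.clear_headers()` unconditionally before the access check and re-add headers only in the single authorized branch, which also leaves nothing to forget when another branch is added later. Note that the trailing `return hlp.pass()` also runs after the no-access `else`, so this block presumably relies on an earlier step having already rejected non-public requests; a one-line comment stating that assumption would help the next reader. The enclosing `if hlp.has_access(permission) then` is the hunk's header line, so the block begins just before the hunk body.
```lua
-- Never trust auth headers sent by the client: strip them first, then
-- re-add them only for a user who is logged in and allowed on this app.
hlp.clear_headers()
if hlp.has_access(permission) and permission["auth_header"] then
    hlp.set_headers()
end
return hlp.pass()
```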