Authentication headers are ONLY set when user is logged in and has access to app

Prevents impersonating users on public applications where the auth headers were not cleared
This commit is contained in:
selfhoster1312 2023-01-09 15:47:45 +01:00
parent 2af882a69d
commit 5e378e5c2b
2 changed files with 14 additions and 0 deletions

View file

@ -333,7 +333,11 @@ if hlp.has_access(permission) then
-- add it to the response -- add it to the response
if permission["auth_header"] then if permission["auth_header"] then
hlp.set_headers() hlp.set_headers()
else
hlp.clear_headers()
end end
else
hlp.clear_headers()
end end
return hlp.pass() return hlp.pass()

View file

@ -414,6 +414,16 @@ function set_headers(user)
end end
-- Removes the authentication headers. Call me when:
-- - app is public and user is not authenticated
-- - app requests that no authentication headers be sent
-- Prevents user from pretending to be someone else on public apps
function clear_headers()
ngx.req.clear_header("Authorization")
for k, v in pairs(conf["additional_headers"]) do
ngx.req.clear_header(k)
end
end
function refresh_user_cache(user) function refresh_user_cache(user)
-- We definitely don't want to pass credentials on a non-encrypted -- We definitely don't want to pass credentials on a non-encrypted