Authentication headers are ONLY set when user is logged in and has access to app
Prevents impersonating users on public applications where the auth headers were not cleared
This commit is contained in:
parent
2af882a69d
commit
5e378e5c2b
2 changed files with 14 additions and 0 deletions
|
@ -333,7 +333,11 @@ if hlp.has_access(permission) then
|
|||
-- add it to the response
|
||||
if permission["auth_header"] then
|
||||
hlp.set_headers()
|
||||
else
|
||||
hlp.clear_headers()
|
||||
end
|
||||
else
|
||||
hlp.clear_headers()
|
||||
end
|
||||
|
||||
return hlp.pass()
|
||||
|
|
10
helpers.lua
10
helpers.lua
|
@ -414,6 +414,16 @@ function set_headers(user)
|
|||
|
||||
end
|
||||
|
||||
-- Removes the authentication headers. Call me when:
|
||||
-- - app is public and user is not authenticated
|
||||
-- - app requests that no authentication headers be sent
|
||||
-- Prevents user from pretending to be someone else on public apps
|
||||
function clear_headers()
|
||||
ngx.req.clear_header("Authorization")
|
||||
for k, v in pairs(conf["additional_headers"]) do
|
||||
ngx.req.clear_header(k)
|
||||
end
|
||||
end
|
||||
|
||||
function refresh_user_cache(user)
|
||||
-- We definitely don't want to pass credentials on a non-encrypted
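Review bot: `clear_headers` assumes `conf["additional_headers"]` is always a table; if the key is absent from the configuration, `pairs(nil)` raises at request time in the access phase, which turns a missing config entry into a request failure rather than a cleared header. A nil-tolerant loop keeps the intent: `for k, _ in pairs(conf["additional_headers"] or {}) do` (the loop value is unused, so `_` also reads better than `v`). It would help to note in the header comment that this clears headers on the request forwarded upstream, e.g. `-- Clears "Authorization" and every configured additional header from the upstream request`, since the names cleared here presumably mirror what `set_headers(user)` sets, whose body ends just before this hunk and is otherwise outside it. The same config access pattern presumably exists in `set_headers`; if it already guards against a missing table, this function should match it.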
|
||||
|
|