From 6c4c1ca54da72ceedf4b7dc9dd35439e2d392c8a Mon Sep 17 00:00:00 2001 From: Kay0u Date: Thu, 24 Dec 2020 17:47:55 +0100 Subject: [PATCH] Revert my stuff, just change the name of header to Proxy-Authorization + set is_logged_in to false by default --- access.lua | 5 +---- helpers.lua | 55 ++++++++++++++++++++--------------------------------- 2 files changed, 22 insertions(+), 38 deletions(-) diff --git a/access.lua b/access.lua index 5637d4e..5b4c1d4 100644 --- a/access.lua +++ b/access.lua @@ -331,15 +331,12 @@ if hlp.has_access(permission) then return hlp.pass() --- 2nd case : no access ... check Authorization header, redirect to portal / login form +-- 2nd case : no access ... redirect to portal / login form else if is_logged_in then return hlp.redirect(conf.portal_url) else - -- Check if there is `Authorization` header, and redirect if we have successfully logged in - hlp.parse_auth_header() - -- Only display this if HTTPS. For HTTP, we can't know if the user really is -- logged in or not, because the cookie is available only in HTTP... if ngx.var.scheme == "https" then diff --git a/helpers.lua b/helpers.lua index 842b2b9..de99177 100644 --- a/helpers.lua +++ b/helpers.lua 
@@ -255,52 +255,39 @@ function refresh_logged_in() else authUser = user end + return is_logged_in end end end end - return is_logged_in -end + -- If client set the `Proxy-Authorization` header before reaching the SSO, + -- we want to match user and password against the user database. + -- + -- It allows to bypass the cookie-based procedure with a per-request + -- authentication. This is useful to authenticate on the SSO during + -- curl requests for example. --- If client set the `Proxy-Authorization` header before reaching the SSO, --- we want to match user and password against the user database. --- --- It allows to bypass the cookie-based procedure with a per-request --- authentication. This is useful to authenticate on the SSO during --- curl requests for example. -function parse_auth_header() local auth_header = ngx.req.get_headers()["Proxy-Authorization"] if auth_header then _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$") - if b64_cred ~= nil then - _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$") - user = authenticate(user, password) - if user then - logger.debug("User got authenticated through basic auth") - is_logged_in = true - authUser = user - - if has_access(permission, user) then - refresh_user_cache(user) - - -- If Basic Authorization header are enable for this permission, - -- add it to the response - if permission["auth_header"] then - set_headers(user) - end - - return pass() - else - return redirect(conf.portal_url) - end - else - -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407 - ngx.status = 407 - end + if b64_cred == nil then + return is_logged_in + end + _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$") + user = authenticate(user, password) + if user then + logger.debug("User got authenticated through basic auth") + authUser = user + is_logged_in = true + else + -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407 + ngx.status = 407 end end + + 
return is_logged_in end function log_access(user, uri)
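Review bot: In the new `Proxy-Authorization` branch of `refresh_logged_in`, the result of `ngx.decode_base64(b64_cred)` is passed straight to `string.find`, but it is nil for malformed base64, so a client-supplied header can raise a Lua error instead of a clean rejection. `ngx.req.get_headers()` also returns a table when the header is sent more than once, which fails the same way on the first `string.find`. The credential pattern `^(.+):(.+)$` is greedy, so a password containing `:` is split at the last colon and the wrong pair reaches `authenticate`; a string that does not match passes nil for both. `b64_cred`, `user` and `password` are assigned with no `local` visible in the hunk, so the cleartext password may land in a variable that outlives the request. The function starts above the hunk, so whether `is_logged_in` is reset before this branch cannot be confirmed from here; the sketch below keeps the existing early return.

```lua
-- … unchanged: cookie-based check and the Proxy-Authorization comment …
local auth_header = ngx.req.get_headers()["Proxy-Authorization"]

-- A repeated header arrives as a table; only a single string value is parsed.
if type(auth_header) == "string" then
    local b64_cred = string.match(auth_header, "^Basic%s+(.+)$")
    -- ngx.decode_base64 returns nil when the input is not valid base64.
    local decoded = b64_cred and ngx.decode_base64(b64_cred)
    if decoded == nil then
        return is_logged_in
    end
    -- The user-id holds no colon, the password may; an empty password is still rejected.
    local basic_user, basic_password = string.match(decoded, "^([^:]+):(.+)$")
    if basic_user == nil then
        return is_logged_in
    end
    local user = authenticate(basic_user, basic_password)
    -- … unchanged: authUser / is_logged_in on success, ngx.status = 407 otherwise …
```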