Revert my changes; just rename the header to Proxy-Authorization and set is_logged_in to false by default

This commit is contained in:
Kay0u 2020-12-24 17:47:55 +01:00
parent 73c5524518
commit 6c4c1ca54d
No known key found for this signature in database
GPG key ID: AE1DCADB6415A156
2 changed files with 22 additions and 38 deletions


@ -331,15 +331,12 @@ if hlp.has_access(permission) then
return hlp.pass() return hlp.pass()
-- 2nd case : no access ... check Authorization header, redirect to portal / login form -- 2nd case : no access ... redirect to portal / login form
else else
if is_logged_in then if is_logged_in then
return hlp.redirect(conf.portal_url) return hlp.redirect(conf.portal_url)
else else
-- Check if there is `Authorization` header, and redirect if we have successfully logged in
hlp.parse_auth_header()
-- Only display this if HTTPS. For HTTP, we can't know if the user really is -- Only display this if HTTPS. For HTTP, we can't know if the user really is
-- logged in or not, because the cookie is available only in HTTP... -- logged in or not, because the cookie is available only in HTTP...
if ngx.var.scheme == "https" then if ngx.var.scheme == "https" then


@ -255,13 +255,11 @@ function refresh_logged_in()
else else
authUser = user authUser = user
end end
end
end
end
end
return is_logged_in return is_logged_in
end end
end
end
end
-- If client set the `Proxy-Authorization` header before reaching the SSO, -- If client set the `Proxy-Authorization` header before reaching the SSO,
-- we want to match user and password against the user database. -- we want to match user and password against the user database.
@ -269,38 +267,27 @@ end
-- It allows to bypass the cookie-based procedure with a per-request -- It allows to bypass the cookie-based procedure with a per-request
-- authentication. This is useful to authenticate on the SSO during -- authentication. This is useful to authenticate on the SSO during
-- curl requests for example. -- curl requests for example.
function parse_auth_header()
local auth_header = ngx.req.get_headers()["Proxy-Authorization"] local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
if auth_header then if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$") _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
if b64_cred ~= nil then if b64_cred == nil then
return is_logged_in
end
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$") _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
user = authenticate(user, password) user = authenticate(user, password)
if user then if user then
logger.debug("User got authenticated through basic auth") logger.debug("User got authenticated through basic auth")
is_logged_in = true
authUser = user authUser = user
is_logged_in = true
if has_access(permission, user) then
refresh_user_cache(user)
-- If Basic Authorization header are enable for this permission,
-- add it to the response
if permission["auth_header"] then
set_headers(user)
end
return pass()
else
return redirect(conf.portal_url)
end
else else
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407 -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
ngx.status = 407 ngx.status = 407
end end
end end
end
return is_logged_in
end end
function log_access(user, uri) function log_access(user, uri)
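Review bot: `ngx.decode_base64(b64_cred)` on the new side returns nil when the value after `Basic` is not valid base64, and that nil goes straight into `string.find`, so a request carrying a malformed `Proxy-Authorization` header raises a Lua error instead of being treated as unauthenticated; the +/- markers are lost in this rendering, so which `is_logged_in = true` line survives is inferred from the line counts. The `^(.+):(.+)$` pattern also splits at the last colon, so a password containing `:` is mis-parsed (the user-id cannot contain a colon, so the first capture should be `[^:]+`), and `b64_cred`, `user` and `password` are assigned without `local`, which makes them globals shared by every request handled by the worker. The 407 branch logs nothing, so repeated failed attempts leave no trace unless `authenticate()` logs them itself. Validate the decode result and the match before calling `authenticate`, and keep the credentials local; refresh_logged_in's signature is outside this hunk.
```lua
if auth_header then
  local b64_cred = string.match(auth_header, "^Basic%s+(.+)$")
  if b64_cred == nil then
    return is_logged_in
  end
  -- nil here means the credential was not valid base64: treat it as absent
  local decoded = ngx.decode_base64(b64_cred)
  local user, password
  if decoded then
    user, password = string.match(decoded, "^([^:]+):(.+)$")
  end
  if not user then
    return is_logged_in
  end
  user = authenticate(user, password)
  -- … unchanged: success path and 407 handling …
```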