mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
Revert my stuff, just change the name of header to Proxy-Authorization + set is_logged_in to false by default
This commit is contained in:
parent
73c5524518
commit
6c4c1ca54d
2 changed files with 22 additions and 38 deletions
|
@ -331,15 +331,12 @@ if hlp.has_access(permission) then
|
||||||
|
|
||||||
return hlp.pass()
|
return hlp.pass()
|
||||||
|
|
||||||
-- 2nd case : no access ... check Authorization header, redirect to portal / login form
|
-- 2nd case : no access ... redirect to portal / login form
|
||||||
else
|
else
|
||||||
|
|
||||||
if is_logged_in then
|
if is_logged_in then
|
||||||
return hlp.redirect(conf.portal_url)
|
return hlp.redirect(conf.portal_url)
|
||||||
else
|
else
|
||||||
-- Check if there is `Authorization` header, and redirect if we have successfully logged in
|
|
||||||
hlp.parse_auth_header()
|
|
||||||
|
|
||||||
-- Only display this if HTTPS. For HTTP, we can't know if the user really is
|
-- Only display this if HTTPS. For HTTP, we can't know if the user really is
|
||||||
-- logged in or not, because the cookie is available only in HTTP...
|
-- logged in or not, because the cookie is available only in HTTP...
|
||||||
if ngx.var.scheme == "https" then
|
if ngx.var.scheme == "https" then
|
||||||
|
|
47
helpers.lua
47
helpers.lua
|
@ -255,52 +255,39 @@ function refresh_logged_in()
|
||||||
else
|
else
|
||||||
authUser = user
|
authUser = user
|
||||||
end
|
end
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
return is_logged_in
|
return is_logged_in
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
-- If client set the `Proxy-Authorization` header before reaching the SSO,
|
||||||
|
-- we want to match user and password against the user database.
|
||||||
|
--
|
||||||
|
-- It allows to bypass the cookie-based procedure with a per-request
|
||||||
|
-- authentication. This is useful to authenticate on the SSO during
|
||||||
|
-- curl requests for example.
|
||||||
|
|
||||||
-- If client set the `Proxy-Authorization` header before reaching the SSO,
|
|
||||||
-- we want to match user and password against the user database.
|
|
||||||
--
|
|
||||||
-- It allows to bypass the cookie-based procedure with a per-request
|
|
||||||
-- authentication. This is useful to authenticate on the SSO during
|
|
||||||
-- curl requests for example.
|
|
||||||
function parse_auth_header()
|
|
||||||
local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
|
local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
|
||||||
|
|
||||||
if auth_header then
|
if auth_header then
|
||||||
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
|
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
|
||||||
if b64_cred ~= nil then
|
if b64_cred == nil then
|
||||||
|
return is_logged_in
|
||||||
|
end
|
||||||
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
||||||
user = authenticate(user, password)
|
user = authenticate(user, password)
|
||||||
if user then
|
if user then
|
||||||
logger.debug("User got authenticated through basic auth")
|
logger.debug("User got authenticated through basic auth")
|
||||||
is_logged_in = true
|
|
||||||
authUser = user
|
authUser = user
|
||||||
|
is_logged_in = true
|
||||||
if has_access(permission, user) then
|
|
||||||
refresh_user_cache(user)
|
|
||||||
|
|
||||||
-- If Basic Authorization header are enable for this permission,
|
|
||||||
-- add it to the response
|
|
||||||
if permission["auth_header"] then
|
|
||||||
set_headers(user)
|
|
||||||
end
|
|
||||||
|
|
||||||
return pass()
|
|
||||||
else
|
|
||||||
return redirect(conf.portal_url)
|
|
||||||
end
|
|
||||||
else
|
else
|
||||||
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
|
-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
|
||||||
ngx.status = 407
|
ngx.status = 407
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
return is_logged_in
|
||||||
end
|
end
|
||||||
|
|
||||||
function log_access(user, uri)
|
function log_access(user, uri)
|
||||||
|
|
Loading…
Reference in a new issue