Revert my stuff, just change the name of header to Proxy-Authorization + set is_logged_in to false by default

2024-09-03 20:06:27 +02:00 · 2020-12-24 17:47:55 +01:00 · 2020-12-24 17:47:55 +01:00 · 6c4c1ca54d
commit 6c4c1ca54d
parent 73c5524518
2 changed files with 22 additions and 38 deletions
--- a/access.lua
+++ b/access.lua
@ -331,15 +331,12 @@ if hlp.has_access(permission) then

    return hlp.pass()

-- 2nd case : no access ... check Authorization header, redirect to portal / login form
+-- 2nd case : no access ... redirect to portal / login form
 else

    if is_logged_in then
        return hlp.redirect(conf.portal_url)
    else
-        -- Check if there is `Authorization` header, and redirect if we have successfully logged in
-        hlp.parse_auth_header()
-
        -- Only display this if HTTPS. For HTTP, we can't know if the user really is
        -- logged in or not, because the cookie is available only in HTTP...
        if ngx.var.scheme == "https" then
--- a/helpers.lua
+++ b/helpers.lua
@ -255,52 +255,39 @@ function refresh_logged_in()
                    else
                        authUser = user
                    end
-                end
-            end
-        end
-    end
-
                    return is_logged_in
-end
+                end
+            end
+        end
+    end
+
+    -- If client set the `Proxy-Authorization` header before reaching the SSO,
+    -- we want to match user and password against the user database.
+    --
+    -- It allows to bypass the cookie-based procedure with a per-request
+    -- authentication. This is useful to authenticate on the SSO during
+    -- curl requests for example.

-- If client set the `Proxy-Authorization` header before reaching the SSO,
-- we want to match user and password against the user database.
--
-- It allows to bypass the cookie-based procedure with a per-request
-- authentication. This is useful to authenticate on the SSO during
-- curl requests for example.
-function parse_auth_header()
    local auth_header = ngx.req.get_headers()["Proxy-Authorization"]

    if auth_header then
        _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
-        if b64_cred ~= nil then
+        if b64_cred == nil then
+            return is_logged_in
+        end
        _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
        user = authenticate(user, password)
        if user then
            logger.debug("User got authenticated through basic auth")
-                is_logged_in = true
            authUser = user
-
-                if has_access(permission, user) then
-                    refresh_user_cache(user)
-
-                    -- If Basic Authorization header are enable for this permission,
-                    -- add it to the response
-                    if permission["auth_header"] then
-                        set_headers(user)
-                    end
-
-                    return pass()
-                else
-                    return redirect(conf.portal_url)
-                end
+            is_logged_in = true
        else
            -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
            ngx.status = 407
        end
    end
-    end
+
+    return is_logged_in
 end

 function log_access(user, uri)