YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

[enh] Renew session until session_max_timeout value + bugfixes + logging informations

Browse source
This commit is contained in:
Kload 2014-04-16 21:06:47 +02:00
parent 0ff95a99dc
commit 790119235d
1 changed files with 32 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
access.lua
View file

@ -37,6 +37,10 @@ if not conf["session_timeout"] then
conf["session_timeout"] = 60 * 60 * 24 -- one day
end
if not conf["session_max_timeout"] then
conf["session_max_timeout"] = 60 * 60 * 24 * 7 -- one week
end
local portal_url = conf["portal_scheme"].."://"..
conf["portal_domain"]..
conf["portal_path"]
@ -85,12 +89,12 @@ function flash (wat, message)
end
function set_auth_cookie (user, domain)
local maxAge = conf["session_timeout"]
local maxAge = conf["session_max_timeout"]
local expire = ngx.req.start_time() + maxAge
local session_key = cache:get("session_"..user)
if not session_key then
session_key = tostring(math.random(1111111, 9999999))
cache:add("session_"..user, session_key)
cache:add("session_"..user, session_key, conf["session_max_timeout"])
end
local hash = ngx.md5(srvkey..
"|" ..ngx.var.remote_addr..
@ -105,14 +109,6 @@ function set_auth_cookie (user, domain)
cook("SSOwAuthExpire="..expire..cookie_str)
end
function set_redirect_cookie (redirect_url)
cook(
"SSOwAuthRedirect="..redirect_url..
"; Path="..conf["portal_path"]..
"; Max-Age=3600;"
)
end
function delete_cookie ()
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
for _, domain in ipairs(conf["domains"]) do
@ -144,12 +140,15 @@ function is_logged_in ()
-- Check hash
local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser)
if session_key and session_key ~= "" then
local hash = ngx.md5(srvkey..
"|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_SSOwAuthUser..
"|"..ngx.var.cookie_SSOwAuthExpire..
"|"..session_key)
return hash == ngx.var.cookie_SSOwAuthHash
-- Check cache
if cache:get(ngx.var.cookie_SSOwAuthUser.."-password") then
local hash = ngx.md5(srvkey..
"|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_SSOwAuthUser..
"|"..ngx.var.cookie_SSOwAuthExpire..
"|"..session_key)
return hash == ngx.var.cookie_SSOwAuthHash
end
end
end
end
@ -180,8 +179,10 @@ function authenticate (user, password)
attrs = {"uid"}
} do
if attribs["uid"] then
ngx.log(ngx.NOTICE, "Use email: "..user)
user = attribs["uid"]
else
ngx.log(ngx.NOTICE, "Unknown email: "..user)
return false
end
end
@ -196,24 +197,27 @@ function authenticate (user, password)
cache:flush_expired()
if connected then
cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user)
return user
else
ngx.log(ngx.NOTICE, "Connection failed for: "..user)
return false
end
end
function set_headers (user)
if ngx.var.scheme ~= "https" then
return redirect("https://"..ngx.var.http_host..ngx.var.uri)
return redirect("https://"..ngx.var.host..ngx.var.uri)
end
user = user or ngx.var.cookie_SSOwAuthUser
if not cache:get(user.."-password") then
flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
end
if not cache:get(user.."-uid") then
ldap = lualdap.open_simple("localhost")
ngx.log(ngx.NOTICE, "Reloading LDAP values for: "..user)
for dn, attribs in ldap:search {
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
scope = "base",
@ -224,13 +228,17 @@ function set_headers (user)
if type(v) == "table" then
for k2,v2 in ipairs(v) do
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
cache:set(user.."-"..k.."|"..k2, v2, conf["session_timeout"])
cache:set(user.."-"..k.."|"..k2, v2, conf["session_max_timeout"])
end
else
cache:set(user.."-"..k, v, conf["session_timeout"])
end
end
end
else
-- Revalidate session for another day by default
password = cache:get(user.."-password")
cache:set(user.."-password", password, conf["session_timeout"])
end
-- Set HTTP Auth header
@ -545,6 +553,7 @@ function do_logout()
local args = ngx.req.get_uri_args()
if is_logged_in() then
cache:delete("session_"..ngx.var.cookie_SSOwAuthUser)
cache:delete(user.."-uid") -- Ugly trick to reload cache
flash("info", "Logged out")
return redirect(portal_url)
end
@ -552,6 +561,7 @@ end
function redirect (url)
ngx.header["Set-Cookie"] = cookies
ngx.log(ngx.INFO, "Redirect to: "..url)
return ngx.redirect(url)
end
@ -573,6 +583,7 @@ if string.match(ngx.var.uri, "~sso~%d+$") then
cda_key = string.sub(ngx.var.uri, -7)
if login[cda_key] then
set_auth_cookie(login[cda_key], ngx.var.host)
ngx.log(ngx.NOTICE, "Cross-domain authentication: "..login[cda_key].." connected on "..ngx.var.host)
login[cda_key] = nil
return redirect(string.gsub(ngx.var.uri, "~sso~%d+$", ""))
end
@ -597,7 +608,7 @@ then
-- Logout
return do_logout()
elseif is_logged_in() and uri_args.r then
elseif is_logged_in() and uri_args.r and ngx.decode_base64(uri_args.r) ~= portal_url then
cda_key = tostring(math.random(1111111, 9999999))
login[cda_key] = ngx.var.cookie_SSOwAuthUser
return redirect(ngx.decode_base64(uri_args.r).."~sso~"..cda_key)
@ -787,6 +798,6 @@ end
--
flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))