mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
[enh] Renew session until session_max_timeout value + bugfixes + logging informations
This commit is contained in:
parent
0ff95a99dc
commit
790119235d
1 changed files with 32 additions and 21 deletions
41
access.lua
41
access.lua
|
@ -37,6 +37,10 @@ if not conf["session_timeout"] then
|
||||||
conf["session_timeout"] = 60 * 60 * 24 -- one day
|
conf["session_timeout"] = 60 * 60 * 24 -- one day
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if not conf["session_max_timeout"] then
|
||||||
|
conf["session_max_timeout"] = 60 * 60 * 24 * 7 -- one week
|
||||||
|
end
|
||||||
|
|
||||||
local portal_url = conf["portal_scheme"].."://"..
|
local portal_url = conf["portal_scheme"].."://"..
|
||||||
conf["portal_domain"]..
|
conf["portal_domain"]..
|
||||||
conf["portal_path"]
|
conf["portal_path"]
|
||||||
|
@ -85,12 +89,12 @@ function flash (wat, message)
|
||||||
end
|
end
|
||||||
|
|
||||||
function set_auth_cookie (user, domain)
|
function set_auth_cookie (user, domain)
|
||||||
local maxAge = conf["session_timeout"]
|
local maxAge = conf["session_max_timeout"]
|
||||||
local expire = ngx.req.start_time() + maxAge
|
local expire = ngx.req.start_time() + maxAge
|
||||||
local session_key = cache:get("session_"..user)
|
local session_key = cache:get("session_"..user)
|
||||||
if not session_key then
|
if not session_key then
|
||||||
session_key = tostring(math.random(1111111, 9999999))
|
session_key = tostring(math.random(1111111, 9999999))
|
||||||
cache:add("session_"..user, session_key)
|
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
||||||
end
|
end
|
||||||
local hash = ngx.md5(srvkey..
|
local hash = ngx.md5(srvkey..
|
||||||
"|" ..ngx.var.remote_addr..
|
"|" ..ngx.var.remote_addr..
|
||||||
|
@ -105,14 +109,6 @@ function set_auth_cookie (user, domain)
|
||||||
cook("SSOwAuthExpire="..expire..cookie_str)
|
cook("SSOwAuthExpire="..expire..cookie_str)
|
||||||
end
|
end
|
||||||
|
|
||||||
function set_redirect_cookie (redirect_url)
|
|
||||||
cook(
|
|
||||||
"SSOwAuthRedirect="..redirect_url..
|
|
||||||
"; Path="..conf["portal_path"]..
|
|
||||||
"; Max-Age=3600;"
|
|
||||||
)
|
|
||||||
end
|
|
||||||
|
|
||||||
function delete_cookie ()
|
function delete_cookie ()
|
||||||
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
|
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
|
||||||
for _, domain in ipairs(conf["domains"]) do
|
for _, domain in ipairs(conf["domains"]) do
|
||||||
|
@ -144,6 +140,8 @@ function is_logged_in ()
|
||||||
-- Check hash
|
-- Check hash
|
||||||
local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser)
|
local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser)
|
||||||
if session_key and session_key ~= "" then
|
if session_key and session_key ~= "" then
|
||||||
|
-- Check cache
|
||||||
|
if cache:get(ngx.var.cookie_SSOwAuthUser.."-password") then
|
||||||
local hash = ngx.md5(srvkey..
|
local hash = ngx.md5(srvkey..
|
||||||
"|"..ngx.var.remote_addr..
|
"|"..ngx.var.remote_addr..
|
||||||
"|"..ngx.var.cookie_SSOwAuthUser..
|
"|"..ngx.var.cookie_SSOwAuthUser..
|
||||||
|
@ -153,6 +151,7 @@ function is_logged_in ()
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
@ -180,8 +179,10 @@ function authenticate (user, password)
|
||||||
attrs = {"uid"}
|
attrs = {"uid"}
|
||||||
} do
|
} do
|
||||||
if attribs["uid"] then
|
if attribs["uid"] then
|
||||||
|
ngx.log(ngx.NOTICE, "Use email: "..user)
|
||||||
user = attribs["uid"]
|
user = attribs["uid"]
|
||||||
else
|
else
|
||||||
|
ngx.log(ngx.NOTICE, "Unknown email: "..user)
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -196,24 +197,27 @@ function authenticate (user, password)
|
||||||
cache:flush_expired()
|
cache:flush_expired()
|
||||||
if connected then
|
if connected then
|
||||||
cache:add(user.."-password", password, conf["session_timeout"])
|
cache:add(user.."-password", password, conf["session_timeout"])
|
||||||
|
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
||||||
return user
|
return user
|
||||||
else
|
else
|
||||||
|
ngx.log(ngx.NOTICE, "Connection failed for: "..user)
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
function set_headers (user)
|
function set_headers (user)
|
||||||
if ngx.var.scheme ~= "https" then
|
if ngx.var.scheme ~= "https" then
|
||||||
return redirect("https://"..ngx.var.http_host..ngx.var.uri)
|
return redirect("https://"..ngx.var.host..ngx.var.uri)
|
||||||
end
|
end
|
||||||
user = user or ngx.var.cookie_SSOwAuthUser
|
user = user or ngx.var.cookie_SSOwAuthUser
|
||||||
if not cache:get(user.."-password") then
|
if not cache:get(user.."-password") then
|
||||||
flash("info", "Please log in to access to this content")
|
flash("info", "Please log in to access to this content")
|
||||||
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri
|
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
|
||||||
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
|
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
|
||||||
end
|
end
|
||||||
if not cache:get(user.."-uid") then
|
if not cache:get(user.."-uid") then
|
||||||
ldap = lualdap.open_simple("localhost")
|
ldap = lualdap.open_simple("localhost")
|
||||||
|
ngx.log(ngx.NOTICE, "Reloading LDAP values for: "..user)
|
||||||
for dn, attribs in ldap:search {
|
for dn, attribs in ldap:search {
|
||||||
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
|
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
|
||||||
scope = "base",
|
scope = "base",
|
||||||
|
@ -224,13 +228,17 @@ function set_headers (user)
|
||||||
if type(v) == "table" then
|
if type(v) == "table" then
|
||||||
for k2,v2 in ipairs(v) do
|
for k2,v2 in ipairs(v) do
|
||||||
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
|
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
|
||||||
cache:set(user.."-"..k.."|"..k2, v2, conf["session_timeout"])
|
cache:set(user.."-"..k.."|"..k2, v2, conf["session_max_timeout"])
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
cache:set(user.."-"..k, v, conf["session_timeout"])
|
cache:set(user.."-"..k, v, conf["session_timeout"])
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
else
|
||||||
|
-- Revalidate session for another day by default
|
||||||
|
password = cache:get(user.."-password")
|
||||||
|
cache:set(user.."-password", password, conf["session_timeout"])
|
||||||
end
|
end
|
||||||
|
|
||||||
-- Set HTTP Auth header
|
-- Set HTTP Auth header
|
||||||
|
@ -545,6 +553,7 @@ function do_logout()
|
||||||
local args = ngx.req.get_uri_args()
|
local args = ngx.req.get_uri_args()
|
||||||
if is_logged_in() then
|
if is_logged_in() then
|
||||||
cache:delete("session_"..ngx.var.cookie_SSOwAuthUser)
|
cache:delete("session_"..ngx.var.cookie_SSOwAuthUser)
|
||||||
|
cache:delete(user.."-uid") -- Ugly trick to reload cache
|
||||||
flash("info", "Logged out")
|
flash("info", "Logged out")
|
||||||
return redirect(portal_url)
|
return redirect(portal_url)
|
||||||
end
|
end
|
||||||
|
@ -552,6 +561,7 @@ end
|
||||||
|
|
||||||
function redirect (url)
|
function redirect (url)
|
||||||
ngx.header["Set-Cookie"] = cookies
|
ngx.header["Set-Cookie"] = cookies
|
||||||
|
ngx.log(ngx.INFO, "Redirect to: "..url)
|
||||||
return ngx.redirect(url)
|
return ngx.redirect(url)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -573,6 +583,7 @@ if string.match(ngx.var.uri, "~sso~%d+$") then
|
||||||
cda_key = string.sub(ngx.var.uri, -7)
|
cda_key = string.sub(ngx.var.uri, -7)
|
||||||
if login[cda_key] then
|
if login[cda_key] then
|
||||||
set_auth_cookie(login[cda_key], ngx.var.host)
|
set_auth_cookie(login[cda_key], ngx.var.host)
|
||||||
|
ngx.log(ngx.NOTICE, "Cross-domain authentication: "..login[cda_key].." connected on "..ngx.var.host)
|
||||||
login[cda_key] = nil
|
login[cda_key] = nil
|
||||||
return redirect(string.gsub(ngx.var.uri, "~sso~%d+$", ""))
|
return redirect(string.gsub(ngx.var.uri, "~sso~%d+$", ""))
|
||||||
end
|
end
|
||||||
|
@ -597,7 +608,7 @@ then
|
||||||
-- Logout
|
-- Logout
|
||||||
return do_logout()
|
return do_logout()
|
||||||
|
|
||||||
elseif is_logged_in() and uri_args.r then
|
elseif is_logged_in() and uri_args.r and ngx.decode_base64(uri_args.r) ~= portal_url then
|
||||||
cda_key = tostring(math.random(1111111, 9999999))
|
cda_key = tostring(math.random(1111111, 9999999))
|
||||||
login[cda_key] = ngx.var.cookie_SSOwAuthUser
|
login[cda_key] = ngx.var.cookie_SSOwAuthUser
|
||||||
return redirect(ngx.decode_base64(uri_args.r).."~sso~"..cda_key)
|
return redirect(ngx.decode_base64(uri_args.r).."~sso~"..cda_key)
|
||||||
|
@ -787,6 +798,6 @@ end
|
||||||
--
|
--
|
||||||
|
|
||||||
flash("info", "Please log in to access to this content")
|
flash("info", "Please log in to access to this content")
|
||||||
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri
|
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
|
||||||
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
|
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue