Authentication headers are ONLY set when user is logged in and has access to app

Prevents a client from impersonating another user on public applications, where the auth headers were previously not cleared
This commit is contained in:
selfhoster1312 2023-01-09 15:47:45 +01:00 committed by Alexandre Aubin
parent 7719d46240
commit 7fc0350788
2 changed files with 14 additions and 0 deletions


@ -333,7 +333,11 @@ if hlp.has_access(permission) then
-- add it to the response -- add it to the response
if permission["auth_header"] then if permission["auth_header"] then
hlp.set_headers() hlp.set_headers()
else
hlp.clear_headers()
end end
else
hlp.clear_headers()
end end
return hlp.pass() return hlp.pass()
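Review bot: The two new `hlp.clear_headers()` calls sit on separate `else` branches that all fall through to the same `return hlp.pass()`, so the header decision is spread over three branches; folding the access check and the per-permission flag into one condition keeps "cleared" as the default and reads more clearly: `if hlp.has_access(permission) and permission["auth_header"] then hlp.set_headers() else hlp.clear_headers() end`. As written, a request that fails `hlp.has_access(permission)` still reaches `hlp.pass()` with the headers stripped, which is presumably the intended public-app path. The enclosing `if hlp.has_access(permission) then` starts before this hunk and the function continues past it, so I cannot tell whether other `hlp.pass()` returns elsewhere in the file strip a client-supplied `Authorization` header the same way; if they do not, those paths still forward it to the backend. Stripping the auth headers unconditionally at request entry and only re-adding them here would close that gap regardless of which branch is taken.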


@ -413,6 +413,16 @@ function set_headers(user)
end end
-- Removes the authentication headers. Call me when:
-- - app is public and user is not authenticated
-- - app requests that no authentication headers be sent
-- Prevents user from pretending to be someone else on public apps
function clear_headers()
ngx.req.clear_header("Authorization")
for k, v in pairs(conf["additional_headers"]) do
ngx.req.clear_header(k)
end
end
function refresh_user_cache(user) function refresh_user_cache(user)
-- We definitely don't want to pass credentials on a non-encrypted -- We definitely don't want to pass credentials on a non-encrypted
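Review bot: `clear_headers` iterates `pairs(conf["additional_headers"])` without a guard, so a configuration that omits `additional_headers` makes `pairs(nil)` raise at request time and the request errors out instead of having its headers stripped; `for k in pairs(conf["additional_headers"] or {}) do` avoids that and also drops the unused `v`. I cannot see the body of `set_headers(user)` (only its closing `end` is in the hunk), but if it sets any request header beyond `Authorization` and the keys of `conf["additional_headers"]`, `clear_headers` must mirror that list or the clearing stays incomplete; a comment such as `-- Must remove every header that set_headers() adds; keep the two lists in sync` on `clear_headers` would make that coupling explicit to the next maintainer. `refresh_user_cache` begins at the end of the hunk and continues outside it.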