Merge pull request #177 from YunoHost/fix-auth-header-regression

parse auth header at the end
This commit is contained in:
Alexandre Aubin 2020-12-27 13:58:11 +01:00 committed by GitHub
commit 8a215984e4


@ -232,6 +232,7 @@ function refresh_logged_in()
local authHash = ngx.var.cookie_SSOwAuthHash local authHash = ngx.var.cookie_SSOwAuthHash
authUser = nil authUser = nil
is_logged_in = false
if expireTime and expireTime ~= "" if expireTime and expireTime ~= ""
and authHash and authHash ~= "" and authHash and authHash ~= ""
@ -260,19 +261,18 @@ function refresh_logged_in()
end end
end end
-- If client set the `Authorization` header before reaching the SSO, -- If client set the `Proxy-Authorization` header before reaching the SSO,
-- we want to match user and password against the user database. -- we want to match user and password against the user database.
-- --
-- It allows to bypass the cookie-based procedure with a per-request -- It allows to bypass the cookie-based procedure with a per-request
-- authentication. This is useful to authenticate on the SSO during -- authentication. This is useful to authenticate on the SSO during
-- curl requests for example. -- curl requests for example.
local auth_header = ngx.req.get_headers()["Authorization"] local auth_header = ngx.req.get_headers()["Proxy-Authorization"]
if auth_header then if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$") _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
if b64_cred == nil then if b64_cred == nil then
is_logged_in = false
return is_logged_in return is_logged_in
end end
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$") _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
@ -282,13 +282,12 @@ function refresh_logged_in()
authUser = user authUser = user
is_logged_in = true is_logged_in = true
else else
is_logged_in = false -- https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/407
ngx.status = 407
end end
return is_logged_in
end end
is_logged_in = false return is_logged_in
return false
end end
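Review bot: The `else` branch that now sets `ngx.status = 407` no longer resets `is_logged_in`, so a request carrying a valid SSOwAuthHash cookie together with a wrong Proxy-Authorization header returns true for the cookie user while the response status has already been forced to 407, which looks like an unintended mixed state; presumably the header check should either override the cookie (`is_logged_in = false` and `authUser = nil` before setting the status) or only set 407 when nothing else authenticated the request. In the preceding hunk, `ngx.decode_base64(b64_cred)` returns nil for malformed input and `string.find(nil, ...)` then raises a Lua error, so a garbage header becomes a 500 rather than a clean reject; guard it with `local decoded = ngx.decode_base64(b64_cred)` and `if not decoded then return is_logged_in end`. The split pattern `^(.+):(.+)$` is greedy on the user part, so a password containing a colon is divided at its last colon; `^([^:]+):(.+)$` follows the Basic-auth rule that the user-id cannot contain a colon. refresh_logged_in starts before the first hunk and its body continues between the hunks shown here.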
function log_access(user, uri) function log_access(user, uri)
@ -417,7 +416,7 @@ end
-- application underneath. -- application underneath.
function set_headers(user) function set_headers(user)
local user = user or authUser local user = user or authUser
-- Set `authorization` header to enable HTTP authentification -- Set `Authorization` header to enable HTTP authentification
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64( ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
user..":"..cache:get(user.."-password") user..":"..cache:get(user.."-password")
)) ))