parse auth header at the end

2024-09-03 20:06:27 +02:00 · 2020-12-23 15:20:55 +01:00 · 2020-12-23 15:20:55 +01:00 · a756462e6c
commit a756462e6c
parent 75cecb9a7a
2 changed files with 36 additions and 24 deletions
--- a/access.lua
+++ b/access.lua
@ -331,12 +331,15 @@ if hlp.has_access(permission) then

    return hlp.pass()

-- 2nd case : no access ... redirect to portal / login form
+-- 2nd case : no access ... check Authorization header, redirect to portal / login form
 else

    if is_logged_in then
        return hlp.redirect(conf.portal_url)
    else
+        -- Check if there is `Authorization` header, and redirect if we have successfully logged in
+        hlp.parse_auth_header()
+
        -- Only display this if HTTPS. For HTTP, we can't know if the user really is
        -- logged in or not, because the cookie is available only in HTTP...
        if ngx.var.scheme == "https" then
--- a/helpers.lua
+++ b/helpers.lua
@ -260,35 +260,44 @@ function refresh_logged_in()
        end
    end

-    -- If client set the `Authorization` header before reaching the SSO,
-    -- we want to match user and password against the user database.
-    --
-    -- It allows to bypass the cookie-based procedure with a per-request
-    -- authentication. This is useful to authenticate on the SSO during
-    -- curl requests for example.
+    return false
+end

+-- If client set the `Authorization` header before reaching the SSO,
+-- we want to match user and password against the user database.
+--
+-- It allows to bypass the cookie-based procedure with a per-request
+-- authentication. This is useful to authenticate on the SSO during
+-- curl requests for example.
+function parse_auth_header()
    local auth_header = ngx.req.get_headers()["Authorization"]

    if auth_header then
        _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
-        if b64_cred == nil then
-            is_logged_in = false
-            return is_logged_in
-        end
-        _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
-        user = authenticate(user, password)
-        if user then
-            logger.debug("User got authenticated through basic auth")
-            authUser = user
-            is_logged_in = true
-        else
-            is_logged_in = false
-        end
-        return is_logged_in
-    end
+        if b64_cred ~= nil then
+            _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
+            user = authenticate(user, password)
+            if user then
+                logger.debug("User got authenticated through basic auth")
+                is_logged_in = true
+                authUser = user

-    is_logged_in = false
-    return false
+                if has_access(permission, user) then
+                    refresh_user_cache(user)
+
+                    -- If Basic Authorization header are enable for this permission,
+                    -- add it to the response
+                    if permission["auth_header"] then
+                        set_headers(user)
+                    end
+
+                    return pass()
+                else
+                    return redirect(conf.portal_url)
+                end
+            end
+        end
+    end
 end

 function log_access(user, uri)