From abc38bbffe03286537ab87febbd614cee9e60ab8 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sun, 20 Sep 2020 17:53:18 +0200
Subject: [PATCH] Move handling of login through HTTP headers to is_logged_in helper
---
 access.lua | 27 ---------------------------
 helpers.lua | 24 ++++++++++++++++++++++++
 2 files changed, 24 insertions(+), 27 deletions(-)
diff --git a/access.lua b/access.lua
index 725d224..825e678 100644
--- a/access.lua
+++ b/access.lua
@@ -265,39 +265,12 @@ if conf["redirected_regex"] then
 end
 --
--- 4. Basic HTTP Authentication
 --
--- If the `Authorization` header is set before reaching the SSO, we want to
--- match user and password against the user database.
 --
--- It allows you to bypass the cookie-based procedure with a per-request
--- authentication. Very usefull when you are trying to reach a specific URL
--- via cURL for example.
 --
-if not is_logged_in then
- local auth_header = ngx.req.get_headers()["Authorization"]
- if auth_header then
- _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
- _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
- user = hlp.authenticate(user, password)
- if user then
- logger.debug("User got authenticated through basic auth")
- -- If user has no access to this URL, redirect him to the portal
- if not permission or not hlp.has_access(permission, user) then
- return hlp.redirect(conf.portal_url)
- end
-
- if permission["auth_header"] then
- logger.debug("Set Headers")
- hlp.set_headers(user)
- end
- return hlp.pass()
- end
- end
-end
 --
 --
diff --git a/helpers.lua b/helpers.lua
index 937584b..6aca31d 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -260,6 +260,30 @@ function refresh_logged_in()
 end
 end
+ -- If client set the `Authorization` header before reaching the SSO,
+ -- we want to match user and password against the user database.
+ --
+ -- It allows to bypass the cookie-based procedure with a per-request
+ -- authentication. This is useful to authenticate on the SSO during
+ -- curl requests for example.
+
+ local auth_header = ngx.req.get_headers()["Authorization"]
+
+ if auth_header then
+ _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
+ _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
+ user = authenticate(user, password)
+ if user then
+ logger.debug("User got authenticated through basic auth")
+ authUser = user
+ is_logged_in = true
+ else
+ is_logged_in = false
+ end
+ return is_logged_in
+ end
+
+ is_logged_in = false
 return false
 end
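Review bot: Inside the `if auth_header then` branch, an Authorization value that is not `Basic …` leaves `b64_cred` nil, and a payload that is not well-formed base64 makes `ngx.decode_base64` return nil, so the following `string.find` raises a Lua runtime error instead of falling through to `is_logged_in = false` — the request errors out rather than being treated as anonymous (a repeated header, which `ngx.req.get_headers()` returns as a table, fails the same way). The captures `b64_cred`, `user` and `password` are also assigned without `local`, which in ngx_lua presumably leaves the last credentials seen in the worker-wide global table after the request — worth confirming against how this file is loaded — and `^(.+):(.+)$` splits a password containing `:` at the wrong place because the first `.+` is greedy, whereas RFC 7617 forbids `:` only in the user-id. The rewrite below localizes the captures, guards each step that can yield nil, and matches `^([^:]+):(.+)$`, keeping the empty-password rejection the original pattern already had. `refresh_logged_in` begins before this hunk; only its tail is visible here.
```lua
    local auth_header = ngx.req.get_headers()["Authorization"]

    -- get_headers() yields a table when the header is repeated; only a string is usable here
    if type(auth_header) == "string" then
        local user, password
        local b64_cred = string.match(auth_header, "^Basic%s+(.+)$")
        -- ngx.decode_base64 returns nil on malformed input; never hand that to string.match
        local decoded = b64_cred and ngx.decode_base64(b64_cred)
        if decoded then
            -- the user-id may not contain ':', the password may (RFC 7617)
            user, password = string.match(decoded, "^([^:]+):(.+)$")
        end
        if user then
            user = authenticate(user, password)
        end
        if user then
            logger.debug("User got authenticated through basic auth")
            authUser = user
            is_logged_in = true
        else
            is_logged_in = false
        end
        return is_logged_in
    end
    -- … unchanged: is_logged_in = false / return false …
```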