mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
Move handling of login through HTTP headers to is_logged_in helper
parent
b2b9b9c8e3
commit
abc38bbffe
2 changed files with 24 additions and 27 deletions
27
access.lua
27
access.lua
|
@ -265,39 +265,12 @@ if conf["redirected_regex"] then
|
||||||
end
|
end
|
||||||
|
|
||||||
--
|
--
|
||||||
-- 4. Basic HTTP Authentication
|
|
||||||
--
|
--
|
||||||
-- If the `Authorization` header is set before reaching the SSO, we want to
|
|
||||||
-- match user and password against the user database.
|
|
||||||
--
|
--
|
||||||
-- It allows you to bypass the cookie-based procedure with a per-request
|
|
||||||
-- authentication. Very usefull when you are trying to reach a specific URL
|
|
||||||
-- via cURL for example.
|
|
||||||
--
|
--
|
||||||
|
|
||||||
if not is_logged_in then
|
|
||||||
local auth_header = ngx.req.get_headers()["Authorization"]
|
|
||||||
|
|
||||||
if auth_header then
|
|
||||||
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
|
|
||||||
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
|
||||||
user = hlp.authenticate(user, password)
|
|
||||||
if user then
|
|
||||||
logger.debug("User got authenticated through basic auth")
|
|
||||||
|
|
||||||
-- If user has no access to this URL, redirect him to the portal
|
|
||||||
if not permission or not hlp.has_access(permission, user) then
|
|
||||||
return hlp.redirect(conf.portal_url)
|
|
||||||
end
|
|
||||||
|
|
||||||
if permission["auth_header"] then
|
|
||||||
logger.debug("Set Headers")
|
|
||||||
hlp.set_headers(user)
|
|
||||||
end
|
|
||||||
return hlp.pass()
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
--
|
--
|
||||||
--
|
--
|
||||||
|
|
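--- a/helpers.lua
+++ b/helpers.lua
@@ -260,6 +260,30 @@ function refresh_logged_in()
 end
 end
 
+-- If client set the `Authorization` header before reaching the SSO,
+-- we want to match user and password against the user database.
+--
+-- It allows to bypass the cookie-based procedure with a per-request
+-- authentication. This is useful to authenticate on the SSO during
+-- curl requests for example.
+
+local auth_header = ngx.req.get_headers()["Authorization"]
+
+if auth_header then
+_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
+_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
+user = authenticate(user, password)
+if user then
+logger.debug("User got authenticated through basic auth")
+authUser = user
+is_logged_in = true
+else
+is_logged_in = false
+end
+return is_logged_in
+end
+
+is_logged_in = false
 return false
 end
 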
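Review bot: Any request whose `Authorization` header is not well-formed Basic credentials raises a Lua error in the added block: for a value such as `Bearer …` the first `string.find` leaves `b64_cred` nil and `ngx.decode_base64` is called with nil, and on malformed base64 `ngx.decode_base64` itself returns nil, which the second `string.find` cannot take. `ngx.req.get_headers()` also returns a table when the header is sent more than once, so the value should be type-checked before it is parsed. The captures `b64_cred`, `user` and `password` are assigned without `local`, so the decoded password ends up in a global that outlives the call (unless code outside the hunk relies on that), and the greedy `^(.+):(.+)$` splits on the last colon, so a password containing `:` is mis-parsed. The rewrite below guards each step and treats anything unparsable as unauthenticated; the enclosing `refresh_logged_in` starts outside the hunk.

```lua
local auth_header = ngx.req.get_headers()["Authorization"]

-- A repeated header is returned as a table; only a single string value is parsed.
if type(auth_header) == "string" then
    local b64_cred = string.match(auth_header, "^Basic%s+(.+)$")
    -- ngx.decode_base64 returns nil on malformed input.
    local decoded = b64_cred and ngx.decode_base64(b64_cred)
    local user, password
    if decoded then
        -- Split on the first colon: the password may itself contain ':'.
        user, password = string.match(decoded, "^([^:]+):(.+)$")
    end
    if user then
        user = authenticate(user, password)
    end
    -- … unchanged: `if user then … else … end` setting authUser / is_logged_in, then `return is_logged_in` …
end
```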