Merge pull request #209 from selfhoster1312/misleading-auth-headers

Authentication headers are ONLY set when user is logged
2024-09-03 20:06:27 +02:00 · 2023-01-09 18:15:57 +01:00 · 2023-01-09 18:15:57 +01:00 · e60e95f5b4
commit e60e95f5b4
parent 2af882a69d 5e378e5c2b
2 changed files with 14 additions and 0 deletions
--- a/access.lua
+++ b/access.lua
@ -333,7 +333,11 @@ if hlp.has_access(permission) then
        -- add it to the response
        if permission["auth_header"] then
            hlp.set_headers()
+        else
+            hlp.clear_headers()
        end
+    else
+        hlp.clear_headers()
    end

    return hlp.pass()
--- a/helpers.lua
+++ b/helpers.lua
@ -414,6 +414,16 @@ function set_headers(user)

 end

+-- Removes the authentication headers. Call me when:
+--   - app is public and user is not authenticated
+--   - app requests that no authentication headers be sent
+-- Prevents user from pretending to be someone else on public apps
+function clear_headers()
+    ngx.req.clear_header("Authorization")
+    for k, v in pairs(conf["additional_headers"]) do
+        ngx.req.clear_header(k)
+    end
+end

 function refresh_user_cache(user)
    -- We definitely don't want to pass credentials on a non-encrypted