YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #209 from selfhoster1312/misleading-auth-headers

Browse source 
Authentication headers are ONLY set when user is logged
This commit is contained in:
Alexandre Aubin 2023-01-09 18:15:57 +01:00 committed by GitHub
commit e60e95f5b4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
access.lua
View file

@ -333,7 +333,11 @@ if hlp.has_access(permission) then
-- add it to the response -- add it to the response
if permission["auth_header"] then if permission["auth_header"] then
hlp.set_headers() hlp.set_headers()
else
hlp.clear_headers()
end end
else
hlp.clear_headers()
end end
return hlp.pass() return hlp.pass()

10
helpers.lua
View file

@ -414,6 +414,16 @@ function set_headers(user)
end end
-- Removes the authentication headers. Call me when:
-- - app is public and user is not authenticated
-- - app requests that no authentication headers be sent
-- Prevents user from pretending to be someone else on public apps
function clear_headers()
ngx.req.clear_header("Authorization")
for k, v in pairs(conf["additional_headers"]) do
ngx.req.clear_header(k)
end
end
function refresh_user_cache(user) function refresh_user_cache(user)
-- We definitely don't want to pass credentials on a non-encrypted -- We definitely don't want to pass credentials on a non-encrypted