From b3741580dafae4c3bd1f356ca28232f5a6dfb1cb Mon Sep 17 00:00:00 2001
From: ljf
Date: Tue, 29 Jun 2021 18:34:40 +0200
Subject: [PATCH 1/6] [fix] dash filename, mime types, ynh_userinfo.json
---
access.lua | 3 ++-
helpers.lua | 22 +++++++++++++++++-----
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/access.lua b/access.lua
index ea67df4..f85e1c0 100644
--- a/access.lua
+++ b/access.lua
@@ -208,6 +208,7 @@ end
 if is_logged_in then
 assets = {
 ["/ynh_portal.js"] = "js/ynh_portal.js",
+ ["/ynh_userinfo.js"] = "ynh_userinfo.json",
 ["/ynh_overlay.css"] = "css/ynh_overlay.css"
 }
 theme_dir = "/usr/share/ssowat/portal/assets/themes/"..conf.theme
@@ -218,7 +219,7 @@ if is_logged_in then
 pfile:close()
 
 for shortcut, full in pairs(assets) do
- if string.match(ngx.var.uri, "^"..shortcut.."$") then
+ if ngx.var.uri == shortcut then
 logger.debug("Serving static asset "..full)
 return hlp.serve("/yunohost/sso/assets/"..full, "static_asset")
 end
diff --git a/helpers.lua b/helpers.lua
index 26b4fc5..d56f0ce 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -550,13 +550,24 @@ function serve(uri, cache)
 png = "image/png",
 svg = "image/svg+xml",
 ico = "image/vnd.microsoft.icon",
- woff = "application/x-font-woff",
+ woff = "font/woff",
+ woff2 = "font/woff2",
+ ttf = "font/ttf",
 json = "application/json"
 }
 
+ -- Allow .ms to specify mime type
+ mime = ext
+ if ext == "ms" then
+ subext = string.match(file, "^.+%.(.+)%.ms$")
+ if subext then
+ mime = subext
+ end
+ end
+
 -- Set Content-Type
- if mime_types[ext] then
- ngx.header["Content-Type"] = mime_types[ext]
+ if mime_types[mime] then
+ ngx.header["Content-Type"] = mime_types[mime]
 else
 ngx.header["Content-Type"] = "text/plain"
 end
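Review bot: The switch to `ngx.var.uri == shortcut` deserves a comment, since nothing on the line says why the pattern form was wrong and someone may later "restore" it. The keys of `assets` are paths, and the removed `"^"..shortcut.."$"` form handed them to `string.match` as Lua patterns: `.` matched any character, and a key containing `%` or `(` would make `string.match` raise a malformed-pattern error and abort the request; the `/ynhtheme/` keys are filled from `pfile` just before `pfile:close()` (visible in the second patch's access.lua hunk), so that is filesystem-derived input. Suggest `-- exact comparison: shortcut is a path, not a Lua pattern ('.' and '%' would be interpreted)`. The enclosing `if is_logged_in then` block starts and ends outside this hunk.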
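Review bot: `mime = ext` and `subext = string.match(file, ...)` on the added lines are assigned without `local`, so in Lua they become globals rather than variables scoped to `serve`; if helpers.lua is loaded once per nginx worker and shared by all requests (the module-level `cache` and `conf` references suggest so), those values outlive the request that set them. Declare them `local mime = ext` and `local subext = string.match(file, "^.+%.(.+)%.ms$")`. A one-line comment on the `.ms` lookup would also help, e.g. `-- foo.css.ms is rendered as text/css: the sub-extension is only used as a key into mime_types`. The `file` and `ext` variables are set earlier in `serve`, outside this hunk.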
@@ -570,9 +581,10 @@ function serve(uri, cache)
 elseif ext == "ms" then
 local data = get_data_for(file)
 content = lustache:render(content, data)
- elseif ext == "json" then
+ elseif uri == "/ynh_userinfo.json" then
 local data = get_data_for(file)
 content = json.encode(data)
+ cache = "dynamic"
 end
 
 -- Reset flash messages
@@ -612,7 +624,7 @@ function get_data_for(view)
 elseif view == "portal.html"
 or view == "edit.html"
 or view == "password.html"
- or view == "ynhpanel.json" then
+ or view == "ynh_userinfo.json" then
 
 -- Invalidate cache before loading these views.
 -- Needed if the LDAP db is changed outside ssowat (from the cli for example).
From 89d78ab312448ca890a2c5be38e7774e26957e12 Mon Sep 17 00:00:00 2001
From: ljf
Date: Tue, 29 Jun 2021 18:50:05 +0200
Subject: [PATCH 2/6] [enh] Avoid to list hidden files
---
access.lua | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/access.lua b/access.lua
index f85e1c0..9c0cd26 100644
--- a/access.lua
+++ b/access.lua
@@ -212,7 +212,7 @@ if is_logged_in then
 ["/ynh_overlay.css"] = "css/ynh_overlay.css"
 }
 theme_dir = "/usr/share/ssowat/portal/assets/themes/"..conf.theme
- local pfile = io.popen('find "'..theme_dir..'" -type f -exec realpath --relative-to "'..theme_dir..'" {} \\;')
+ local pfile = io.popen('find "'..theme_dir..'" -not -path "*/\\.*" -type f -exec realpath --relative-to "'..theme_dir..'" {} \\;')
 for filename in pfile:lines() do
 assets["/ynhtheme/"..filename] = "themes/"..conf.theme.."/"..filename
 end
From ca2a605dce50a3f45eb6bcaa3a9578fad1059897 Mon Sep 17 00:00:00 2001
From: ljf
Date: Tue, 29 Jun 2021 18:57:06 +0200
Subject: [PATCH 3/6] [fix] Typo json
---
access.lua | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/access.lua b/access.lua
index 9c0cd26..18aa0a8 100644
--- a/access.lua
+++ b/access.lua
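Review bot: The new condition compares `uri`, the first argument of `serve`, with `/ynh_userinfo.json`, but the only caller visible on this page (the first access.lua hunk) passes `"/yunohost/sso/assets/"..full`, i.e. `/yunohost/sso/assets/ynh_userinfo.json`; unless `uri` is rewritten earlier in `serve` (its body starts outside this hunk), the branch never matches and the file is sent unrendered under the caller's `static_asset` cache mode, whereas the removed `ext == "json"` test did match on the extension. If the intent is to key on the file rather than the request path, `elseif file == "ynh_userinfo.json" then` would mirror the `view == "ynh_userinfo.json"` test in `get_data_for` in the next hunk. A comment explaining the `cache = "dynamic"` override would also help, e.g. `-- per-user data: must not be served from the shared static cache`.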
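Review bot: `theme_dir`, built from `conf.theme` on the line above, is spliced into the `io.popen` command with only double quotes around it, so a theme name containing `"`, `$` or a backtick changes the shell command; the value is admin-configured rather than request-controlled, which limits the exposure, but a one-line allow-list before the call removes the dependence on quoting: `assert(string.match(conf.theme, "^[%w_%-]+$"), "invalid theme name")`. Separately, `io.popen` returns `nil, err` when the process cannot be started, and `pfile:lines()` on the next line would then raise a less informative error than checking `pfile` first. The `if is_logged_in then` block containing this code starts and ends outside the hunk.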
@@ -208,7 +208,7 @@ end
 if is_logged_in then
 assets = {
 ["/ynh_portal.js"] = "js/ynh_portal.js",
- ["/ynh_userinfo.js"] = "ynh_userinfo.json",
+ ["/ynh_userinfo.json"] = "ynh_userinfo.json",
 ["/ynh_overlay.css"] = "css/ynh_overlay.css"
 }
 theme_dir = "/usr/share/ssowat/portal/assets/themes/"..conf.theme
From 6de4b10e81cc3d315a1e757f575d488aa9516029 Mon Sep 17 00:00:00 2001
From: ljf
Date: Fri, 2 Jul 2021 17:40:17 +0200
Subject: [PATCH 4/6] [fix] Security risk due to cache full of different uris
---
helpers.lua | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index d56f0ce..1764ebb 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -277,15 +277,6 @@ function refresh_logged_in()
 return is_logged_in
 end
 
-function log_access(user, uri)
- local key = "ACC|"..user.."|"..uri
- local block = cache:get(key)
- if block == nil then
- logger.info("User "..user.."@"..ngx.var.remote_addr.." accesses "..uri)
- cache:set(key, "block", 60)
- end
-end
-
 -- Check whether a user is allowed to access a URL using the `permissions` directive
 -- of the configuration file
 function has_access(permission, user)
@@ -308,7 +299,6 @@ function has_access(permission, user)
 -- The user has permission to access the content if he is in the list of allowed users
 if element_is_in_table(user, permission["users"]) then
 logger.debug("User "..user.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
- log_access(user, ngx.var.host..ngx.var.uri..uri_args_string())
 return true
 else
 logger.debug("User "..user.." cannot access "..ngx.var.uri)
From f6ddb7af65ce4465824c7dd88ae6aff73602da2e Mon Sep 17 00:00:00 2001
From: ljf
Date: Fri, 2 Jul 2021 19:49:17 +0200
Subject: [PATCH 5/6] [fix] Nextcloud calls strangely logout the user in SSO
---
helpers.lua | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helpers.lua b/helpers.lua
index 1764ebb..8569555 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -461,7 +461,7 @@ function refresh_user_cache(user)
 else
 -- Else, just revalidate session for another day by default
 password = cache:get(user.."-password")
- cache:set(user.."-password", password, conf["session_timeout"])
+ cache:replace(user.."-password", password, conf["session_timeout"])
 end
 end
 
From 8d0998bc3a8dde027da7af762ecd7fafa079fa42 Mon Sep 17 00:00:00 2001
From: ljf
Date: Fri, 2 Jul 2021 19:51:02 +0200
Subject: [PATCH 6/6] [enh] Add comment
---
helpers.lua | 2 ++
1 file changed, 2 insertions(+)
diff --git a/helpers.lua b/helpers.lua
index 8569555..0b89466 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -461,6 +461,8 @@ function refresh_user_cache(user)
 else
 -- Else, just revalidate session for another day by default
 password = cache:get(user.."-password")
+ -- Here we don't use set method to avoid strange logout
+ -- See https://github.com/YunoHost/issues/issues/1830
 cache:replace(user.."-password", password, conf["session_timeout"])
 end
 end
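Review bot: The result of `cache:replace` on the added line is discarded; for an nginx shared dict `replace` returns `ok, err` and fails with "not found" when the `user.."-password"` entry has already expired between the `cache:get` one line earlier and this call, so in that case the session is silently not extended — which is the safe direction compared with `set` (an expired entry is not recreated), but it leaves the logout symptom named in the commit title invisible in the logs. Capturing the outcome makes it traceable: `local ok, err = cache:replace(user.."-password", password, conf["session_timeout"])` followed by `if not ok then logger.debug("Session for "..user.." not refreshed: "..tostring(err)) end`. `refresh_user_cache` starts outside this hunk, so whether `password` can be nil here cannot be confirmed from the page.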