From f59accd10e4332a8ab9b7fcb0aa9083d588f5c95 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 9 Jan 2023 19:46:51 +0100
Subject: [PATCH] Iterate on previous security fixes: ignore Auth header on PROPFIND routes, and don't drop Auth header which are not Basic auth
---
 helpers.lua | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index 7192337..ef78202 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -265,7 +265,9 @@ function refresh_logged_in()
 local auth_header = ngx.req.get_headers()["Authorization"] or ngx.req.get_headers()["Proxy-Authorization"]
- if auth_header then
+ -- Ignore this for PROPFIND routes used by Nextcloud (et al.?) which also rely on basic auth with totally yunohost-unrelated credentials ...
+ if auth_header and ngx.var.request_method ~= "PROPFIND" then
+ logger.debug(auth_header)
 _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
 if b64_cred == nil then
 return is_logged_in
@@ -417,7 +419,14 @@ end
 -- - app requests that no authentication headers be sent
 -- Prevents user from pretending to be someone else on public apps
 function clear_headers()
- ngx.req.clear_header("Authorization")
+ -- Clear auth header only if it's a 'Basic' auth stuff, not 'Bearer' stuff
+ -- Also ignore PROPFIND routes used by Nextcloud (et al.?)
+ if ngx.var.request_method ~= "PROPFIND" and ngx.req.get_headers()["Authorization"] then
+ _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
+ if b64_cred ~= nil then
+ ngx.req.clear_header("Authorization")
+ end
+ end
 for k, v in pairs(conf["additional_headers"]) do
 ngx.req.clear_header(k)
 end
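Review bot: The added `logger.debug(auth_header)` in the first hunk logs the raw Authorization/Proxy-Authorization value, and for Basic auth that is just base64 of `user:password`, so debug-level logs now retain recoverable credentials for every request that authenticates this way. Drop the line, or log only the fact, e.g. `logger.debug("Authorization header present")`. Separately, the unchanged `_, _, b64_cred = string.find(...)` right below assigns a global (no `local`), so the decoded-credential input also persists in the worker's Lua global environment across requests and is shared with `clear_headers`; `local _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")` keeps it request-scoped. `refresh_logged_in` begins before this hunk and its body continues after the `return is_logged_in` shown here.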
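Review bot: The new `string.find(auth_header, ...)` in `clear_headers()` reads a variable the function never defines: the header is tested via `ngx.req.get_headers()["Authorization"]` on the line above but not stored, and `refresh_logged_in` declares its own `local auth_header`, so unless a global of that name exists elsewhere in the file this is nil and `string.find` raises, turning every non-PROPFIND request that carries an Authorization header into an error instead of stripping it. Store the header in a local once and match on that; `b64_cred` should be `local` too rather than a global shared across functions. Two more things the stripping should survive: scheme names are case-insensitive (RFC 7235), so `Authorization: basic …` slips past `^Basic%s+` and reaches the app unstripped, which is exactly the impersonation the comment above the function says it prevents; and, as far as I recall the OpenResty API, `ngx.req.get_headers()` returns a table rather than a string when a client repeats a header, which would also have crashed `string.find`. Rewritten lines below; the loop over `conf["additional_headers"]` is unchanged.
```lua
function clear_headers()
    -- Strip a client-supplied Basic credential so a user cannot pose as someone else
    -- on a public app, but leave other schemes (Bearer, ...) alone. PROPFIND is
    -- exempt: Nextcloud & co. carry their own, yunohost-unrelated Basic auth there.
    local auth_header = ngx.req.get_headers()["Authorization"]
    if ngx.var.request_method ~= "PROPFIND" and auth_header ~= nil then
        local scheme = nil
        if type(auth_header) == "string" then
            scheme = string.match(auth_header, "^(%a+)%s")
        end
        -- Scheme names are case-insensitive (RFC 7235), so compare lowercased.
        -- A repeated header arrives as a table (scheme stays nil): strip it rather
        -- than pass an unparsed value through to the app.
        if scheme == nil or string.lower(scheme) == "basic" then
            ngx.req.clear_header("Authorization")
        end
    end
    -- … unchanged: clearing every header listed in conf["additional_headers"] …
```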