171 commits

Author	SHA1	Message	Date
Alexandre Aubin	493ba581bb	Remove the part that injects the password inside the Authorization header ... in the vast majority of cases, only the username should be necessary and trusted by the app	2023-12-23 20:08:35 +01:00
Alexandre Aubin	f81ae9d5c5	Add a query string 'msg=access_denied' when denying access to a logged-in user, such that we may display it nicely on the frontend?	2023-11-28 19:59:13 +01:00
Alexandre Aubin	3336464481	auth: also confirm that the cookie was delivered for this domain (or parent)	2023-11-28 19:57:57 +01:00
Alexandre Aubin	6263195756	ew, /tabz/	2023-11-28 19:26:03 +01:00
Alexandre Aubin	31a325dc8c	Typoz	2023-11-28 19:14:19 +01:00
Alexandre Aubin	6223239e94	implement proper expiration/prolong mechanism for cookies	2023-11-28 19:14:19 +01:00
Alexandre Aubin	b0b128f53d	Remove unused 'redirected_regex' mechanism, + we don't need the label and show_tile property on acls	2023-10-07 17:49:49 +02:00
Alexandre Aubin	8d2acdd174	Fix the boring case where the cookie secret doesnt exist yet	2023-10-06 14:44:05 +02:00
Alexandre Aubin	769f5f9cfa	access.lua: add special 'default' key in 'domain_portal_urls' to handle case where we reach an unmanaged domain	2023-09-29 14:31:30 +02:00
Alexandre Aubin	cac360bee9	access.lua: move helper at the top with the other sugar stuff	2023-09-29 14:30:36 +02:00
Alexandre Aubin	99749decdc	access.lua: rework again ACL check because the previous code sometimes ended up with error 500 because of permission = nil	2023-09-29 14:30:14 +02:00
Alexandre Aubin	e04e601455	Merge remote-tracking branch 'origin/bookworm' into portal-api	2023-09-27 18:49:28 +02:00
Alexandre Aubin	46352e6a7f	fix cached_jwt_verify signature	2023-09-27 18:43:13 +02:00
selfhoster1312	5eff85928e	Cache JWT crypto work, only check auth on non-public routes	2023-09-02 19:39:07 +02:00
selfhoster1312	5fcfd9ede6	Do not 500 when a requested domain is not configured for SSOWat	2023-08-13 18:17:52 +02:00
Alexandre Aubin	1ac6388242	Misc fixes after tests on the battlefield	2023-07-18 01:26:56 +02:00
Alexandre Aubin	24b7630d3c	epic refactoring: refactor the 'portal url' logic, we shall now have a dict mapping domains to portal urls (which is anyway imposed by cookie management unless we reintroduce complex cross-domain authentication...)	2023-07-15 21:27:40 +02:00
Alexandre Aubin	93ee6371ae	refactoring: drop the complex redirection check which was meant to check the callback URLs ... this is to be handled in the future new portal (or whatever is going to implement the callback redirection logic)	2023-07-15 21:22:27 +02:00
Alexandre Aubin	02952d0202	Moar epic refactoring ... merge 'helpers.lua' inside 'access.lua' to reduce complexity ...	2023-07-15 19:51:31 +02:00
Alexandre Aubin	df094ea0e3	Cleanup unused stuff	2023-07-13 16:41:17 +02:00
Alexandre Aubin	ea0bc8a89c	portalapi: propagate changes on the new API, decrypt the AES256-encrypted password found in user cookie to be able to construct the basic auth headers	2023-07-11 22:41:09 +02:00
Alexandre Aubin	8faa8057f0	security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2	2023-01-10 00:03:25 +01:00
selfhoster1312	5e378e5c2b	Authentication headers are ONLY set when user is logged in and has access to app ... Prevents impersonating users on public applications where the auth headers were not cleared	2023-01-09 15:47:45 +01:00
Alexandre Aubin	d0dba1fd2e	Epic refactoring for new portal API etc	2021-12-26 17:01:56 +01:00
ljf	ca2a605dce	[fix] Typo json	2021-06-29 18:57:06 +02:00
ljf	89d78ab312	[enh] Avoid to list hidden files	2021-06-29 18:50:05 +02:00
ljf	b3741580da	[fix] dash filename, mime types, ynh_userinfo.json	2021-06-29 18:34:40 +02:00
Kay0u	384889ae11	match the beginning of url permissions	2021-01-20 01:28:08 +01:00
Titoko	1747da0571	Update access.lua	2020-12-17 20:12:22 +01:00
Alexandre Aubin	06f1f30226	Update access.lua ... Co-authored-by: Kayou <pierre@kayou.io>	2020-09-21 14:40:37 +02:00
Alexandre Aubin	41ed91bbcb	Misc cosmetics / debug tweaks	2020-09-20 18:00:49 +02:00
Alexandre Aubin	dcbf66d4e4	Rework/simplify code that effectively apply the permission	2020-09-20 18:00:37 +02:00
Alexandre Aubin	a11d8f0d87	Move identification of relevant permission from helpers.lua to access.lua	2020-09-20 17:58:26 +02:00
Alexandre Aubin	abc38bbffe	Move handling of login through HTTP headers to is_logged_in helper	2020-09-20 17:53:18 +02:00
Alexandre Aubin	b2b9b9c8e3	Refactor/move handling of portal assets	2020-09-20 17:47:24 +02:00
Kay0u	41ac2e5bf8	Merge remote-tracking branch 'origin/dev' into permission_protection	2020-09-01 20:56:20 +02:00
Kay0u	b5a1d8dfed	find recursively relative to the theme directory	2020-06-18 15:20:11 +02:00
Kay0u	20de3f5f37	fix theme loading	2020-06-18 14:49:26 +02:00
Kay0u	720e35df4e	do not reauth if we are already logged in	2020-05-21 22:56:52 +02:00
Kay0u	24b3f7dc3a	HTTP Auth before permissions managment	2020-05-21 21:53:04 +02:00
Kay0u	400f88e6ca	fix the redirect loop \o/	2020-05-21 21:51:55 +02:00
Kayou	0f1eea3306	Merge branch 'stretch-unstable' into permission_protection	2020-05-21 21:17:36 +02:00
Alexandre Aubin	09e0fa37aa	Alex made a drunk copypasta that broke everything lul - var user not defined ... In fact we don't need this debug line 'cause it's already done in redirect() itself	2020-04-15 01:42:47 +02:00
Kayou	6ee3486783	Merge branch 'stretch-unstable' into permission_protection	2020-04-09 21:34:38 +02:00
Alexandre Aubin	286eb771a7	Merge pull request #158 from YunoHost/dont_set_header_unallowed_users ... Don't set header if user don't have access	2020-04-01 02:36:58 +02:00
Kay0u	0fc89d0fc9	Rework access	2020-04-01 00:43:59 +02:00
Kay0u	d8c74604c0	portal with the new config file	2020-03-31 02:20:40 +02:00
Kay0u	8cc2bd4b28	Avoid unnecessarily reloading the config file	2020-03-29 18:02:49 +02:00
Josué Tille	ef3d6af9e0	Dont't set header but serve ynhpanel	2020-03-27 15:38:41 +01:00
Josué Tille	b1080c1e1a	Don't set header if user don't have access	2020-03-27 15:30:52 +01:00