Commit graph

128 commits

Author SHA1 Message Date
Alexandre Aubin
c0e38b19a0 rex_pcre is now rex_pcre2 2023-05-15 17:22:50 +02:00
ewilly
ba5ffba490 Fix auth_header
If a colon is in the password, user and password are not well detected.
For example if user="me" and password="pass:word" the function give
user="me:pass" password="word"
2023-01-12 22:23:41 +01:00
Alexandre Aubin
8faa8057f0 security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2 2023-01-10 00:03:25 +01:00
Alexandre Aubin
4e92965eda Stupid typo 2023-01-09 20:51:00 +01:00
Alexandre Aubin
92f1e0505a Iterate on previous security fixes: ignore Auth header on PROPFIND routes, and don't drop Auth header which are not Basic auth 2023-01-09 19:46:51 +01:00
Alexandre Aubin
7a2d0ed27a security: Also check client-provided auth headers to prevent impersonation 2023-01-09 18:32:32 +01:00
selfhoster1312
5e378e5c2b Authentication headers are ONLY set when user is logged in and has access to app
Prevents impersonating users on public applications where the auth headers were not cleared
2023-01-09 15:47:45 +01:00
Alexandre Aubin
71f68b0d4b
Fix password check, path to yunohost lib changed in 11.x 2022-12-06 15:59:32 +01:00
Cyril Romain
7cd4965f6c [fix] helpers.lua: openssl v3 support for hmac_sha512
This change is backward compatible with older openssl versions
2022-11-06 19:38:12 +01:00
Alexandre Aubin
e2996f1451 User info self-edit would not update displayName (which is supposed to be the same as cn) resulting in inconsistencies 2022-10-09 17:27:04 +02:00
Kay0u
981960fb50
Another fix for redirect function 2021-11-16 21:40:04 +01:00
Alexandre Aubin
325964742d
Improve check for unauthorized redirect url
Co-authored-by: Kayou <pierre@kayou.io>
2021-11-15 19:02:13 +01:00
Kayou
0e6369bb38
fix not only alphanumeric characters domain name 2021-11-15 00:49:51 +01:00
ljf (zamentur)
35ee437272
[fix] Avoid redirection on unmanaged domains (#191)
* [fix] Avoid redirection on unmanaged domains

* [fix] redirect with uri

* Update helpers.lua

Co-authored-by: Alexandre Aubin <alex.aubin@mailoo.org>
2021-09-19 21:15:54 +02:00
Alexandre Aubin
07378dfd46 Forgot to python -> python3 in password check 2021-08-15 21:41:50 +02:00
Alexandre Aubin
b28788d708 Improve logging when failing to authenticate ssowat cookies 2021-08-14 21:26:19 +02:00
ljf
c34d9fd74d [fix] Not enough random file name 2021-07-29 16:34:56 +02:00
ljf
8d0998bc3a [enh] Add comment 2021-07-02 19:51:02 +02:00
ljf
f6ddb7af65 [fix] Nextcloud calls strangely logout the user in SSO 2021-07-02 19:49:17 +02:00
ljf
6de4b10e81 [fix] Security risk due to cache full of different uris 2021-07-02 17:40:17 +02:00
ljf
b3741580da [fix] dash filename, mime types, ynh_userinfo.json 2021-06-29 18:34:40 +02:00
Alexandre Aubin
2e8c2f9c67
Merge pull request #183 from YunoHost/avoid-a-syscall-for-cookies
Avoid a syscall for cookies
2021-04-08 15:38:18 +02:00
Kay0u
45e4f9de05
avoid a syscall for cookies 2021-04-08 11:11:46 +02:00
Kay0u
24e7755e8a
remove SSOwAuthRedirect 2021-04-08 10:58:36 +02:00
Kay0u
6c4c1ca54d
Revert my stuff, just change the name of header to Proxy-Authorization + set is_logged_in to false by default 2020-12-24 17:49:24 +01:00
Kay0u
73c5524518
is_logged_in is false at the beginning of the refresh function 2020-12-24 10:20:29 +01:00
Kay0u
50db509330
revert: set "Authorization" headers not Proxy 2020-12-23 18:39:54 +01:00
Kay0u
0ff5cc6af7
Authorization -> Proxy-Authorization 2020-12-23 18:13:34 +01:00
Kay0u
a756462e6c
parse auth header at the end 2020-12-23 15:20:55 +01:00
Titoko
1747da0571 Update access.lua 2020-12-17 20:12:22 +01:00
titoko
2ca6847d4d
Update helpers.lua 2020-12-13 12:05:27 +01:00
titoko
a0129b437e
fix(Authorization): Skipped Autorization Header that are not Basic 2020-12-12 14:23:46 +01:00
Alexandre Aubin
6a7a9d668e Restore ngx logging used by fail2ban to detect failed logging attempt 2020-10-31 13:53:19 +01:00
Alexandre Aubin
ed6fa1aa49 Add a small helper to check if an element is in a table ... in turn fixing a bug related to calling has_access 2020-09-21 14:42:26 +02:00
Alexandre Aubin
41ed91bbcb Misc cosmetics / debug tweaks 2020-09-20 18:00:49 +02:00
Alexandre Aubin
a11d8f0d87 Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:58:26 +02:00
Alexandre Aubin
abc38bbffe Move handling of login through HTTP headers to is_logged_in helper 2020-09-20 17:53:18 +02:00
Kay0u
41ac2e5bf8
Merge remote-tracking branch 'origin/dev' into permission_protection 2020-09-01 20:56:20 +02:00
Kay0u
fb45cd0441
do not compare the same thing several times 2020-06-18 14:48:14 +02:00
Kay0u
397f7b3910
authUser is defined only if authHash is accepted 2020-05-21 22:57:57 +02:00
Kay0u
6a240e1dea
better log message 2020-05-21 22:57:05 +02:00
SilverViper
728620778e
prevent SSOwAuthRedirect=;; 2020-04-30 17:39:07 +02:00
SilverViper
e4b415a64e
Remove all ;; in Set-Cookie 2020-04-30 15:45:41 +02:00
Laurent Peuch
e0a66428ea [fix] invalid more cookies 2020-04-17 00:56:40 +02:00
Kay0u
0fc89d0fc9
Rework access 2020-04-01 00:43:59 +02:00
Kay0u
d8c74604c0
portal with the new config file 2020-03-31 02:20:40 +02:00
Kay0u
8cc2bd4b28
Avoid unnecessarily reloading the config file 2020-03-29 18:02:49 +02:00
Kay0u
bf0dc73381
using permissions, not users directive 2020-03-04 11:34:24 +01:00
Kay0u
97620aaac7
Unused condition 2020-03-04 11:32:53 +01:00
Kay0u
af892991af
refactor legacy url protections 2020-02-13 10:06:32 +07:00