Commit graph

183 commits

Author SHA1 Message Date
Alexandre Aubin
a44988a120 Epic bug because some vars not initialized as nil 2024-01-31 01:30:11 +01:00
Alexandre Aubin
5ed18f7b84 Condition typo ~.~ 2024-01-31 00:15:46 +01:00
Alexandre Aubin
55d893a80f Remove tmp comment 2024-01-30 21:11:03 +01:00
Alexandre Aubin
b2fe0da547 Clarify code 400 return in edge case where there's no default portal redirection 2024-01-30 21:10:17 +01:00
Alexandre Aubin
e877b2ee85 Make some variables explicitly local 2024-01-30 20:55:16 +01:00
Alexandre Aubin
f6090f86d6 Have 'cookie_secret' as capslocked to make it ~obvious it's a global/constant 2024-01-30 20:52:23 +01:00
Alexandre Aubin
46d3b2420b zzzzz 2024-01-30 20:24:08 +01:00
Alexandre Aubin
447fc0d587 auth header: unfortunately some apps such as nextcloud do need the password to be sent, so let's add more semantic to enable password only for some apps.. 2024-01-30 19:40:28 +01:00
Alexandre Aubin
27f7faaf62 Replace the old perm_user_remote_user_var_in_nginx_conf with protect_against_basic_auth_spoofing such that every perm is protected against auth spoofing by default 2024-01-30 19:36:05 +01:00
Alexandre Aubin
d0683f01c4 Typo 2024-01-30 19:05:56 +01:00
Alexandre Aubin
0566f31c4b Auth header : apparently doesn't work as expect if password is emtpy, so let's add a dummy char 2024-01-30 17:44:26 +01:00
Alexandre Aubin
e9a335eaf7 Simplify/optimize url/acl matching algorithm : drop support for legacy lua regexes, only use regexes for actual regexes, otherwise use a simple 'startswith' check 2023-12-23 20:39:07 +01:00
Alexandre Aubin
493ba581bb Remove the part that injects the password inside the Authorization header ... in the vast majority of cases, only the username should be necessary and trusted by the app 2023-12-23 20:08:35 +01:00
Alexandre Aubin
f81ae9d5c5 Add a query string 'msg=access_denied' when denying access to a logged-in user, such that we may display it nicely on the frontend? 2023-11-28 19:59:13 +01:00
Alexandre Aubin
3336464481 auth: also confirm that the cookie was delivered for this domain (or parent) 2023-11-28 19:57:57 +01:00
Alexandre Aubin
6263195756 ew, /tabz/ 2023-11-28 19:26:03 +01:00
Alexandre Aubin
31a325dc8c Typoz 2023-11-28 19:14:19 +01:00
Alexandre Aubin
6223239e94 implement proper expiration/prolong mechanism for cookies 2023-11-28 19:14:19 +01:00
Alexandre Aubin
b0b128f53d Remove unused 'redirected_regex' mechanism, + we don't need the label and show_tile property on acls 2023-10-07 17:49:49 +02:00
Alexandre Aubin
8d2acdd174 Fix the boring case where the cookie secret doesnt exist yet 2023-10-06 14:44:05 +02:00
Alexandre Aubin
769f5f9cfa access.lua: add special 'default' key in 'domain_portal_urls' to handle case where we reach an unmanaged domain 2023-09-29 14:31:30 +02:00
Alexandre Aubin
cac360bee9 access.lua: move helper at the top with the other sugar stuff 2023-09-29 14:30:36 +02:00
Alexandre Aubin
99749decdc access.lua: rework again ACL check because the previous code sometimes ended up with error 500 because of permission = nil 2023-09-29 14:30:14 +02:00
Alexandre Aubin
e04e601455 Merge remote-tracking branch 'origin/bookworm' into portal-api 2023-09-27 18:49:28 +02:00
Alexandre Aubin
46352e6a7f
fix cached_jwt_verify signature 2023-09-27 18:43:13 +02:00
selfhoster1312
5eff85928e Cache JWT crypto work, only check auth on non-public routes 2023-09-02 19:39:07 +02:00
selfhoster1312
5fcfd9ede6 Do not 500 when a requested domain is not configured for SSOWat 2023-08-13 18:17:52 +02:00
Alexandre Aubin
1ac6388242 Misc fixes after tests on the battlefield 2023-07-18 01:26:56 +02:00
Alexandre Aubin
24b7630d3c epic refactoring: refactor the 'portal url' logic, we shall now have a dict mapping domains to portal urls (which is anyway imposed by cookie management unless we reintroduce complex cross-domain authentication...) 2023-07-15 21:27:40 +02:00
Alexandre Aubin
93ee6371ae refactoring: drop the complex redirection check which was meant to check the callback URLs ... this is to be handled in the future new portal (or whatever is going to implement the callback redirection logic) 2023-07-15 21:22:27 +02:00
Alexandre Aubin
02952d0202 Moar epic refactoring ... merge 'helpers.lua' inside 'access.lua' to reduce complexity ... 2023-07-15 19:51:31 +02:00
Alexandre Aubin
df094ea0e3 Cleanup unused stuff 2023-07-13 16:41:17 +02:00
Alexandre Aubin
ea0bc8a89c portalapi: propagate changes on the new API, decrypt the AES256-encrypted password found in user cookie to be able to construct the basic auth headers 2023-07-11 22:41:09 +02:00
Alexandre Aubin
8faa8057f0 security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2 2023-01-10 00:03:25 +01:00
selfhoster1312
5e378e5c2b Authentication headers are ONLY set when user is logged in and has access to app
Prevents impersonating users on public applications where the auth headers were not cleared
2023-01-09 15:47:45 +01:00
Alexandre Aubin
d0dba1fd2e Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00
ljf
ca2a605dce [fix] Typo json 2021-06-29 18:57:06 +02:00
ljf
89d78ab312 [enh] Avoid to list hidden files 2021-06-29 18:50:05 +02:00
ljf
b3741580da [fix] dash filename, mime types, ynh_userinfo.json 2021-06-29 18:34:40 +02:00
Kay0u
384889ae11
match the beginning of url permissions 2021-01-20 01:28:08 +01:00
Titoko
1747da0571 Update access.lua 2020-12-17 20:12:22 +01:00
Alexandre Aubin
06f1f30226
Update access.lua
Co-authored-by: Kayou <pierre@kayou.io>
2020-09-21 14:40:37 +02:00
Alexandre Aubin
41ed91bbcb Misc cosmetics / debug tweaks 2020-09-20 18:00:49 +02:00
Alexandre Aubin
dcbf66d4e4 Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00
Alexandre Aubin
a11d8f0d87 Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:58:26 +02:00
Alexandre Aubin
abc38bbffe Move handling of login through HTTP headers to is_logged_in helper 2020-09-20 17:53:18 +02:00
Alexandre Aubin
b2b9b9c8e3 Refactor/move handling of portal assets 2020-09-20 17:47:24 +02:00
Kay0u
41ac2e5bf8
Merge remote-tracking branch 'origin/dev' into permission_protection 2020-09-01 20:56:20 +02:00
Kay0u
b5a1d8dfed
find recursively relative to the theme directory 2020-06-18 15:20:11 +02:00
Kay0u
20de3f5f37
fix theme loading 2020-06-18 14:49:26 +02:00