Alexandre Aubin | b2fe0da547 | Clarify code 400 return in edge case where there's no default portal redirection | 2024-01-30 21:10:17 +01:00

Alexandre Aubin | e877b2ee85 | Make some variables explicitly local | 2024-01-30 20:55:16 +01:00

Alexandre Aubin | f6090f86d6 | Have 'cookie_secret' as capslocked to make it ~obvious it's a global/constant | 2024-01-30 20:52:23 +01:00

Alexandre Aubin | 46d3b2420b | zzzzz | 2024-01-30 20:24:08 +01:00

Alexandre Aubin | 447fc0d587 | auth header: unfortunately some apps such as nextcloud do need the password to be sent, so let's add more semantics to enable password only for some apps... | 2024-01-30 19:40:28 +01:00

Alexandre Aubin | 27f7faaf62 | Replace the old perm_user_remote_user_var_in_nginx_conf with protect_against_basic_auth_spoofing such that every perm is protected against auth spoofing by default | 2024-01-30 19:36:05 +01:00

Alexandre Aubin | d0683f01c4 | Typo | 2024-01-30 19:05:56 +01:00

Alexandre Aubin | 0566f31c4b | Auth header: apparently doesn't work as expected if password is empty, so let's add a dummy char | 2024-01-30 17:44:26 +01:00

Alexandre Aubin | e9a335eaf7 | Simplify/optimize url/acl matching algorithm: drop support for legacy lua regexes, only use regexes for actual regexes, otherwise use a simple 'startswith' check | 2023-12-23 20:39:07 +01:00

Alexandre Aubin | 493ba581bb | Remove the part that injects the password inside the Authorization header ... in the vast majority of cases, only the username should be necessary and trusted by the app | 2023-12-23 20:08:35 +01:00

Alexandre Aubin | f81ae9d5c5 | Add a query string 'msg=access_denied' when denying access to a logged-in user, such that we may display it nicely on the frontend? | 2023-11-28 19:59:13 +01:00

Alexandre Aubin | 3336464481 | auth: also confirm that the cookie was delivered for this domain (or parent) | 2023-11-28 19:57:57 +01:00

Alexandre Aubin | 6263195756 | ew, /tabz/ | 2023-11-28 19:26:03 +01:00

Alexandre Aubin | 31a325dc8c | Typoz | 2023-11-28 19:14:19 +01:00

Alexandre Aubin | 6223239e94 | implement proper expiration/prolong mechanism for cookies | 2023-11-28 19:14:19 +01:00

Alexandre Aubin | b0b128f53d | Remove unused 'redirected_regex' mechanism, + we don't need the label and show_tile property on acls | 2023-10-07 17:49:49 +02:00

Alexandre Aubin | 8d2acdd174 | Fix the boring case where the cookie secret doesn't exist yet | 2023-10-06 14:44:05 +02:00

Alexandre Aubin | 769f5f9cfa | access.lua: add special 'default' key in 'domain_portal_urls' to handle case where we reach an unmanaged domain | 2023-09-29 14:31:30 +02:00

Alexandre Aubin | cac360bee9 | access.lua: move helper at the top with the other sugar stuff | 2023-09-29 14:30:36 +02:00

Alexandre Aubin | 99749decdc | access.lua: rework again ACL check because the previous code sometimes ended up with error 500 because of permission = nil | 2023-09-29 14:30:14 +02:00

Alexandre Aubin | e04e601455 | Merge remote-tracking branch 'origin/bookworm' into portal-api | 2023-09-27 18:49:28 +02:00

Alexandre Aubin | 46352e6a7f | fix cached_jwt_verify signature | 2023-09-27 18:43:13 +02:00

selfhoster1312 | 5eff85928e | Cache JWT crypto work, only check auth on non-public routes | 2023-09-02 19:39:07 +02:00

selfhoster1312 | 5fcfd9ede6 | Do not 500 when a requested domain is not configured for SSOWat | 2023-08-13 18:17:52 +02:00

Alexandre Aubin | 1ac6388242 | Misc fixes after tests on the battlefield | 2023-07-18 01:26:56 +02:00

Alexandre Aubin | 24b7630d3c | epic refactoring: refactor the 'portal url' logic, we shall now have a dict mapping domains to portal urls (which is anyway imposed by cookie management unless we reintroduce complex cross-domain authentication...) | 2023-07-15 21:27:40 +02:00

Alexandre Aubin | 93ee6371ae | refactoring: drop the complex redirection check which was meant to check the callback URLs ... this is to be handled in the future new portal (or whatever is going to implement the callback redirection logic) | 2023-07-15 21:22:27 +02:00

Alexandre Aubin | 02952d0202 | Moar epic refactoring ... merge 'helpers.lua' inside 'access.lua' to reduce complexity ... | 2023-07-15 19:51:31 +02:00

Alexandre Aubin | df094ea0e3 | Cleanup unused stuff | 2023-07-13 16:41:17 +02:00

Alexandre Aubin | ea0bc8a89c | portalapi: propagate changes on the new API, decrypt the AES256-encrypted password found in user cookie to be able to construct the basic auth headers | 2023-07-11 22:41:09 +02:00

Alexandre Aubin | 8faa8057f0 | security: rework previous fixes to use the new use_remote_user_var_in_nginx_conf in ssowat conf introduced in yunohost 11.1.2 | 2023-01-10 00:03:25 +01:00

selfhoster1312 | 5e378e5c2b | Authentication headers are ONLY set when user is logged in and has access to app. Prevents impersonating users on public applications where the auth headers were not cleared | 2023-01-09 15:47:45 +01:00

Alexandre Aubin | d0dba1fd2e | Epic refactoring for new portal API etc | 2021-12-26 17:01:56 +01:00

ljf | ca2a605dce | [fix] Typo json | 2021-06-29 18:57:06 +02:00

ljf | 89d78ab312 | [enh] Avoid listing hidden files | 2021-06-29 18:50:05 +02:00

ljf | b3741580da | [fix] dash filename, mime types, ynh_userinfo.json | 2021-06-29 18:34:40 +02:00

Kay0u | 384889ae11 | match the beginning of url permissions | 2021-01-20 01:28:08 +01:00

Titoko | 1747da0571 | Update access.lua | 2020-12-17 20:12:22 +01:00

Alexandre Aubin | 06f1f30226 | Update access.lua (Co-authored-by: Kayou <pierre@kayou.io>) | 2020-09-21 14:40:37 +02:00

Alexandre Aubin | 41ed91bbcb | Misc cosmetics / debug tweaks | 2020-09-20 18:00:49 +02:00

Alexandre Aubin | dcbf66d4e4 | Rework/simplify code that effectively applies the permission | 2020-09-20 18:00:37 +02:00

Alexandre Aubin | a11d8f0d87 | Move identification of relevant permission from helpers.lua to access.lua | 2020-09-20 17:58:26 +02:00

Alexandre Aubin | abc38bbffe | Move handling of login through HTTP headers to is_logged_in helper | 2020-09-20 17:53:18 +02:00

Alexandre Aubin | b2b9b9c8e3 | Refactor/move handling of portal assets | 2020-09-20 17:47:24 +02:00

Kay0u | 41ac2e5bf8 | Merge remote-tracking branch 'origin/dev' into permission_protection | 2020-09-01 20:56:20 +02:00

Kay0u | b5a1d8dfed | find recursively relative to the theme directory | 2020-06-18 15:20:11 +02:00

Kay0u | 20de3f5f37 | fix theme loading | 2020-06-18 14:49:26 +02:00

Kay0u | 720e35df4e | do not reauth if we are already logged in | 2020-05-21 22:56:52 +02:00

Kay0u | 24b3f7dc3a | HTTP Auth before permissions management | 2020-05-21 21:53:04 +02:00

Kay0u | 400f88e6ca | fix the redirect loop \o/ | 2020-05-21 21:51:55 +02:00