Added debugging logging output to track down

*domain mismatches *session cookie issues
2024-09-14 22:47:21 +07:00 · 2019-05-29 07:37:51 -06:00 · 2019-05-29 07:37:51 -06:00 · 21d55a027d
commit 21d55a027d
parent 80b1428849
4 changed files with 30 additions and 6 deletions
--- a/server/src/lib/AuthenticationSessionHandler.ts
+++ b/server/src/lib/AuthenticationSessionHandler.ts
@ -34,6 +34,8 @@ export class AuthenticationSessionHandler {
    }

    if (!req.session.auth) {
+      logger.debug(req, "Session %s has no authentication information. Its internal id is: %s its current cookie is: %s",
+          req.sessionID, req.session.id, JSON.stringify(req.session.cookie));
      logger.debug(req, "Authentication session %s was undefined. Resetting..." +
        " If it's unexpected, make sure you are visiting the expected domain.", req.sessionID);
      AuthenticationSessionHandler.reset(req);
--- a/server/src/lib/BelongToDomain.ts
+++ b/server/src/lib/BelongToDomain.ts
@ -1,8 +1,18 @@
 import { DomainExtractor } from "./DomainExtractor";
+import { IRequestLogger } from "./logging/IRequestLogger";
+import express = require("express");

-export function BelongToDomain(url: string, domain: string): boolean {
+export function BelongToDomain(url: string, domain: string, logger: IRequestLogger, req: express.Request): boolean {
  const urlDomain =  DomainExtractor.fromUrl(url);
-  if (!urlDomain) return false;
+  if (!urlDomain) {
+    logger.debug(req, "Unable to extract domain from url %s the url doesn't parse correctly.", url);
+    return false;
+  }
+  logger.debug(req,  "Extracted domain %s from url %s", urlDomain, url);
  const idx = urlDomain.indexOf(domain);
+  logger.debug(req,  "Found protected domain: %s in url extracted domain: %s at index: %s",
+      domain, urlDomain, idx);
+  logger.debug(req, "protected domain size: %s url extracted domain size: %s", domain.length, urlDomain.length);
+  logger.debug(req, "domain match url extracted: %s", idx + domain.length == urlDomain.length);
  return idx + domain.length == urlDomain.length;
 }
--- a/server/src/lib/routes/firstfactor/post.ts
+++ b/server/src/lib/routes/firstfactor/post.ts
@ -46,7 +46,7 @@ export default function (vars: ServerVariables) {
      })
      .then(function (groupsAndEmails: GroupsAndEmails) {
        vars.logger.info(req,
-          "LDAP binding successful. Retrieved information about user are %s",
+          "Backend lookup successful. Retrieved information about user %s are %s", username,
          JSON.stringify(groupsAndEmails));
        authSession.userid = username;
        authSession.keep_me_logged_in = keepMeLoggedIn;
@ -66,12 +66,14 @@ export default function (vars: ServerVariables) {
        const targetUrl = GetHeader(req, "x-target-url");

        if (!targetUrl) {
+          vars.logger.debug(req, "Sending status 204 due to missing header 'x-target-url'");
          res.status(204);
          res.send();
          return BluebirdPromise.resolve();
        }

-        if (BelongToDomain(targetUrl, vars.config.session.domain)) {
+        if (BelongToDomain(targetUrl, vars.config.session.domain, vars.logger, req)) {
+          vars.logger.debug(req, "%s was found to be in domain %s", targetUrl, vars.config.session.domain);
          const resource = URLDecomposer.fromUrl(targetUrl);
          const resObject: Object = {
            domain: resource.domain,
@ -84,15 +86,23 @@ export default function (vars: ServerVariables) {
          };

          const authorizationLevel = vars.authorizer.authorization(resObject, subject, req.ip);
+          vars.logger.debug(req, "calculated authorization level: %s from resObject: %s subject: %s and ip: %s",
+              authorizationLevel, JSON.stringify(resObject), JSON.stringify(subject), req.ip);
+
          if (authorizationLevel <= AuthorizationLevel.ONE_FACTOR) {
            if (IsRedirectionSafe(vars, new URLParse(targetUrl))) {
+              vars.logger.debug(req, "sending redirect to: %s", targetUrl);
              res.json({redirect: targetUrl});
              return BluebirdPromise.resolve();
            } else {
              res.json({error: "You're authenticated but cannot be automatically redirected to an unsafe URL."});
              return BluebirdPromise.resolve();
            }
+          } else {
+            vars.logger.debug(req, "Current authorization level %s indicates no further action for %s", authorizationLevel, username);
          }
+        } else {
+          vars.logger.debug(req, "%s was not found to be in domain %s", targetUrl, vars.config.session.domain);
        }

        res.status(204);
--- a/server/src/lib/routes/verify/Get.ts
+++ b/server/src/lib/routes/verify/Get.ts
@ -17,9 +17,10 @@ async function verifyWithSelectedMethod(req: Express.Request, res: Express.Respo
  vars: ServerVariables, authSession: AuthenticationSession | undefined)
  : Promise<void> {
  if (HasHeader(req, Constants.HEADER_PROXY_AUTHORIZATION)) {
+    vars.logger.debug(req, "Got PROXY_AUTHORIZATION header checking basic auth");
    await GetBasicAuth(req, res, vars);
-  }
-  else {
+  } else {
+    vars.logger.debug(req, "Checking session cookie");
    await GetSessionCookie(req, res, vars, authSession);
  }
 }
@ -49,6 +50,7 @@ async function unsafeGet(vars: ServerVariables, req: Express.Request, res: Expre
    }

    // Reply with an error.
+    vars.logger.error(req, "Got an error state when processing verify. Error was: %s", err.toString());
    throw err;
  }
 }