From 631b201229a902771a520e33cfc947e4d14e4dda Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sat, 21 Jan 2017 20:33:55 +0100
Subject: [PATCH] Remove _auth query path and update nginx config so that every authentication request is proxified under /auth/

---
 nginx_conf/nginx.conf                 | 12 +----------
 src/lib/server.js                     | 14 +++++++-------
 src/public_html/login.js              | 12 ++++++------
 test/integration/test_server.js       |  6 +++---
 test/unitary/test_data_persistence.js | 10 +++++-----
 test/unitary/test_server.js           | 20 ++++++++++----------
 6 files changed, 32 insertions(+), 42 deletions(-)

diff --git a/nginx_conf/nginx.conf b/nginx_conf/nginx.conf
index be07e207..1541fdfa 100644
--- a/nginx_conf/nginx.conf
+++ b/nginx_conf/nginx.conf
@@ -37,16 +37,6 @@ http {
         return 302 https://localhost:8080/auth/login?redirect=$request_uri;
     }
 
-    location = /verify {
-        internal;
-        # proxy_pass_request_body off;
-        proxy_set_header X-Original-URI $request_uri;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-
-        proxy_pass http://auth/_verify;
-    }
-
     location /auth/ {
         proxy_set_header X-Original-URI $request_uri;
         proxy_set_header Host $http_host;
@@ -56,7 +46,7 @@ http {
     }
 
     location = /secret.html {
-        auth_request /verify;
+        auth_request /auth/verify;
         auth_request_set $user $upstream_http_x_remote_user;
         proxy_set_header X-Forwarded-User $user;
 
diff --git a/src/lib/server.js b/src/lib/server.js
index 3c01a297..ee02d70e 100644
--- a/src/lib/server.js
+++ b/src/lib/server.js
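Review bot: Removing the `internal;` location makes the verify endpoint reachable by any client as `/auth/verify` through the generic `location /auth/` proxy, whereas the deleted block let only nginx's own `auth_request` subrequests reach it; if that endpoint is meant for nginx alone, a dedicated `location = /auth/verify` carrying `internal;` and placed before `location /auth/` keeps it unreachable from outside while still serving the `auth_request /auth/verify;` introduced in the second hunk. The deleted block also carried the (commented-out) `proxy_pass_request_body off;`, and the part of `location /auth/` visible here only sets headers, so an `auth_request` subrequest triggered by a request that has a body may forward the original `Content-Length` without the body; the usual pairing for an `auth_request` target is `proxy_pass_request_body off;` plus `proxy_set_header Content-Length "";`. The remainder of `location /auth/`, including its `proxy_pass`, is outside the hunk and may already cover this; the block below assumes the same `auth` upstream as the deleted `proxy_pass http://auth/_verify;` and the `/verify` express route from src/lib/server.js.
```nginx
    location = /auth/verify {
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://auth/verify;
    }

    # … unchanged: location /auth/ { … } …
```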
@@ -51,15 +51,15 @@ function run(config, ldap_client, u2f, fn) {
 
   app.get ('/login', routes.login);
   app.get ('/logout', routes.logout);
-  app.get ('/_verify', routes.verify);
+  app.get ('/verify', routes.verify);
 
-  app.post ('/_auth/1stfactor', routes.first_factor);
-  app.post ('/_auth/2ndfactor/totp', routes.second_factor.totp);
+  app.post ('/1stfactor', routes.first_factor);
+  app.post ('/2ndfactor/totp', routes.second_factor.totp);
 
-  app.get ('/_auth/2ndfactor/u2f/register_request', routes.second_factor.u2f.register_request);
-  app.post ('/_auth/2ndfactor/u2f/register', routes.second_factor.u2f.register);
-  app.get ('/_auth/2ndfactor/u2f/sign_request', routes.second_factor.u2f.sign_request);
-  app.post ('/_auth/2ndfactor/u2f/sign', routes.second_factor.u2f.sign);
+  app.get ('/2ndfactor/u2f/register_request', routes.second_factor.u2f.register_request);
+  app.post ('/2ndfactor/u2f/register', routes.second_factor.u2f.register);
+  app.get ('/2ndfactor/u2f/sign_request', routes.second_factor.u2f.sign_request);
+  app.post ('/2ndfactor/u2f/sign', routes.second_factor.u2f.sign);
 
   return app.listen(config.port, function(err) {
     console.log('Listening on %d...', config.port);
diff --git a/src/public_html/login.js b/src/public_html/login.js
index a264d6ae..55df039d 100644
--- a/src/public_html/login.js
+++ b/src/public_html/login.js
@@ -79,7 +79,7 @@ function finishSecondFactorU2f(url, responseData, fn) {
 }
 
 function startSecondFactorU2fSigning(fn, timeout) {
-  $.get('/auth/_auth/2ndfactor/u2f/sign_request', {}, null, 'json')
+  $.get('/auth/2ndfactor/u2f/sign_request', {}, null, 'json')
   .done(function(signResponse) {
     var registeredKeys = signResponse.registeredKeys;
     $.notify('Please touch the token', 'information');
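Review bot: Nothing in this route table records that these paths are reached through the nginx `location /auth/` proxy, so the link between `app.get ('/verify', routes.verify);` here and `auth_request /auth/verify;` in nginx_conf/nginx.conf is invisible to anyone editing either file; a comment above the first route, `// Exposed under /auth/ by the nginx proxy; /verify is the auth_request target (see nginx_conf/nginx.conf).`, would make the coupling explicit. The body of `run` begins and ends outside this hunk.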
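Review bot: The `/auth/` prefix is now repeated in six request literals across this file (this hunk and the five login.js hunks that follow), so every future change to the nginx location means editing each call site; a single module-level `var AUTH_BASE = '/auth';` used as `$.get(AUTH_BASE + '/2ndfactor/u2f/sign_request', {}, null, 'json')` would keep the dependency on nginx_conf/nginx.conf in one place. `startSecondFactorU2fSigning` continues past the end of this hunk.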
@@ -101,7 +101,7 @@ function startSecondFactorU2fSigning(fn, timeout) {
         fn(response);
       } else {
         // response['sessionId'] = sessionIds[response.keyHandle];
-        finishSecondFactorU2f('/auth/_auth/2ndfactor/u2f/sign', response, fn);
+        finishSecondFactorU2f('/auth/2ndfactor/u2f/sign', response, fn);
       }
     },
     timeout
@@ -113,7 +113,7 @@ function startSecondFactorU2fSigning(fn, timeout) {
 }
 
 function startSecondFactorU2fRegister(fn, timeout) {
-  $.get('/auth/_auth/2ndfactor/u2f/register_request', {}, null, 'json')
+  $.get('/auth/2ndfactor/u2f/register_request', {}, null, 'json')
   .done(function(startRegisterResponse) {
     console.log(startRegisterResponse);
     $.notify('Please touch the token', 'information');
@@ -126,7 +126,7 @@ function startSecondFactorU2fRegister(fn, timeout) {
         fn(response.errorCode);
       } else {
         // response['sessionId'] = startRegisterResponse.clientData;
-        finishSecondFactorU2f('/auth/_auth/2ndfactor/u2f/register', response, fn);
+        finishSecondFactorU2f('/auth/2ndfactor/u2f/register', response, fn);
       }
     },
     timeout
@@ -135,7 +135,7 @@ function startSecondFactorU2fRegister(fn, timeout) {
 }
 
 function validateSecondFactorTotp(token, fn) {
-  $.post('/auth/_auth/2ndfactor/totp', {
+  $.post('/auth/2ndfactor/totp', {
     token: token,
   })
   .done(function() {
@@ -148,7 +148,7 @@ function validateSecondFactorTotp(token, fn) {
 
 
 function validateFirstFactor(username, password, fn) {
-  $.post('/auth/_auth/1stfactor', {
+  $.post('/auth/1stfactor', {
     username: username,
     password: password,
   })
diff --git a/test/integration/test_server.js b/test/integration/test_server.js
index d3b3fb63..29d6a7da 100644
--- a/test/integration/test_server.js
+++ b/test/integration/test_server.js
@@ -62,7 +62,7 @@ describe('test the server', function() {
   });
 
   it('should fail the first_factor login', function() {
-    return postPromised(BASE_URL + '/auth/_auth/1stfactor', {
+    return postPromised(BASE_URL + '/auth/1stfactor', {
       form: {
         username: 'admin',
         password: 'bad_password'
@@ -80,7 +80,7 @@ describe('test the server', function() {
       encoding: 'base32'
     });
 
-    return postPromised(BASE_URL + '/auth/_auth/1stfactor', {
+    return postPromised(BASE_URL + '/auth/1stfactor', {
       form: {
         username: 'admin',
         password: 'password',
@@ -88,7 +88,7 @@ describe('test the server', function() {
     })
     .then(function(response) {
       assert.equal(response.statusCode, 204);
-      return postPromised(BASE_URL + '/auth/_auth/2ndfactor/totp', {
+      return postPromised(BASE_URL + '/auth/2ndfactor/totp', {
         form: { token: token }
       });
     })
diff --git a/test/unitary/test_data_persistence.js b/test/unitary/test_data_persistence.js
index 774d28fd..615ed627 100644
--- a/test/unitary/test_data_persistence.js
+++ b/test/unitary/test_data_persistence.js
@@ -118,7 +118,7 @@ describe('test data persistence', function() {
 
   function execute_first_factor(jar) {
     return request.postAsync({
-      url: BASE_URL + '/_auth/1stfactor',
+      url: BASE_URL + '/1stfactor',
       jar: jar,
       form: {
         username: 'test_ok',
@@ -129,12 +129,12 @@ describe('test data persistence', function() {
 
   function execute_u2f_registration(jar) {
     return request.getAsync({
-      url: BASE_URL + '/_auth/2ndfactor/u2f/register_request',
+      url: BASE_URL + '/2ndfactor/u2f/register_request',
       jar: jar
     })
     .then(function(res) {
       return request.postAsync({
-        url: BASE_URL + '/_auth/2ndfactor/u2f/register',
+        url: BASE_URL + '/2ndfactor/u2f/register',
         jar: jar,
         form: {
           s: 'test'
@@ -145,12 +145,12 @@ describe('test data persistence', function() {
 
   function execute_u2f_authentication(jar) {
     return request.getAsync({
-      url: BASE_URL + '/_auth/2ndfactor/u2f/sign_request',
+      url: BASE_URL + '/2ndfactor/u2f/sign_request',
       jar: jar
     })
     .then(function() {
       return request.postAsync({
-        url: BASE_URL + '/_auth/2ndfactor/u2f/sign',
+        url: BASE_URL + '/2ndfactor/u2f/sign',
         jar: jar,
         form: {
           s: 'test'
diff --git a/test/unitary/test_server.js b/test/unitary/test_server.js
index 672d5a60..404577f2 100644
--- a/test/unitary/test_server.js
+++ b/test/unitary/test_server.js
@@ -81,7 +81,7 @@ describe('test the server', function() {
 
   function test_authentication() {
     it('should return status code 401 when user is not authenticated', function() {
-      return request.getAsync({ url: BASE_URL + '/_verify' })
+      return request.getAsync({ url: BASE_URL + '/verify' })
       .then(function(response) {
         assert.equal(response.statusCode, 401);
         return Promise.resolve();
@@ -98,7 +98,7 @@ describe('test the server', function() {
       .then(function(res) {
         assert.equal(res.statusCode, 200, 'get login page failed');
         return request.postAsync({
-          url: BASE_URL + '/_auth/1stfactor',
+          url: BASE_URL + '/1stfactor',
           jar: j,
           form: {
             username: 'test_ok',
@@ -109,7 +109,7 @@ describe('test the server', function() {
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'first factor failed');
         return request.postAsync({
-          url: BASE_URL + '/_auth/2ndfactor/totp',
+          url: BASE_URL + '/2ndfactor/totp',
           jar: j,
           form: {
             token: real_token
@@ -118,7 +118,7 @@ describe('test the server', function() {
       })
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'second factor failed');
-        return request.getAsync({ url: BASE_URL + '/_verify', jar: j })
+        return request.getAsync({ url: BASE_URL + '/verify', jar: j })
       })
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'verify failed');
@@ -141,7 +141,7 @@ describe('test the server', function() {
       .then(function(res) {
         assert.equal(res.statusCode, 200, 'get login page failed');
         return request.postAsync({
-          url: BASE_URL + '/_auth/1stfactor',
+          url: BASE_URL + '/1stfactor',
           jar: j,
           form: {
             username: 'test_ok',
@@ -152,14 +152,14 @@ describe('test the server', function() {
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'first factor failed');
         return request.getAsync({
-          url: BASE_URL + '/_auth/2ndfactor/u2f/register_request',
+          url: BASE_URL + '/2ndfactor/u2f/register_request',
           jar: j
         });
       })
       .then(function(res) {
         assert.equal(res.statusCode, 200, 'second factor, start register failed');
         return request.postAsync({
-          url: BASE_URL + '/_auth/2ndfactor/u2f/register',
+          url: BASE_URL + '/2ndfactor/u2f/register',
           jar: j,
           form: {
             s: 'test'
@@ -169,14 +169,14 @@ describe('test the server', function() {
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'second factor, finish register failed');
         return request.getAsync({
-          url: BASE_URL + '/_auth/2ndfactor/u2f/sign_request',
+          url: BASE_URL + '/2ndfactor/u2f/sign_request',
           jar: j
         });
       })
       .then(function(res) {
         assert.equal(res.statusCode, 200, 'second factor, start sign failed');
         return request.postAsync({
-          url: BASE_URL + '/_auth/2ndfactor/u2f/sign',
+          url: BASE_URL + '/2ndfactor/u2f/sign',
           jar: j,
           form: {
             s: 'test'
@@ -185,7 +185,7 @@ describe('test the server', function() {
       })
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'second factor, finish sign failed');
-        return request.getAsync({ url: BASE_URL + '/_verify', jar: j })
+        return request.getAsync({ url: BASE_URL + '/verify', jar: j })
       })
       .then(function(res) {
         assert.equal(res.statusCode, 204, 'verify failed');