diff --git a/example/nginx/nginx.conf b/example/nginx/nginx.conf
index 65c8d501..9d5f0ebe 100644
--- a/example/nginx/nginx.conf
+++ b/example/nginx/nginx.conf
@@ -75,14 +75,11 @@ http {
 auth_request_set $redirect $upstream_http_redirect;
 proxy_set_header Redirect $redirect;
- auth_request_set $user $upstream_http_x_remote_user;
+ auth_request_set $user $upstream_http_remote_user;
 proxy_set_header X-Forwarded-User $user;
 auth_request_set $groups $upstream_http_remote_groups;
 proxy_set_header Remote-Groups $groups;
-
- auth_request_set $expiry $upstream_http_remote_expiry;
- proxy_set_header Remote-Expiry $expiry;
 error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
 error_page 403 = https://auth.test.local:8080/error/403;
diff --git a/src/server/endpoints.ts b/src/server/endpoints.ts
index 7412aa96..852c9a79 100644
--- a/src/server/endpoints.ts
+++ b/src/server/endpoints.ts
@@ -274,7 +274,10 @@ export const SECOND_FACTOR_GET = "/secondfactor";
 * @apiError (Error 401) status The user is not authenticated.
 *
 * @apiDescription Verify that the user is authenticated, i.e., the two
- * factors have been validated
+ * factors have been validated.
+ * If the user is authenticated the response headers Remote-User and Remote-Groups
+ * are set. Remote-User contains the user id of the currently logged in user and Remote-Groups
+ * a comma separated list of assigned groups.
 */
 export const VERIFY_GET = "/verify";
diff --git a/src/server/lib/routes/verify/get.ts b/src/server/lib/routes/verify/get.ts
index 45b7974b..d0a53fab 100644
--- a/src/server/lib/routes/verify/get.ts
+++ b/src/server/lib/routes/verify/get.ts
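Review bot: The user identity is forwarded to the upstream as `X-Forwarded-User` while groups are forwarded as `Remote-Groups`, so a backend that reads `Remote-User` from the request (the header name the verify endpoint's own documentation advertises in the endpoints.ts hunk) would receive whatever the client sent, because nginx only overwrites the request headers it explicitly sets with `proxy_set_header`. Either forward the user under the same name the auth server emits, `proxy_set_header Remote-User $user;`, or explicitly clear it next to the existing `X-Forwarded-User` line, `proxy_set_header Remote-User "";`, so the backend never sees a client-controlled value for it. The removed `Remote-Expiry` lines have no counterpart in the TypeScript hunks, so a short comment stating why expiry is no longer propagated would help the next reader of this example. The enclosing `http {` / server block begins and ends outside this hunk.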
@@ -1,9 +1,7 @@
-import { Winston } from "winston";
 import objectPath = require("object-path");
 import BluebirdPromise = require("bluebird");
 import express = require("express");
-import { AccessController } from "../../access_control/AccessController";
 import exceptions = require("../../Exceptions");
 import winston = require("winston");
 import AuthenticationValidator = require("../../AuthenticationValidator");
@@ -39,6 +37,9 @@ function verify_filter(req: express.Request, res: express.Response): BluebirdPro
 if (!authSession.first_factor || !authSession.second_factor)
 return BluebirdPromise.reject(new exceptions.AccessDeniedError("First or second factor not validated"));
+ res.setHeader("Remote-User", username);
+ res.setHeader("Remote-Groups", groups.join(","));
+ return BluebirdPromise.resolve();
 });
 }
diff --git a/test/unit/server/routes/verify/get.test.ts b/test/unit/server/routes/verify/get.test.ts
index 6aeb6a34..9de9fd11 100644
--- a/test/unit/server/routes/verify/get.test.ts
+++ b/test/unit/server/routes/verify/get.test.ts
@@ -45,9 +45,12 @@ describe("test authentication token verification", function () {
 authSession.first_factor = true;
 authSession.second_factor = true;
 authSession.userid = "myuser";
+ authSession.groups = ["mygroup", "othergroup"];
 return VerifyGet.default(req as express.Request, res as any);
 })
 .then(function () {
+ sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
+ sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
 assert.equal(204, res.status.getCall(0).args[0]);
 });
 });
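Review bot: `groups.join(",")` on the new `Remote-Groups` line throws a TypeError when the session carries no groups array (a session established before this change, or a user whose directory entry has no group attribute), and `res.setHeader` can itself throw when `username` or a group name contains characters that are not valid in a header value, so a fully authenticated request would fail inside the `.then` callback instead of returning 204. Guarding the join, `res.setHeader("Remote-Groups", (groups || []).join(","));`, covers the first case, and a comment above the two `setHeader` calls noting that group names must not contain commas (a comma-separated list cannot carry them unambiguously, so the upstream would split them wrongly) documents the format the proxy relies on. Where `groups` and `username` are assigned is outside this hunk; the test hunk suggests they come from `authSession`. The `verify_filter` body starts before this hunk.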
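Review bot: The two new assertions only cover the positive path; nothing asserts that `Remote-User` and `Remote-Groups` are left unset when `first_factor` or `second_factor` is false, which is the property the reverse proxy's header-based trust depends on. A sibling case that sets `authSession.second_factor = false;` and, in its rejection handler, checks `sinon.assert.neverCalledWith(res.setHeader, "Remote-User");` and the same for `"Remote-Groups"` would pin it. The `describe` block and the promise chain these lines belong to start before this hunk.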