mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Use x-original-url instead of host to deduce domain to check permissions for
This commit is contained in:
Clement Michaud
parent
4be299d6eb
commit
bc72f5c508
|
|
@ -74,11 +74,15 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass $upstream_verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
@ -137,11 +141,15 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass $upstream_verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
@ -183,11 +191,15 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass $upstream_verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
@ -229,11 +241,15 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass $upstream_verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
@ -276,12 +292,15 @@ http {
|
||||||
|
|
||||||
location /auth_verify {
|
location /auth_verify {
|
||||||
internal;
|
internal;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_set_header X-Original-URI $request_uri;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Original-URI $request_uri;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header Proxy-Authorization $http_authorization;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
|
||||||
proxy_pass $upstream_verify;
|
proxy_pass $upstream_verify;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,20 @@
|
||||||
|
|
||||||
import express = require("express");
|
import express = require("express");
|
||||||
import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler";
|
import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler";
|
||||||
|
import Constants = require("../../../../../shared/constants");
|
||||||
|
import { ServerVariables } from "../../ServerVariables";
|
||||||
|
|
||||||
export default function(req: express.Request, res: express.Response) {
|
function getRedirectParam(req: express.Request) {
|
||||||
const redirect_param = req.query.redirect;
|
return req.query[Constants.REDIRECT_QUERY_PARAM] != "undefined"
|
||||||
const redirect_url = redirect_param || "/";
|
? req.query[Constants.REDIRECT_QUERY_PARAM]
|
||||||
AuthenticationSessionHandler.reset(req);
|
: undefined;
|
||||||
res.redirect(redirect_url);
|
}
|
||||||
|
|
||||||
|
export default function (vars: ServerVariables) {
|
||||||
|
return function(req: express.Request, res: express.Response) {
|
||||||
|
const redirect_param = getRedirectParam(req);
|
||||||
|
const redirect_url = redirect_param || "/";
|
||||||
|
AuthenticationSessionHandler.reset(req);
|
||||||
|
res.redirect(redirect_url);
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
@ -129,7 +129,7 @@ export class RestApi {
|
||||||
RequireValidatedFirstFactor.middleware(vars.logger),
|
RequireValidatedFirstFactor.middleware(vars.logger),
|
||||||
SecondFactorGet.default(vars));
|
SecondFactorGet.default(vars));
|
||||||
|
|
||||||
app.get(Endpoints.LOGOUT_GET, LogoutGet.default);
|
app.get(Endpoints.LOGOUT_GET, LogoutGet.default(vars));
|
||||||
|
|
||||||
app.get(Endpoints.VERIFY_GET, VerifyGet.default(vars));
|
app.get(Endpoints.VERIFY_GET, VerifyGet.default(vars));
|
||||||
app.post(Endpoints.FIRST_FACTOR_POST, FirstFactorPost.default(vars));
|
app.post(Endpoints.FIRST_FACTOR_POST, FirstFactorPost.default(vars));
|
||||||
|
|
|
||||||
|
|
@ -27,7 +27,7 @@ describe("test /api/verify endpoint", function () {
|
||||||
redirect: "undefined"
|
redirect: "undefined"
|
||||||
};
|
};
|
||||||
AuthenticationSessionHandler.reset(req as any);
|
AuthenticationSessionHandler.reset(req as any);
|
||||||
req.headers.host = "secret.example.com";
|
req.headers["x-original-url"] = "https://secret.example.com/";
|
||||||
const s = ServerVariablesMockBuilder.build(false);
|
const s = ServerVariablesMockBuilder.build(false);
|
||||||
mocks = s.mocks;
|
mocks = s.mocks;
|
||||||
vars = s.variables;
|
vars = s.variables;
|
||||||
|
|
@ -130,7 +130,7 @@ describe("test /api/verify endpoint", function () {
|
||||||
authSession.first_factor = true;
|
authSession.first_factor = true;
|
||||||
authSession.second_factor = true;
|
authSession.second_factor = true;
|
||||||
authSession.userid = "myuser";
|
authSession.userid = "myuser";
|
||||||
req.headers.host = "test.example.com";
|
req.headers["x-original-url"] = "https://test.example.com/";
|
||||||
mocks.accessController.isAccessAllowedMock.returns(false);
|
mocks.accessController.isAccessAllowedMock.returns(false);
|
||||||
|
|
||||||
return test_unauthorized_403({
|
return test_unauthorized_403({
|
||||||
|
|
@ -147,7 +147,7 @@ describe("test /api/verify endpoint", function () {
|
||||||
|
|
||||||
describe("given user tries to access a single factor endpoint", function () {
|
describe("given user tries to access a single factor endpoint", function () {
|
||||||
beforeEach(function () {
|
beforeEach(function () {
|
||||||
req.headers["host"] = "redirect.url";
|
req.headers["x-original-url"] = "https://redirect.url/";
|
||||||
mocks.config.authentication_methods.per_subdomain_methods = {
|
mocks.config.authentication_methods.per_subdomain_methods = {
|
||||||
"redirect.url": "single_factor"
|
"redirect.url": "single_factor"
|
||||||
};
|
};
|
||||||
|
|
@ -238,7 +238,7 @@ describe("test /api/verify endpoint", function () {
|
||||||
mocks.ldapAuthenticator.authenticateStub.rejects(new Error(
|
mocks.ldapAuthenticator.authenticateStub.rejects(new Error(
|
||||||
"Invalid credentials"));
|
"Invalid credentials"));
|
||||||
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
|
||||||
req.query["redirect"] = REDIRECT_URL;
|
req.query["rd"] = REDIRECT_URL;
|
||||||
|
|
||||||
return VerifyGet.default(vars)(req as express.Request, res as any)
|
return VerifyGet.default(vars)(req as express.Request, res as any)
|
||||||
.then(function () {
|
.then(function () {
|
||||||
|
|
|
||||||
|
|
@ -18,16 +18,4 @@ describe("test DomainExtractor", function () {
|
||||||
Assert.equal(domain, "www.example.com");
|
Assert.equal(domain, "www.example.com");
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
describe("test fromHostHeader", function () {
|
|
||||||
it("should return domain when default port is used", function () {
|
|
||||||
const domain = DomainExtractor.fromHostHeader("www.example.com");
|
|
||||||
Assert.equal(domain, "www.example.com");
|
|
||||||
});
|
|
||||||
|
|
||||||
it("should return domain when non default port is used", function () {
|
|
||||||
const domain = DomainExtractor.fromHostHeader("www.example.com:8080");
|
|
||||||
Assert.equal(domain, "www.example.com");
|
|
||||||
});
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
Loading…
Reference in New Issue
Block a user