diff --git a/src/proxyauth.js b/src/proxyauth.js
index cbe091852..9679ddc9f 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -1,7 +1,5 @@
 'use strict';
-const blobs = require('./blobs.js');
-
 // heavily inspired from https://gock.net/blog/2020/nginx-subrequest-authentication-server/ and https://github.com/andygock/auth-server
 exports = module.exports = {
@@ -12,6 +10,7 @@ exports = module.exports = {
 const apps = require('./apps.js'),
 assert = require('assert'),
 basicAuth = require('basic-auth'),
+ blobs = require('./blobs.js'),
 constants = require('./constants.js'),
 debug = require('debug')('box:proxyAuth'),
 ejs = require('ejs'),
@@ -41,12 +40,12 @@ function jwtVerify(req, res, next) {
 jwt.verify(token, gTokenSecret, function (error, decoded) {
 if (error) {
- debug('jwtVerify: clearing token', error);
- res.clearCookie('authToken');
- return next(new HttpError(403, 'Malformed token or bad signature'));
+ debug('jwtVerify: malformed token or bad signature', error.message);
+ req.user = null;
+ } else {
+ req.user = decoded.user || null;
 }
- req.user = decoded.user || null;
 next();
 });
 }
@@ -116,6 +115,7 @@ function isBrowser(req) {
 // called by nginx to authorize any protected route. this route must return only 2xx or 401/403 (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html)
 function auth(req, res, next) {
 if (!req.user) {
+ res.clearCookie('authToken');
 if (isBrowser(req)) return next(new HttpError(401, 'Unauthorized'));
 // the header has to be generated here and cannot be set in nginx config - https://forum.nginx.org/read.php?2,171461,171469#msg-171469
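Review bot: A token that fails verification now falls through with `req.user = null` instead of the old 403, so the debug line in the `if (error)` branch is the only trace that a bad token was presented, and `error.message` alone does not separate a routine expiry from a signature mismatch. Logging the error class as well, `debug('jwtVerify: token rejected: %s: %s', error.name, error.message);`, lets TokenExpiredError and JsonWebTokenError be told apart when reviewing logs. The branch would also benefit from a comment stating the intent now that the cookie clearing has moved, e.g. `// invalid or expired token: treat as anonymous; auth() clears the cookie and answers 401`. jwtVerify starts outside the hunk, so whether the no-token path also leaves req.user null is not visible here.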
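Review bot: `res.clearCookie('authToken')` in auth() only removes the cookie if its path/domain match the options it was set with, and the set-cookie call is outside this hunk; if the login handler sets `authToken` with a `path`, `domain` or `sameSite` option, the same options must be passed here or the browser keeps resending the stale cookie. This handler also answers the nginx auth_request subrequest (per the comment above `auth`), and nginx does not pass a subrequest's Set-Cookie header on to the client unless the config forwards it explicitly — presumably that is handled, but it is worth confirming since otherwise the clear has no effect. A short comment such as `// token missing or rejected by jwtVerify: drop the stale cookie before answering 401` would make the new line self-explanatory. auth's body continues outside the hunk.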
@@ -241,7 +241,7 @@ function initializeAuthwallExpressSync() {
 .use(middleware.lastMile());
 router.get ('/login', loginPage);
- router.get ('/auth', jwtVerify, basicAuthVerify, auth);
+ router.get ('/auth', jwtVerify, basicAuthVerify, auth); // called by nginx before accessing protected page
 router.post('/login', json, passwordAuth, authorize);
 router.get ('/logout', logoutPage);
 router.post('/logout', json, logout);