proxyAuth: add supportsBearerAuth flag

required for firefly-iii
Girish Ramakrishnan
2022-08-25 16:12:41 +02:00
parent e21f39bc0b
commit a584fad278


@@ -50,15 +50,23 @@ function jwtVerify(req, res, next) {
});
}
async function basicAuthVerify(req, res, next) {
async function authorizationHeader(req, res, next) {
const appId = req.headers['x-app-id'] || '';
const credentials = basicAuth(req);
if (!appId || !credentials) return next();
if (!appId) return next();
if (!req.headers.authorization) return next();
const [error, app] = await safe(apps.get(appId));
if (error) return next(new HttpError(503, error.message));
if (!app) return next(new HttpError(503, 'Error getting app'));
if (!app.manifest.addons.proxyAuth.basicAuth) return next();
// if app supports bearer auth, pass it through to the app
if (req.headers.authorization.startsWith('Bearer ') && app.manifest.addons.proxyAuth.supportsBearerAuth) return next(new HttpSuccess(200, {}));
const credentials = basicAuth(req);
if (!credentials) return next();
if (!app.manifest.addons.proxyAuth.basicAuth) return next(); // this is a flag because this allows auth to bypass 2FA
const verifyFunc = credentials.name.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
const [verifyError, user] = await safe(verifyFunc(credentials.name, credentials.pass, appId));
@@ -139,7 +147,7 @@ function auth(req, res, next) {
res.set('x-remote-email', req.user.email);
res.set('x-remote-name', req.user.displayName);
return next(new HttpSuccess(200, {}));
next(new HttpSuccess(200, {}));
}
// endpoint called by login page, username and password posted as JSON body
@@ -243,7 +251,7 @@ function initializeAuthwallExpressSync() {
.use(middleware.lastMile());
router.get ('/login', loginPage);
router.get ('/auth', jwtVerify, basicAuthVerify, auth); // called by nginx before accessing protected page
router.get ('/auth', jwtVerify, authorizationHeader, auth); // called by nginx before accessing protected page
router.post('/login', json, passwordAuth, authorize);
router.get ('/logout', logoutPage);
router.post('/logout', json, logoutPage);
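Review bot: The Bearer branch added in authorizationHeader answers 200 for any Authorization header that starts with `Bearer ` without inspecting the token, so for an app that sets `supportsBearerAuth` the authwall (login, and with it 2FA) stops applying to every route of that app, not only its API. That is deliberate pass-through, but unlike the `basicAuth` line below it, the comment does not say what the flag gives up; I would write `// supportsBearerAuth: token is NOT checked here; any request carrying a Bearer header skips the authwall (login and 2FA), so the app must authenticate every route itself`. This branch also returns before `auth` sets the `x-remote-*` headers, so it is worth confirming in the nginx config (not visible here) that client-supplied `x-remote-*` values cannot reach the app on this path. authorizationHeader's body continues outside the hunk.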