Disabled session cookies for basic auth and token access. Added X-Failure header for failed login information.

Martin Edenhofer 2016-08-01 01:30:25 +02:00
parent f83c65bcb4
commit 3d81d6d600


@ -232,9 +232,19 @@ class ApplicationController < ActionController::Base
# already logged in, early exit # already logged in, early exit
if session.id && session[:user_id] if session.id && session[:user_id]
logger.debug 'session based auth check' logger.debug 'session based auth check'
userdata = User.lookup(id: session[:user_id]) user = User.lookup(id: session[:user_id])
current_user_set(userdata)
logger.debug "session based auth for '#{userdata.login}'" # check scopes / permission check
# auth_param[:permission]
#if auth_param[:permission] && !user.permission?(auth_param[:permission])
# return {
# auth: false,
# message: 'No permission!',
# }
#end
current_user_set(user)
logger.debug "session based auth for '#{user.login}'"
return { return {
auth: true auth: true
} }
@ -243,9 +253,9 @@ class ApplicationController < ActionController::Base
error_message = 'authentication failed' error_message = 'authentication failed'
# check sso based authentication # check sso based authentication
sso_userdata = User.sso(params) sso_user = User.sso(params)
if sso_userdata if sso_user
if check_maintenance_only(sso_userdata) if check_maintenance_only(sso_user)
return { return {
auth: false, auth: false,
message: 'Maintenance mode enabled!', message: 'Maintenance mode enabled!',
@ -259,6 +269,7 @@ class ApplicationController < ActionController::Base
# check http basic based authentication # check http basic based authentication
authenticate_with_http_basic do |username, password| authenticate_with_http_basic do |username, password|
request.session_options[:skip] = true # do not send a session cookie
logger.debug "http basic auth check '#{username}'" logger.debug "http basic auth check '#{username}'"
if Setting.get('api_password_access') == false if Setting.get('api_password_access') == false
return { return {
@ -266,17 +277,17 @@ class ApplicationController < ActionController::Base
message: 'API password access disabled!', message: 'API password access disabled!',
} }
end end
userdata = User.authenticate(username, password) user = User.authenticate(username, password)
next if !userdata next if !user
if check_maintenance_only(userdata) if check_maintenance_only(user)
return { return {
auth: false, auth: false,
message: 'Maintenance mode enabled!', message: 'Maintenance mode enabled!',
} }
end end
current_user_set(userdata) current_user_set(user)
user_device_log(userdata, 'basic_auth') user_device_log(user, 'basic_auth')
logger.debug "http basic auth for '#{userdata.login}'" logger.debug "http basic auth for '#{user.login}'"
return { return {
auth: true auth: true
} }
@ -285,21 +296,22 @@ class ApplicationController < ActionController::Base
# check http token action based authentication # check http token action based authentication
if auth_param[:token_action] if auth_param[:token_action]
authenticate_with_http_token do |token, _options| authenticate_with_http_token do |token, _options|
logger.debug "token action auth check '#{token}'" request.session_options[:skip] = true # do not send a session cookie
userdata = Token.check( logger.debug "http token action auth check '#{token}'"
user = Token.check(
action: auth_param[:token_action], action: auth_param[:token_action],
name: token, name: token,
) )
next if !userdata next if !user
if check_maintenance_only(userdata) if check_maintenance_only(user)
return { return {
auth: false, auth: false,
message: 'Maintenance mode enabled!', message: 'Maintenance mode enabled!',
} }
end end
current_user_set(userdata) current_user_set(user)
user_device_log(userdata, 'token_auth') user_device_log(user, 'token_auth')
logger.debug "token action auth for '#{userdata.login}'" logger.debug "http token action auth for '#{user.login}'"
return { return {
auth: true auth: true
} }
@ -308,32 +320,84 @@ class ApplicationController < ActionController::Base
# check http token based authentication # check http token based authentication
authenticate_with_http_token do |token, _options| authenticate_with_http_token do |token, _options|
logger.debug "token auth check '#{token}'" logger.debug "http token auth check '#{token}'"
request.session_options[:skip] = true # do not send a session cookie
if Setting.get('api_token_access') == false if Setting.get('api_token_access') == false
return { return {
auth: false, auth: false,
message: 'API token access disabled!', message: 'API token access disabled!',
} }
end end
userdata = Token.check( user = Token.check(
action: 'api', action: 'api',
name: token, name: token,
) )
next if !userdata next if !user
if check_maintenance_only(userdata) if check_maintenance_only(user)
return { return {
auth: false, auth: false,
message: 'Maintenance mode enabled!', message: 'Maintenance mode enabled!',
} }
end end
current_user_set(userdata)
user_device_log(userdata, 'token_auth') # permission check
logger.debug "token auth for '#{userdata.login}'" # auth_param[:permission]
current_user_set(user)
user_device_log(user, 'token_auth')
logger.debug "http token auth for '#{user.login}'"
return { return {
auth: true auth: true
} }
end end
=begin
# check oauth2 token based authentication
token = Doorkeeper::OAuth::Token.from_bearer_authorization(request)
if token
request.session_options[:skip] = true # do not send a session cookie
logger.debug "oauth2 token auth check '#{token}'"
access_token = Doorkeeper::AccessToken.by_token(token)
# check expire
if access_token.expires_in && (access_token.created_at + access_token.expires_in) < Time.zone.now
return {
auth: false,
message: 'OAuth2 token is expired!',
}
end
user = User.find(access_token.resource_owner_id)
if !user || user.active == false
return {
auth: false,
message: 'OAuth2 resource owner inactive!',
}
end
if check_maintenance_only(user)
return {
auth: false,
message: 'Maintenance mode enabled!',
}
end
# check scopes / permission check
# auth_param[:permission]
if access_token.scopes.empty?
return {
auth: false,
message: 'OAuth2 scope missing for token!',
}
end
current_user_set(user)
user_device_log(user, 'token_auth')
logger.debug "oauth token auth for '#{user.login}'"
return {
auth: true
}
end
=end
logger.debug error_message logger.debug error_message
{ {
auth: false, auth: false,
@ -462,7 +526,7 @@ class ApplicationController < ActionController::Base
def model_destory_render(object, params) def model_destory_render(object, params)
generic_object = object.find(params[:id]) generic_object = object.find(params[:id])
generic_object.destroy generic_object.destroy!
model_destory_render_item() model_destory_render_item()
end end
@ -601,8 +665,12 @@ class ApplicationController < ActionController::Base
end end
def unauthorized(e) def unauthorized(e)
error = model_match_error(e.message)
if error && error[:error]
response.headers['X-Failure'] = error[:error_human] || error[:error]
end
respond_to do |format| respond_to do |format|
format.json { render json: model_match_error(e.message), status: :unauthorized } format.json { render json: error, status: :unauthorized }
format.any { format.any {
@exception = e @exception = e
@traceback = !Rails.env.production? @traceback = !Rails.env.production?