

fix(microservice): allow forwarding auth header if cookie for auth is…
… also present

Signed-off-by: Tristan Bastian <tristan.bastian@softwareag.com>
reey committed Mar 22, 2024
1 parent 8470a16 commit 97d66b9
Showing 1 changed file with 32 additions and 3 deletions.
35 changes: 32 additions & 3 deletions backend/src/header-adjustment.ts
Expand Up @@ -3,9 +3,10 @@ import { IncomingHttpHeaders } from "http";
import { name, version } from "../package.json";

export class HeaderAdjustment {
private static headersToRemove = ["authorization"];
private static headersToRemove = [];
private static headerPrefix = "rca-http-header-";
static adjust(headers: IncomingHttpHeaders, details: ConnectionDetails) {
this.adjustAuthorization(headers);
const keysToAdd: IncomingHttpHeaders = {};
for (const [key, value] of Object.entries(headers)) {
if (this.headersToRemove.includes(key)) {
Expand All @@ -30,20 +31,48 @@ export class HeaderAdjustment {
keysToAdd[newKey] = value;
}
Object.assign(headers, keysToAdd);
}

private static adjustAuthorization(headers: IncomingHttpHeaders) {
let hadCookieAuth = false;
if (headers.cookie) {
headers.cookie = this.adjustCookie(headers.cookie);
const newCookieValue = this.adjustCookie(headers.cookie);
if (newCookieValue !== headers.cookie) {
hadCookieAuth = true;
}
headers.cookie = newCookieValue;
if (headers.cookie === "") {
delete headers.cookie;
}
}

if (!hadCookieAuth) {
// should not pass basic auth for c8y on
if (headers.authorization) {
delete headers.authorization;
}
return;
}

// we want to keep the authorization header if the actual auth was cookie based
// but we want to remove the fake basic auth header added by the microservice proxy
if (!headers.authorization?.startsWith('Basic ')) {
return;
}

const token = headers.authorization.replace(/^Basic\s/, "");
const decodedToken = Buffer.from(token, "base64").toString("utf-8");
if (decodedToken.endsWith(':<fake password>')) {
delete headers.authorization;
}
}

private static adjustCookie(currentCookieValue: string) {
if (!currentCookieValue?.length) {
return currentCookieValue;
}

const cookieKeysToReplace = ["authorization", "XSRF-TOKEN", "ahoi"];
const cookieKeysToReplace = ["authorization", "XSRF-TOKEN"];
return cookieKeysToReplace.reduceRight((prev, curr) => {
return this.removeCookieByName(prev, curr);
}, currentCookieValue);
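Review bot: `hadCookieAuth` (set right after `const newCookieValue = this.adjustCookie(headers.cookie);`) becomes true whenever adjustCookie changed the cookie string at all, and adjustCookie strips `XSRF-TOKEN` as well as `authorization`, so a request carrying only an XSRF-TOKEN cookie plus a client-supplied, non-fake Basic header now has that header forwarded even though no cookie-based auth was present — the case the pre-change code stripped unconditionally per the "should not pass basic auth for c8y on" comment. The flag should be derived from the presence of the `authorization` cookie itself rather than from string inequality, e.g. `const hadCookieAuth = /(^|;\s*)authorization=/.test(headers.cookie);` evaluated before the cookie is rewritten (constructed example, adjust to the cookie format removeCookieByName expects), leaving adjustCookie unchanged. The `endsWith(':<fake password>')` check then only has to tell the proxy's placeholder apart from a real credential, which is what the comment above it describes. adjustCookie's body runs past the end of the hunk and removeCookieByName is not visible, so whether inequality of the before/after strings reliably signals a removal cannot be confirmed from here.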
