
Commit 6f2c983

committed
#128 check if x-requested-with or accept is application/json.
If either of them is set, return 403 Forbidden instead of redirecting to Auth0 for login.
1 parent 72d8fe7 commit 6f2c983


1 file changed

+22
-11
lines changed


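--- a/src/main/kotlin/dniel/forwardauth/infrastructure/spring/AuthorizeController.kt
+++ b/src/main/kotlin/dniel/forwardauth/infrastructure/spring/AuthorizeController.kt
@@ -28,17 +28,23 @@ class AuthorizeController(val authorizeHandler: AuthorizeHandler) {
 fun authorize(@RequestHeader headers: MultiValueMap<String, String>,
 @CookieValue("ACCESS_TOKEN", required = false) accessTokenCookie: String?,
 @CookieValue("JWT_TOKEN", required = false) userinfoCookie: String?,
+@RequestHeader("Accept") acceptContent: String?,
+@RequestHeader("x-requested-with") requestedWithHeader: String?,
 @RequestHeader("x-forwarded-host") forwardedHostHeader: String,
 @RequestHeader("x-forwarded-proto") forwardedProtoHeader: String,
 @RequestHeader("x-forwarded-uri") forwardedUriHeader: String,
 @RequestHeader("x-forwarded-method") forwardedMethodHeader: String,
 response: HttpServletResponse): ResponseEntity<Unit> {
 
 printHeaders(headers)
-return authenticateToken(accessTokenCookie, userinfoCookie, forwardedMethodHeader, forwardedHostHeader, forwardedProtoHeader, forwardedUriHeader, response)
+return authenticateToken(acceptContent, requestedWithHeader,
+accessTokenCookie, userinfoCookie, forwardedMethodHeader,
+forwardedHostHeader, forwardedProtoHeader, forwardedUriHeader, response)
 }
 
-private fun authenticateToken(accessToken: String?, idToken: String?, method: String, host: String, protocol: String, uri: String, response: HttpServletResponse): ResponseEntity<Unit> {
+private fun authenticateToken(acceptContent: String?, requestedWithHeader: String?, accessToken: String?,
+idToken: String?, method: String, host: String, protocol: String,
+uri: String, response: HttpServletResponse): ResponseEntity<Unit> {
 val command: AuthorizeHandler.AuthorizeCommand = AuthorizeHandler.AuthorizeCommand(accessToken, idToken, protocol, host, uri, method)
 val authorizeResult = LoggingHandler(authorizeHandler).handle(command)
 
@@ -55,15 +61,20 @@ class AuthorizeController(val authorizeHandler: AuthorizeHandler) {
 it is AuthorizeHandler.AuthEvent.NeedRedirectEvent
 } as AuthorizeHandler.AuthEvent.NeedRedirectEvent?
 if (redirectEvent != null) {
-// add the nonce value to the request to be able to retrieve ut again on the singin endpoint.
-val nonceCookie = Cookie("AUTH_NONCE", redirectEvent.nonce.value)
-nonceCookie.domain = redirectEvent.cookieDomain
-nonceCookie.maxAge = 60
-nonceCookie.isHttpOnly = true
-nonceCookie.path = "/"
-response.addCookie(nonceCookie)
-LOGGER.debug("Redirect to ${redirectEvent.authorizeUrl}")
-return ResponseEntity.status(HttpStatus.TEMPORARY_REDIRECT).location(redirectEvent.authorizeUrl).build()
+if ((acceptContent != null && acceptContent == "application/json") ||
+requestedWithHeader != null && requestedWithHeader == "XMLHttpRequest") {
+return ResponseEntity.status(HttpStatus.FORBIDDEN).build()
+} else {
+// add the nonce value to the request to be able to retrieve ut again on the singin endpoint.
+val nonceCookie = Cookie("AUTH_NONCE", redirectEvent.nonce.value)
+nonceCookie.domain = redirectEvent.cookieDomain
+nonceCookie.maxAge = 60
+nonceCookie.isHttpOnly = true
+nonceCookie.path = "/"
+response.addCookie(nonceCookie)
+LOGGER.debug("Redirect to ${redirectEvent.authorizeUrl}")
+return ResponseEntity.status(HttpStatus.TEMPORARY_REDIRECT).location(redirectEvent.authorizeUrl).build()
+}
 }
 
 // 3. check authorization.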
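Review bot: The Accept check at new lines 64-65 uses exact string equality, so an XHR client that sends a list or a parameterised value (e.g. `application/json, text/plain, */*` or `Application/JSON;charset=utf-8`, both constructed examples) still receives the 307 redirect to Auth0 that this commit is meant to suppress. Parse the header instead, e.g. `val wantsJson = acceptContent?.split(',')?.any { it.substringBefore(';').trim().equals("application/json", ignoreCase = true) } == true` and `val isXhr = requestedWithHeader.equals("XMLHttpRequest", ignoreCase = true)`, then `if (wantsJson || isXhr) return ResponseEntity.status(HttpStatus.FORBIDDEN).build()`; the `!= null` guards are redundant because Kotlin's `==` is null-safe, and the mixed `&&`/`||` without full parentheses is easy to misread. The two new `@RequestHeader` parameters at new lines 31-32 omit `required = false`, unlike the `@CookieValue` parameters directly above them; recent Spring versions treat Kotlin nullable parameters as optional, but stating it explicitly documents the intent and avoids a 400 on requests lacking those headers if this project's Spring version does not. Since the request is unauthenticated rather than authenticated-but-denied, 401 may describe the failure more accurately than 403, though the chosen status is a product decision. The enclosing authenticateToken body starts in the first hunk and continues past the end of this one.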
