Skip to content

Commit

Permalink
#128 check if x-requested-with or accept is application/json.
Browse files Browse the repository at this point in the history 
If one of them is set then just show 403 forbidden instead of redirect to auth0 for login.
  • Loading branch information
@dniel
dniel committed Sep 25, 2019
1 parent 72d8fe7 commit 6f2c983
Showing 1 changed file with 22 additions and 11 deletions.
33 changes: 22 additions & 11 deletions src/main/kotlin/dniel/forwardauth/infrastructure/spring/AuthorizeController.kt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,17 +28,23 @@ class AuthorizeController(val authorizeHandler: AuthorizeHandler) {
fun authorize(@RequestHeader headers: MultiValueMap<String, String>,
@CookieValue("ACCESS_TOKEN", required = false) accessTokenCookie: String?,
@CookieValue("JWT_TOKEN", required = false) userinfoCookie: String?,
@RequestHeader("Accept") acceptContent: String?,
@RequestHeader("x-requested-with") requestedWithHeader: String?,
@RequestHeader("x-forwarded-host") forwardedHostHeader: String,
@RequestHeader("x-forwarded-proto") forwardedProtoHeader: String,
@RequestHeader("x-forwarded-uri") forwardedUriHeader: String,
@RequestHeader("x-forwarded-method") forwardedMethodHeader: String,
response: HttpServletResponse): ResponseEntity<Unit> {

printHeaders(headers)
return authenticateToken(accessTokenCookie, userinfoCookie, forwardedMethodHeader, forwardedHostHeader, forwardedProtoHeader, forwardedUriHeader, response)
return authenticateToken(acceptContent, requestedWithHeader,
accessTokenCookie, userinfoCookie, forwardedMethodHeader,
forwardedHostHeader, forwardedProtoHeader, forwardedUriHeader, response)
}

private fun authenticateToken(accessToken: String?, idToken: String?, method: String, host: String, protocol: String, uri: String, response: HttpServletResponse): ResponseEntity<Unit> {
private fun authenticateToken(acceptContent: String?, requestedWithHeader: String?, accessToken: String?,
idToken: String?, method: String, host: String, protocol: String,
uri: String, response: HttpServletResponse): ResponseEntity<Unit> {
val command: AuthorizeHandler.AuthorizeCommand = AuthorizeHandler.AuthorizeCommand(accessToken, idToken, protocol, host, uri, method)
val authorizeResult = LoggingHandler(authorizeHandler).handle(command)

Expand All @@ -55,15 +61,20 @@ class AuthorizeController(val authorizeHandler: AuthorizeHandler) {
it is AuthorizeHandler.AuthEvent.NeedRedirectEvent
} as AuthorizeHandler.AuthEvent.NeedRedirectEvent?
if (redirectEvent != null) {
// add the nonce value to the request to be able to retrieve ut again on the singin endpoint.
val nonceCookie = Cookie("AUTH_NONCE", redirectEvent.nonce.value)
nonceCookie.domain = redirectEvent.cookieDomain
nonceCookie.maxAge = 60
nonceCookie.isHttpOnly = true
nonceCookie.path = "/"
response.addCookie(nonceCookie)
LOGGER.debug("Redirect to ${redirectEvent.authorizeUrl}")
return ResponseEntity.status(HttpStatus.TEMPORARY_REDIRECT).location(redirectEvent.authorizeUrl).build()
if ((acceptContent != null && acceptContent == "application/json") ||
requestedWithHeader != null && requestedWithHeader == "XMLHttpRequest") {
return ResponseEntity.status(HttpStatus.FORBIDDEN).build()
} else {
// add the nonce value to the request to be able to retrieve ut again on the singin endpoint.
val nonceCookie = Cookie("AUTH_NONCE", redirectEvent.nonce.value)
nonceCookie.domain = redirectEvent.cookieDomain
nonceCookie.maxAge = 60
nonceCookie.isHttpOnly = true
nonceCookie.path = "/"
response.addCookie(nonceCookie)
LOGGER.debug("Redirect to ${redirectEvent.authorizeUrl}")
return ResponseEntity.status(HttpStatus.TEMPORARY_REDIRECT).location(redirectEvent.authorizeUrl).build()
}
}

// 3. check authorization.
Expand Down

0 comments on commit 6f2c983

Please sign in to comment.