Fix basic authentication and tests
parent
185419e09e
commit
7a13523004
|
@ -299,6 +299,9 @@ http {
|
|||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# This header is required for basic authentication.
|
||||
proxy_set_header Proxy-Authorization $http_authorization;
|
||||
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ function redirectToSecondFactorPage(req: express.Request, res: express.Response)
|
|||
else
|
||||
res.redirect(Util.format("%s?%s=%s", Endpoints.SECOND_FACTOR_GET,
|
||||
Constants.REDIRECT_QUERY_PARAM,
|
||||
encodeURIComponent(redirectUrl)));
|
||||
redirectUrl));
|
||||
}
|
||||
|
||||
function redirectToService(req: express.Request, res: express.Response) {
|
||||
|
|
|
@ -75,7 +75,7 @@ export default function (vars: ServerVariables) {
|
|||
let newRedirectUrl = Endpoint.SECOND_FACTOR_GET;
|
||||
if (redirectUrl) {
|
||||
newRedirectUrl += "?" + Constants.REDIRECT_QUERY_PARAM + "="
|
||||
+ encodeURIComponent(redirectUrl);
|
||||
+ redirectUrl;
|
||||
}
|
||||
vars.logger.debug(req, "Redirect to '%s'", newRedirectUrl);
|
||||
res.send({
|
||||
|
|
|
@ -6,6 +6,7 @@ import { ServerVariables } from "../../ServerVariables";
|
|||
import GetWithSessionCookieMethod from "./get_session_cookie";
|
||||
import GetWithBasicAuthMethod from "./get_basic_auth";
|
||||
import Constants = require("../../../../../shared/constants");
|
||||
import ObjectPath = require("object-path");
|
||||
|
||||
import { AuthenticationSessionHandler }
|
||||
from "../../AuthenticationSessionHandler";
|
||||
|
@ -30,8 +31,9 @@ function verifyWithSelectedMethod(req: Express.Request, res: Express.Response,
|
|||
|
||||
function setRedirectHeader(req: Express.Request, res: Express.Response) {
|
||||
return function () {
|
||||
res.set("Redirect", encodeURIComponent("https://" + req.headers["host"] +
|
||||
req.headers["x-original-uri"]));
|
||||
const originalUrl = ObjectPath.get<Express.Request, string>(
|
||||
req, "headers.x-original-url");
|
||||
res.set("Redirect", originalUrl);
|
||||
return BluebirdPromise.resolve();
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@ Feature: User has access restricted access to domains
|
|||
|
||||
@need-registered-user-john
|
||||
Scenario: User john has admin access
|
||||
When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||
When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
@ -20,7 +20,7 @@ Feature: User has access restricted access to domains
|
|||
|
||||
@need-registered-user-bob
|
||||
Scenario: User bob has restricted access
|
||||
When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||
When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/"
|
||||
And I login with user "bob" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
@ -38,7 +38,7 @@ Feature: User has access restricted access to domains
|
|||
|
||||
@need-registered-user-harry
|
||||
Scenario: User harry has restricted access
|
||||
When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
|
||||
When I visit "https://login.example.com:8080?rd=https://home.example.com:8080/"
|
||||
And I login with user "harry" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
|
|
@ -3,16 +3,16 @@ Feature: User is redirected when factors are already validated
|
|||
@need-registered-user-john
|
||||
Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step.
|
||||
When I visit "https://single_factor.example.com:8080/secret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https://single_factor.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I'm redirected to "https://single_factor.example.com:8080/secret.html"
|
||||
And I visit "https://public.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https://public.example.com:8080/secret.html"
|
||||
|
||||
@need-registered-user-john
|
||||
Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration
|
||||
When I visit "https://public.example.com:8080/secret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
@ -25,7 +25,7 @@ Feature: User is redirected when factors are already validated
|
|||
@need-registered-user-john
|
||||
Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL
|
||||
When I visit "https://public.example.com:8080/secret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
|
|
@ -19,7 +19,7 @@ Feature: Authentication scenarii
|
|||
And I login with user "john" and password "password"
|
||||
And I register a TOTP secret called "Sec0"
|
||||
When I visit "https://admin.example.com:8080/secret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "Sec0" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
|
@ -27,7 +27,7 @@ Feature: Authentication scenarii
|
|||
|
||||
Scenario: User fails TOTP second factor
|
||||
When I visit "https://admin.example.com:8080/secret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||
And I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "BADTOKEN" as TOTP token
|
||||
And I click on "Sign in"
|
||||
|
|
|
@ -2,7 +2,7 @@ Feature: User is correctly redirected
|
|||
|
||||
Scenario: User is redirected to authelia when he is not authenticated
|
||||
When I visit "https://public.example.com:8080"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/"
|
||||
|
||||
@need-registered-user-john
|
||||
Scenario: User is redirected to home page after several authentication tries
|
||||
|
@ -22,7 +22,7 @@ Feature: User is correctly redirected
|
|||
|
||||
Scenario: Redirection URL is propagated from restricted page to first factor
|
||||
When I visit "https://public.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
|
||||
Scenario: Redirection URL is propagated from first factor to second factor
|
||||
Given I visit "https://login.example.com:8080/"
|
||||
|
@ -30,7 +30,7 @@ Feature: User is correctly redirected
|
|||
And I register a TOTP secret called "Sec0"
|
||||
When I visit "https://public.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https://public.example.com:8080/secret.html"
|
||||
|
||||
Scenario: Redirection URL is used to send user from second factor to target page
|
||||
Given I visit "https://login.example.com:8080/"
|
||||
|
@ -67,4 +67,4 @@ Feature: User is correctly redirected
|
|||
When I visit "https://admin.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/error/403"
|
||||
And I sleep for 5 seconds
|
||||
And I'm redirected to "https://home.example.com:8080/"
|
||||
And I'm redirected to "https://home.example.com:8080/"
|
||||
|
|
|
@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force
|
|||
|
||||
@need-registered-user-blackhat
|
||||
Scenario: User is unbanned after a configured amount of time
|
||||
Given I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Given I visit "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
And I set field "username" to "blackhat"
|
||||
And I set field "password" to "bad-password"
|
||||
And I click on "Sign in"
|
||||
|
@ -36,4 +36,4 @@ Feature: Authelia regulates authentication to avoid brute force
|
|||
And I click on "Sign in"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||
|
|
|
@ -8,8 +8,8 @@ Feature: Authelia keeps user sessions despite the application restart
|
|||
@need-registered-user-john
|
||||
Scenario: Secrets are stored even when Authelia restarts
|
||||
When the application restarts
|
||||
And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||
And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
And I use "REGISTERED" as TOTP token handle
|
||||
And I click on "Sign in"
|
||||
Then I'm redirected to "https://admin.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://admin.example.com:8080/secret.html"
|
||||
|
|
|
@ -6,7 +6,7 @@ Feature: Session is closed after a certain amount of time
|
|||
Given I have access to "https://public.example.com:8080/secret.html"
|
||||
When I sleep for 6 seconds
|
||||
And I visit "https://public.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
|
||||
@need-authenticated-user-john
|
||||
Scenario: An authenticated user is disconnected after session expiration period
|
||||
|
@ -17,4 +17,4 @@ Feature: Session is closed after a certain amount of time
|
|||
And I visit "https://public.example.com:8080/secret.html"
|
||||
And I sleep for 4 seconds
|
||||
And I visit "https://public.example.com:8080/secret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
Feature: User can access certain subdomains with single factor
|
||||
|
||||
Scenario: User is redirected to service after first factor if allowed
|
||||
When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
|
||||
When I visit "https://login.example.com:8080/?rd=https://single_factor.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
Then I'm redirected to "https://single_factor.example.com:8080/secret.html"
|
||||
|
||||
Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
|
||||
When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||
When I visit "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
|
||||
Then I'm redirected to "https://login.example.com:8080/?rd=https://admin.example.com:8080/secret.html"
|
||||
|
||||
Scenario: User can login using basic authentication
|
||||
When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication
|
||||
Then I receive the secret page
|
||||
Then I receive the secret page
|
||||
|
|
|
@ -3,7 +3,7 @@ Feature: Server is configured as a single factor only server
|
|||
|
||||
@need-registered-user-john
|
||||
Scenario: User is redirected to service after first factor if allowed
|
||||
When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
|
||||
When I visit "https://login.example.com:8080/?rd=https://public.example.com:8080/secret.html"
|
||||
And I login with user "john" and password "password"
|
||||
Then I'm redirected to "https://public.example.com:8080/secret.html"
|
||||
|
||||
|
|
Loading…
Reference in New Issue