#65: Set headers X-Remote-User and Remote-Groups

2017-08-19 11:45:26 +02:00 · 2017-08-19 11:45:26 +02:00 · 9d1d10596f
parent 7be61d7357
commit 9d1d10596f
8 changed files with 15 additions and 1986 deletions
--- a/doc/api_data.js
+++ b/doc/api_data.js
--- a/doc/api_data.json
+++ b/doc/api_data.json
--- a/doc/api_project.js
+++ b/doc/api_project.js
@ -1,15 +1 @@
-define({
-  "title": "Authelia API documentation",
-  "name": "authelia",
-  "version": "2.1.3",
-  "description": "2FA Single Sign-On server for nginx using LDAP, TOTP and U2F",
-  "sampleUrl": false,
-  "defaultVersion": "0.0.0",
-  "apidoc": "0.3.0",
-  "generator": {
-    "name": "apidoc",
-    "time": "2017-06-11T20:41:36.025Z",
-    "url": "http://apidocjs.com",
-    "version": "0.17.6"
-  }
-});
+define({
  "title": "Authelia API documentation",
  "name": "authelia",
  "version": "3.2.0",
  "description": "2FA Single Sign-On server for nginx using LDAP, TOTP and U2F",
  "sampleUrl": false,
  "defaultVersion": "0.0.0",
  "apidoc": "0.3.0",
  "generator": {
    "name": "apidoc",
    "time": "2017-08-19T09:41:58.170Z",
    "url": "http://apidocjs.com",
    "version": "0.17.6"
  }
});
--- a/doc/api_project.json
+++ b/doc/api_project.json
@ -1,15 +1 @@
-{
-  "title": "Authelia API documentation",
-  "name": "authelia",
-  "version": "2.1.3",
-  "description": "2FA Single Sign-On server for nginx using LDAP, TOTP and U2F",
-  "sampleUrl": false,
-  "defaultVersion": "0.0.0",
-  "apidoc": "0.3.0",
-  "generator": {
-    "name": "apidoc",
-    "time": "2017-06-11T20:41:36.025Z",
-    "url": "http://apidocjs.com",
-    "version": "0.17.6"
-  }
-}
+{
  "title": "Authelia API documentation",
  "name": "authelia",
  "version": "3.2.0",
  "description": "2FA Single Sign-On server for nginx using LDAP, TOTP and U2F",
  "sampleUrl": false,
  "defaultVersion": "0.0.0",
  "apidoc": "0.3.0",
  "generator": {
    "name": "apidoc",
    "time": "2017-08-19T09:41:58.170Z",
    "url": "http://apidocjs.com",
    "version": "0.17.6"
  }
}
--- a/example/nginx/nginx.conf
+++ b/example/nginx/nginx.conf
@ -78,12 +78,10 @@ http {
        location = /secret.html {
            auth_request /auth_verify;
            
-            auth_request_set $user $upstream_http_x_remote_user;
+            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;
-            auth_request_set $expiry $upstream_http_remote_expiry;
-            proxy_set_header Remote-Expiry $expiry;
        }
    }
 }
--- a/src/server/endpoints.ts
+++ b/src/server/endpoints.ts
@ -274,7 +274,10 @@ export const SECOND_FACTOR_GET = "/secondfactor";
 * @apiError (Error 401) status The user is not authenticated.
 *
 * @apiDescription Verify that the user is authenticated, i.e., the two
- * factors have been validated
+ * factors have been validated.
+ * If the user is authenticated the response headers Remote-User and Remote-Groups
+ * are set. Remote-User contains the user id of the currently logged in user and Remote-Groups
+ * a comma separated list of assigned groups.
 */
 export const VERIFY_GET = "/verify";

--- a/src/server/lib/routes/verify/get.ts
+++ b/src/server/lib/routes/verify/get.ts
@ -1,9 +1,7 @@

-import { Winston } from "winston";
 import objectPath = require("object-path");
 import BluebirdPromise = require("bluebird");
 import express = require("express");
-import { AccessController } from "../../access_control/AccessController";
 import exceptions = require("../../Exceptions");
 import winston = require("winston");
 import AuthenticationValidator = require("../../AuthenticationValidator");
@ -35,6 +33,9 @@ function verify_filter(req: express.Request, res: express.Response): BluebirdPro
      if (!authSession.first_factor || !authSession.second_factor)
        return BluebirdPromise.reject(new exceptions.AccessDeniedError("First or second factor not validated"));

+      res.setHeader("Remote-User", username);
+      res.setHeader("Remote-Groups", groups.join(","));
+
      return BluebirdPromise.resolve();
    });
 }
--- a/test/unit/server/routes/verify/get.test.ts
+++ b/test/unit/server/routes/verify/get.test.ts
@ -41,9 +41,12 @@ describe("test authentication token verification", function () {
    authSession.first_factor = true;
    authSession.second_factor = true;
    authSession.userid = "myuser";
+    authSession.groups = ["mygroup", "othergroup"];

    return VerifyGet.default(req as express.Request, res as any)
      .then(function () {
+        sinon.assert.calledWithExactly(res.setHeader, "Remote-User", "myuser");
+        sinon.assert.calledWithExactly(res.setHeader, "Remote-Groups", "mygroup,othergroup");
        assert.equal(204, res.status.getCall(0).args[0]);
      });
  });