Check for each request that reverse proxy user match user session

2015-10-24 09:30:27 -04:00 · 2015-10-24 09:30:27 -04:00 · 9129a16337
parent 9aca556fc6
commit 9129a16337
4 changed files with 18 additions and 3 deletions
--- a/1
+++ b/1
@ -5,6 +5,7 @@ Breaking changes:

 - Add namespace Kanboard (update your plugins)
 - Move Mailgun, Sendgrid, Postmark, Slack, Hipchat and Jabber to plugins
+- ReverseProxy authentication check for each request that the username match the user session

 New features:

--- a/app/Auth/ReverseProxy.php
+++ b/app/Auth/ReverseProxy.php
@ -20,6 +20,17 @@ class ReverseProxy extends Base
     */
    const AUTH_NAME = 'ReverseProxy';

+    /**
+     * Get username from the reverse proxy
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return isset($_SERVER[REVERSE_PROXY_USER_HEADER]) ? $_SERVER[REVERSE_PROXY_USER_HEADER] : '';
+    }
+
    /**
     * Authenticate the user with the HTTP header
     *
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@ -44,7 +44,10 @@ class Authentication extends Base
        if ($this->userSession->isLogged()) {

            // Check if the user session match an existing user
-            if (! $this->user->exists($this->userSession->getId())) {
+            $userNotFound = ! $this->user->exists($this->userSession->getId());
+            $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+            if ($userNotFound || $reverseProxyWrongUser) {
                $this->backend('rememberMe')->destroy($this->userSession->getId());
                $this->session->close();
                return false;
--- a/config.default.php
+++ b/config.default.php
@ -150,7 +150,7 @@ define('GITHUB_OAUTH_AUTHORIZE_URL', 'https://github.com/login/oauth/authorize')
 // Github oauth2 token url
 define('GITHUB_OAUTH_TOKEN_URL', 'https://github.com/login/oauth/access_token');

-// Github API url (don't forget the slash at the end)
+// Github API url (don't forget the trailing slash)
 define('GITHUB_API_URL', 'https://api.github.com/');

 // Enable/disable Gitlab authentication
@ -168,7 +168,7 @@ define('GITLAB_OAUTH_AUTHORIZE_URL', 'https://gitlab.com/oauth/authorize');
 // Gitlab oauth2 token url
 define('GITLAB_OAUTH_TOKEN_URL', 'https://gitlab.com/oauth/token');

-// Gitlab API url endpoint (don't forget the slash at the end)
+// Gitlab API url endpoint (don't forget the trailing slash)
 define('GITLAB_API_URL', 'https://gitlab.com/api/v3/');

 // Enable/disable the reverse proxy authentication