From 9129a163377126d30b78ff39c94385f4245df7ae Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 24 Oct 2015 09:30:27 -0400
Subject: [PATCH] Check for each request that reverse proxy user match user
 session

---
 ChangeLog                    |  1 +
 app/Auth/ReverseProxy.php    | 11 +++++++++++
 app/Model/Authentication.php |  5 ++++-
 config.default.php           |  4 ++--
 4 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dd0fcf97a..91e09fcc4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ Breaking changes:
 
 - Add namespace Kanboard (update your plugins)
 - Move Mailgun, Sendgrid, Postmark, Slack, Hipchat and Jabber to plugins
+- ReverseProxy authentication check for each request that the username match the user session
 
 New features:
 
diff --git a/app/Auth/ReverseProxy.php b/app/Auth/ReverseProxy.php
index abcdd449b..1910ad354 100644
--- a/app/Auth/ReverseProxy.php
+++ b/app/Auth/ReverseProxy.php
@@ -20,6 +20,17 @@ class ReverseProxy extends Base
      */
     const AUTH_NAME = 'ReverseProxy';
 
+    /**
+     * Get username from the reverse proxy
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return isset($_SERVER[REVERSE_PROXY_USER_HEADER]) ? $_SERVER[REVERSE_PROXY_USER_HEADER] : '';
+    }
+
     /**
      * Authenticate the user with the HTTP header
      *
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php
index 116e07260..580c1e149 100644
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@@ -44,7 +44,10 @@ class Authentication extends Base
         if ($this->userSession->isLogged()) {
 
             // Check if the user session match an existing user
-            if (! $this->user->exists($this->userSession->getId())) {
+            $userNotFound = ! $this->user->exists($this->userSession->getId());
+            $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+            if ($userNotFound || $reverseProxyWrongUser) {
                 $this->backend('rememberMe')->destroy($this->userSession->getId());
                 $this->session->close();
                 return false;
diff --git a/config.default.php b/config.default.php
index 90400110f..77d457295 100644
--- a/config.default.php
+++ b/config.default.php
@@ -150,7 +150,7 @@ define('GITHUB_OAUTH_AUTHORIZE_URL', 'https://github.com/login/oauth/authorize')
 // Github oauth2 token url
 define('GITHUB_OAUTH_TOKEN_URL', 'https://github.com/login/oauth/access_token');
 
-// Github API url (don't forget the slash at the end)
+// Github API url (don't forget the trailing slash)
 define('GITHUB_API_URL', 'https://api.github.com/');
 
 // Enable/disable Gitlab authentication
@@ -168,7 +168,7 @@ define('GITLAB_OAUTH_AUTHORIZE_URL', 'https://gitlab.com/oauth/authorize');
 // Gitlab oauth2 token url
 define('GITLAB_OAUTH_TOKEN_URL', 'https://gitlab.com/oauth/token');
 
-// Gitlab API url endpoint (don't forget the slash at the end)
+// Gitlab API url endpoint (don't forget the trailing slash)
 define('GITLAB_API_URL', 'https://gitlab.com/api/v3/');
 
 // Enable/disable the reverse proxy authentication