ThatGuyJack/nginx-proxy-manager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2025-05-01 19:42:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Enforce token auth for odic config PUT call

Browse Source
This commit is contained in:
Samuel Oechsler 2024-10-30 20:35:01 +01:00
parent 7ef52d8ed4
commit 1a030a6ddd
No known key found for this signature in database
4 changed files with 21 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
backend/lib/express/jwt-decode.js
View File

@ -4,9 +4,14 @@ module.exports = () => {
return function (req, res, next) { return function (req, res, next) {
res.locals.access = null; res.locals.access = null;
let access = new Access(res.locals.token || null); let access = new Access(res.locals.token || null);
// allow unauthenticated access to OIDC configuration
let anon_access = req.url === '/oidc-config' && !access.token.getUserId(); // Allow unauthenticated access to get the oidc configuration
access.load(anon_access) let oidc_access =
req.url === '/oidc-config' &&
req.method === 'GET' &&
!access.token.getUserId();
access.load(oidc_access)
.then(() => { .then(() => {
res.locals.access = access; res.locals.access = access;
next(); next();

10
backend/routes/oidc.js
View File

@ -1,11 +1,11 @@
const crypto = require('crypto'); const crypto = require('crypto');
const error = require('../../lib/error'); const error = require('../lib/error');
const express = require('express'); const express = require('express');
const jwtdecode = require('../../lib/express/jwt-decode'); const jwtdecode = require('../lib/express/jwt-decode');
const logger = require('../../logger').oidc; const logger = require('../logger').oidc;
const oidc = require('openid-client'); const oidc = require('openid-client');
const settingModel = require('../../models/setting'); const settingModel = require('../models/setting');
const internalToken = require('../../internal/token'); const internalToken = require('../internal/token');
let router = express.Router({ let router = express.Router({
caseSensitive: true, caseSensitive: true,

5
backend/routes/settings.js
View File

@ -72,13 +72,14 @@ router
}) })
.then((row) => { .then((row) => {
if (row.id === 'oidc-config') { if (row.id === 'oidc-config') {
// redact oidc configuration via api // Redact oidc configuration via api (unauthenticated get call)
let m = row.meta; let m = row.meta;
row.meta = { row.meta = {
name: m.name, name: m.name,
enabled: m.enabled === true && !!(m.clientID && m.clientSecret && m.issuerURL && m.redirectURL && m.name) enabled: m.enabled === true && !!(m.clientID && m.clientSecret && m.issuerURL && m.redirectURL && m.name)
}; };
// remove these temporary cookies used during oidc authentication
// Remove these temporary cookies used during oidc authentication
res.clearCookie('npm_oidc'); res.clearCookie('npm_oidc');
res.clearCookie('npm_oidc_error'); res.clearCookie('npm_oidc_error');
} }

7
frontend/js/app/api.js
View File

@ -59,8 +59,11 @@ function fetch(verb, path, data, options) {
}, },
beforeSend: function (xhr) { beforeSend: function (xhr) {
// allow unauthenticated access to OIDC configuration // Allow unauthenticated access to get the oidc configuration
if (path === 'settings/oidc-config') return; if (path === 'settings/oidc-config' && verb === "get") {
return;
}
xhr.setRequestHeader('Authorization', 'Bearer ' + (token ? token.t : null)); xhr.setRequestHeader('Authorization', 'Bearer ' + (token ? token.t : null));
}, },