Use string interpolation everywhere, harden host checks
parent
327aabaf46
commit
f2dd8d8335
@ -19,7 +19,7 @@ public class AuthHelpers {
var client = new HttpClient();
var client = new HttpClient();
client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
client.DefaultRequestHeaders.Add("x-forwarded-proto", "https");
client.DefaultRequestHeaders.Add("x-forwarded-proto", "https");
client.DefaultRequestHeaders.Add("Host", Vars.AutheliaSubdomain + "." + Vars.UpstreamPrimaryDomain);
client.DefaultRequestHeaders.Add("Host", $"{Vars.AutheliaSubdomain}.{Vars.UpstreamPrimaryDomain}");
var response = client.GetAsync($"http://127.0.0.1:9091/api/verify");
var response = client.GetAsync($"http://127.0.0.1:9091/api/verify");
return response.Result;
return response.Result;
}
}
@ -32,7 +32,7 @@ public class AuthHelpers {
client.DefaultRequestHeaders.Add(header.Key, (IEnumerable<string?>)header.Value);
client.DefaultRequestHeaders.Add(header.Key, (IEnumerable<string?>)header.Value);
}
}
client.DefaultRequestHeaders.Host = headers["Host"] + ".amdp." + Vars.UpstreamPrimaryDomain;
client.DefaultRequestHeaders.Host = $"{headers["Host"]}.amdp.{Vars.UpstreamPrimaryDomain}";
if (!string.IsNullOrWhiteSpace(cookie))
if (!string.IsNullOrWhiteSpace(cookie))
client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
client.DefaultRequestHeaders.Add("cookie", $"authelia_session={HttpUtility.UrlDecode(cookie)}");
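Review bot: In the second hunk the upstream Host header is composed from the caller-supplied `headers["Host"]` value, and nothing in this hunk checks that value against `Vars.PermittedDomains` the way the controllers in this same commit now do; unless the enclosing method (which starts outside the hunk) validates it earlier, any inbound host name is rewritten to `<host>.amdp.<upstream>` and forwarded. A guard such as `if (!Vars.PermittedDomains.Any(p => headers["Host"].ToString().EndsWith($".{p}", StringComparison.OrdinalIgnoreCase))) throw new ArgumentException(...)` placed before the assignment would keep the helper consistent with the rest of the hardening. Separately, the first hunk still returns `response.Result` on a `GetAsync` call, which blocks a thread pool thread on async work; making the helper `async Task<HttpResponseMessage>` and awaiting the call is the usual fix, and the `new HttpClient()` created per call should be disposed or shared.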
@ -12,7 +12,7 @@ public class CookieProxyController : Controller {
[Route("/api/cookieproxy_stage_one")]
[Route("/api/cookieproxy_stage_one")]
public IActionResult StageOne([FromQuery] string dstDomain, [FromQuery] string tgt) {
public IActionResult StageOne([FromQuery] string dstDomain, [FromQuery] string tgt) {
// Check if we are on the correct domain
// Check if we are on the correct domain
if (Request.Host.Host != Vars.AuthProxySubdomain + "." + Vars.UpstreamPrimaryDomain)
if (Request.Host.Host != $"{Vars.AuthProxySubdomain}.{Vars.UpstreamPrimaryDomain}")
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
if (!Request.Cookies.ContainsKey("authelia_session")
if (!Request.Cookies.ContainsKey("authelia_session")
@ -34,7 +34,7 @@ public class CookieProxyController : Controller {
[Route("/api/cookieproxy_stage_two")]
[Route("/api/cookieproxy_stage_two")]
public IActionResult StageTwo([FromQuery] string dstDomain, [FromQuery] string tgt, [FromForm] string cookie) {
public IActionResult StageTwo([FromQuery] string dstDomain, [FromQuery] string tgt, [FromForm] string cookie) {
// Check if we are on an allowed domain
// Check if we are on an allowed domain
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
if (string.IsNullOrWhiteSpace(dstDomain)
if (string.IsNullOrWhiteSpace(dstDomain)
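Review bot: The new exact-match host check in StageTwo compares with `!=`, which is an ordinal, case-sensitive comparison, while host names are case-insensitive; a request whose Host header differs only in case from the configured `{AuthProxySubdomain}.{p}` is rejected with 421 even though it is the same host, and the same form is used in StageOne, in LogoutController.Post and in Index.cshtml. Moving from suffix matching to exact matching is the right hardening; it just needs a case-insensitive comparison, e.g. `if (!Vars.PermittedDomains.Any(p => string.Equals(Request.Host.Host, $"{Vars.AuthProxySubdomain}.{p}", StringComparison.OrdinalIgnoreCase)))`. Both methods continue past the end of their hunks.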
@ -10,13 +10,13 @@ public class LogoutController : Controller {
[Produces("text/html")]
[Produces("text/html")]
public ActionResult Post([FromQuery] string rd) {
public ActionResult Post([FromQuery] string rd) {
// Check if we are on an allowed domain
// Check if we are on an allowed domain
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p)))
if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
if (string.IsNullOrWhiteSpace(rd))
if (string.IsNullOrWhiteSpace(rd))
rd = "/";
rd = "/";
Response.Cookies.Delete(Vars.CookieName, new CookieOptions { Secure = true, SameSite = SameSiteMode.Lax, HttpOnly = true, Domain = Request.Host.Host.Replace(Vars.AuthProxySubdomain + ".", "")});
Response.Cookies.Delete(Vars.CookieName, new CookieOptions { Secure = true, SameSite = SameSiteMode.Lax, HttpOnly = true, Domain = Request.Host.Host.Replace($"{Vars.AuthProxySubdomain}.", "")});
Response.ContentType = "text/html";
Response.ContentType = "text/html";
Response.Redirect(rd);
Response.Redirect(rd);
return Content($"Cookie cleared. Redirecting... <a href=\"{rd}\">Click here if you are not redirected automatically</a>", "text/html");
return Content($"Cookie cleared. Redirecting... <a href=\"{rd}\">Click here if you are not redirected automatically</a>", "text/html");
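Review bot: The query parameter `rd` is only checked for whitespace before it is passed to `Response.Redirect(rd)` and spliced unencoded into the HTML returned by `Content(...)`, so the response body reflects attacker-controlled text inside an `href` attribute and the redirect target is unrestricted; the commit tightens the host check above but leaves this untouched. At minimum the attribute value should be encoded, `<a href=\"{HttpUtility.HtmlAttributeEncode(rd)}\">` (or `WebUtility.HtmlEncode`), and `rd` should be validated, e.g. `if (string.IsNullOrWhiteSpace(rd) || !Url.IsLocalUrl(rd)) rd = "/";`, or, if cross-domain redirects after logout are intended, checked against `Vars.PermittedDomains` the same way the Host header now is. The `Domain = Request.Host.Host.Replace(...)` expression replaces every occurrence of the subdomain prefix rather than only the leading one; that is harmless now that the host is known to be exactly `{AuthProxySubdomain}.{p}`, but a comment saying so would help the next reader.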
@ -9,7 +9,7 @@ namespace AutheliaMultiDomainProxy.Controllers;
public class RedirectController : Controller {
public class RedirectController : Controller {
public IActionResult Get([FromQuery] string dstDomain, [FromQuery] string tgt) {
public IActionResult Get([FromQuery] string dstDomain, [FromQuery] string tgt) {
// Check if we are on an allowed domain
// Check if we are on an allowed domain
if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith($".{p}"))) {
Response.StatusCode = 421;
Response.StatusCode = 421;
return StatusCode(StatusCodes.Status421MisdirectedRequest);
return StatusCode(StatusCodes.Status421MisdirectedRequest);
}
}
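Review bot: RedirectController.Get (and VerifyController.Get in the next file) keeps a suffix match, `Request.Host.Host.EndsWith($".{p}")`, which accepts any host at any depth below a permitted domain, whereas the other endpoints in this commit were tightened to an exact `{AuthProxySubdomain}.{p}` match; if these two endpoints are meant to be reachable from every application subdomain that is fine, but the comment should say so, e.g. `// Any host under a permitted domain may call this endpoint (not only the auth proxy host)`. The comparison should also pass `StringComparison.OrdinalIgnoreCase`, since `EndsWith(string)` without a comparison argument is culture-sensitive and host names are case-insensitive. In RedirectController the `Response.StatusCode = 421;` line is redundant with the `StatusCode(StatusCodes.Status421MisdirectedRequest)` result returned on the next line and can be dropped; VerifyController needs it because it returns a plain string.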
@ -8,7 +8,7 @@ namespace AutheliaMultiDomainProxy.Controllers;
public class VerifyController : Controller {
public class VerifyController : Controller {
public string Get() {
public string Get() {
// Check if we are on an allowed domain
// Check if we are on an allowed domain
if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith($".{p}"))) {
Response.StatusCode = 421;
Response.StatusCode = 421;
return "421 Misdirected Request";
return "421 Misdirected Request";
}
}
@ -4,7 +4,7 @@
@model IndexModel
@model IndexModel
@{
@{
// Check if we are on an allowed domain
// Check if we are on an allowed domain
if (!Request.Host.Host.StartsWith(Vars.AuthProxySubdomain + ".") || !Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))
Layout = null;
Layout = null;
Response.Clear();
Response.Clear();
Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
@ -32,6 +32,6 @@
}
}
else {
else {
<p>You are currently <span class="badge bg-danger">not authenticated</span></p>
<p>You are currently <span class="badge bg-danger">not authenticated</span></p>
<a href="https://@Vars.AutheliaSubdomain.@Vars.UpstreamPrimaryDomain/?rd=@(HttpUtility.UrlEncode($"https://{Vars.AuthProxySubdomain}.{Vars.UpstreamPrimaryDomain}/api/cookieproxy_stage_one?dstDomain={Request.Host.Host.Replace(Vars.AuthProxySubdomain + ".", "")}&tgt=https://{Request.Host.Host}"))" class="btn btn-success">Log in</a>
<a href="https://@Vars.AutheliaSubdomain.@Vars.UpstreamPrimaryDomain/?rd=@HttpUtility.UrlEncode($"https://{Vars.AuthProxySubdomain}.{Vars.UpstreamPrimaryDomain}/api/cookieproxy_stage_one?dstDomain={Request.Host.Host.Replace($"{Vars.AuthProxySubdomain}.", "")}&tgt=https://{Request.Host.Host}")" class="btn btn-success">Log in</a>
}
}
</div>
</div>
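Review bot: In the first hunk of Index.cshtml the rewritten host check drops the opening brace that the old line carried: the new `if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}"))` ends without `{`, while the `Layout = null;`, `Response.Clear();` and `Response.StatusCode = ...` lines that follow are unchanged context. As rendered here that leaves only `Layout = null;` inside the condition and the 421 status applied to every request (or, if a closing brace still follows, a Razor compile error); the line should read `if (Vars.PermittedDomains.All(p => Request.Host.Host != $"{Vars.AuthProxySubdomain}.{p}")) {`, with a case-insensitive comparison as noted for the controllers. In the second hunk, replacing `@(HttpUtility.UrlEncode(...))` with the implicit `@HttpUtility.UrlEncode(...)` relies on Razor's implicit-expression parsing of a call whose argument contains nested interpolated strings; the explicit `@( )` form was easier to read inside an attribute value and is the safer choice for an expression of this size.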