mirror of
https://github.com/netzbegruenung/user_saml.git
synced 2024-04-28 07:14:52 +02:00
Add CSRF token and track AuthnRequestID
Fixes https://github.com/nextcloud/user_saml/issues/11
This commit is contained in:
Lukas Reschke
parent
99bbde20dc
commit
0e66028025
|
|
@ -47,7 +47,8 @@ OC_User::handleApacheAuth();
|
|||
// Redirect all requests to the login page to the SAML login
|
||||
$currentUrl = explode('?', $_SERVER['REQUEST_URI'], 2)[0];
|
||||
if($currentUrl === '/server/index.php/login' && !OC_User::isLoggedIn()) {
|
||||
header('Location: '.$urlGenerator->linkToRouteAbsolute('user_saml.SAML.login'));
|
||||
$csrfToken = \OC::$server->getCsrfTokenManager()->getToken();
|
||||
header('Location: '.$urlGenerator->linkToRouteAbsolute('user_saml.SAML.login') .'?requesttoken='. urlencode($csrfToken->getEncryptedValue()));
|
||||
exit();
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -56,11 +56,14 @@ class SAMLController extends Controller {
|
|||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
* @UseSession
|
||||
*/
|
||||
public function login() {
|
||||
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
|
||||
$auth->login(\OC::$server->getURLGenerator()->getAbsoluteURL('/'));
|
||||
$ssoUrl = $auth->login(null, array(), false, false, true);
|
||||
$this->session->set('user_saml.AuthNRequestID', $auth->getLastRequestID());
|
||||
return new Http\RedirectResponse($ssoUrl);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -87,8 +90,13 @@ class SAMLController extends Controller {
|
|||
* @UseSession
|
||||
*/
|
||||
public function assertionConsumerService() {
|
||||
$AuthNRequestID = $this->session->get('AuthNRequestID');
|
||||
if(is_null($AuthNRequestID) || $AuthNRequestID === '') {
|
||||
return;
|
||||
}
|
||||
|
||||
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
|
||||
$auth->processResponse(null);
|
||||
$auth->processResponse($this->session->get('AuthNRequestID'));
|
||||
|
||||
$errors = $auth->getErrors();
|
||||
|
||||
|
|
@ -111,7 +119,6 @@ class SAMLController extends Controller {
|
|||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
*/
|
||||
public function singleLogoutService() {
|
||||
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
|
||||
|
|
|
|||
|
|
@ -155,7 +155,7 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
*/
|
||||
public function getLogoutAttribute() {
|
||||
// FIXME: Detect if SLO is configured
|
||||
return 'href="'.$this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.singleLogoutService').'"';
|
||||
return 'href="'.$this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.singleLogoutService').'?requesttoken='.urlencode(\OC::$server->getCsrfTokenManager()->getToken()->getEncryptedValue()).'"';
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in a new issue