Fix domain for auth cookie

The domain was incorrectly extracted from the request. It must be
using the `Host` header at last, trying now `X-Forwarded-For` and
`X-Forwarded-Host` first.
This commit is contained in:
Eike Kettner 2020-09-28 00:28:31 +02:00
parent ee3ae0a402
commit 67e1ba05f4
2 changed files with 33 additions and 3 deletions

View File

@ -0,0 +1,29 @@
package docspell.restserver.http4s
import org.http4s._
import org.http4s.headers._
import org.http4s.util.CaseInsensitiveString
/** Obtain the host name of the client from the request.
*/
object ClientHost {
def get[F[_]](req: Request[F]): Option[String] =
xForwardedFor(req)
.orElse(xForwardedHost(req))
.orElse(host(req))
private def host[F[_]](req: Request[F]): Option[String] =
req.headers.get(Host).map(_.host)
private def xForwardedFor[F[_]](req: Request[F]): Option[String] =
req.headers
.get(`X-Forwarded-For`)
.flatMap(_.values.head)
.flatMap(inet => Option(inet.getHostName).orElse(Option(inet.getHostAddress)))
private def xForwardedHost[F[_]](req: Request[F]): Option[String] =
req.headers
.get(CaseInsensitiveString("X-Forwarded-Host"))
.map(_.value)
}

View File

@ -7,6 +7,7 @@ import docspell.backend.auth._
import docspell.restapi.model._
import docspell.restserver._
import docspell.restserver.auth._
import docspell.restserver.http4s.ClientHost
import org.http4s._
import org.http4s.circe.CirceEntityDecoder._
@ -23,7 +24,7 @@ object LoginRoutes {
for {
up <- req.as[UserPass]
res <- S.loginUserPass(cfg.auth)(Login.UserPass(up.account, up.password))
remote = req.from.map(_.getHostName())
remote = ClientHost.get(req)
resp <- makeResponse(dsl, cfg, remote, res, up.account)
} yield resp
}
@ -37,10 +38,10 @@ object LoginRoutes {
case req @ POST -> Root / "session" =>
Authenticate
.authenticateRequest(S.loginSession(cfg.auth))(req)
.flatMap(res => makeResponse(dsl, cfg, req.from.map(_.getHostName), res, ""))
.flatMap(res => makeResponse(dsl, cfg, ClientHost.get(req), res, ""))
case req @ POST -> Root / "logout" =>
Ok().map(_.addCookie(CookieData.deleteCookie(cfg, req.from.map(_.getHostName))))
Ok().map(_.addCookie(CookieData.deleteCookie(cfg, ClientHost.get(req))))
}
}