-rw-r--r--ChangeLog1
-rw-r--r--app/Auth/ReverseProxy.php11
-rw-r--r--app/Model/Authentication.php5
-rw-r--r--config.default.php4
4 files changed, 18 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index dd0fcf97..91e09fcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ Breaking changes:
- Add namespace Kanboard (update your plugins)
- Move Mailgun, Sendgrid, Postmark, Slack, Hipchat and Jabber to plugins
+- ReverseProxy authentication check for each request that the username match the user session
New features:
diff --git a/app/Auth/ReverseProxy.php b/app/Auth/ReverseProxy.php
index abcdd449..1910ad35 100644
--- a/app/Auth/ReverseProxy.php
+++ b/app/Auth/ReverseProxy.php
@@ -21,6 +21,17 @@ class ReverseProxy extends Base
const AUTH_NAME = 'ReverseProxy';
/**
+ * Get username from the reverse proxy
+ *
+ * @access public
+ * @return string
+ */
+ public function getUsername()
+ {
+ return isset($_SERVER[REVERSE_PROXY_USER_HEADER]) ? $_SERVER[REVERSE_PROXY_USER_HEADER] : '';
+ }
+
+ /**
* Authenticate the user with the HTTP header
*
* @access public
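Review bot: The new getUsername() returns `$_SERVER[REVERSE_PROXY_USER_HEADER]` verbatim, and its docblock says nothing about the trust assumption that makes that safe: the value only identifies a user if the reverse proxy is the sole party able to set that header and strips or overwrites any client-supplied copy. Since Authentication.php now compares this value against the session user on every request, a reader of the docblock should see that caveat rather than infer it. Suggested docblock addition: `Trusted as-is: the reverse proxy in front of Kanboard must be the only source of this header (it must strip or overwrite any client-supplied copy). Returns '' when the header is absent.` The authenticate() method whose docblock begins at the end of this hunk continues outside it.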
diff --git a/app/Model/Authentication.php b/app/Model/Authentication.php
index 116e0726..580c1e14 100644
--- a/app/Model/Authentication.php
+++ b/app/Model/Authentication.php
@@ -44,7 +44,10 @@ class Authentication extends Base
if ($this->userSession->isLogged()) {
// Check if the user session match an existing user
- if (! $this->user->exists($this->userSession->getId())) {
+ $userNotFound = ! $this->user->exists($this->userSession->getId());
+ $reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $_SESSION['user']['username'];
+
+ if ($userNotFound || $reverseProxyWrongUser) {
$this->backend('rememberMe')->destroy($this->userSession->getId());
$this->session->close();
return false;
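Review bot: The new `$reverseProxyWrongUser` expression reads `$_SESSION['user']['username']` directly while the line above goes through `$this->userSession->getId()`; if a session lacks the `username` key (a session created before this breaking-change release, for instance), PHP emits an undefined-index notice and the comparison runs against null. A guard keeps the current "log out on mismatch" behaviour without the notice: `$sessionUsername = isset($_SESSION['user']['username']) ? $_SESSION['user']['username'] : null;` followed by `$reverseProxyWrongUser = REVERSE_PROXY_AUTH && $this->backend('reverseProxy')->getUsername() !== $sessionUsername;` — or the equivalent userSession accessor if one exists, which is not visible here. It is also worth a one-line comment that with REVERSE_PROXY_AUTH enabled any session not backed by a matching proxy header (absent header yields '') is destroyed on the next request, which appears intended. The enclosing method starts before and ends after this hunk.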
diff --git a/config.default.php b/config.default.php
index 90400110..77d45729 100644
--- a/config.default.php
+++ b/config.default.php
@@ -150,7 +150,7 @@ define('GITHUB_OAUTH_AUTHORIZE_URL', 'https://github.com/login/oauth/authorize')
// Github oauth2 token url
define('GITHUB_OAUTH_TOKEN_URL', 'https://github.com/login/oauth/access_token');
-// Github API url (don't forget the slash at the end)
+// Github API url (don't forget the trailing slash)
define('GITHUB_API_URL', 'https://api.github.com/');
// Enable/disable Gitlab authentication
@@ -168,7 +168,7 @@ define('GITLAB_OAUTH_AUTHORIZE_URL', 'https://gitlab.com/oauth/authorize');
// Gitlab oauth2 token url
define('GITLAB_OAUTH_TOKEN_URL', 'https://gitlab.com/oauth/token');
-// Gitlab API url endpoint (don't forget the slash at the end)
+// Gitlab API url endpoint (don't forget the trailing slash)
define('GITLAB_API_URL', 'https://gitlab.com/api/v3/');
// Enable/disable the reverse proxy authentication