Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bypassed authentication for /config API #321

Merged
merged 1 commit into from
Nov 3, 2023
Merged

Fix bypassed authentication for /config API #321

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions origin_ui/origin.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,9 @@ func getUser(ctx *gin.Context) (string, error) {
return parsed.Subject(), nil
}

// Authenticate user by checking if the auth cookie is present and set the user identity to ctx
// However, this won't stop the handler chain and return with 401 if the auth cookie
// is missing. It's the next handler's job to check if ctx has a non-empty "User" field
func authHandler(ctx *gin.Context) {
user, err := getUser(ctx)
if err != nil {
Expand Down Expand Up @@ -326,6 +329,11 @@ func resetLoginHandler(ctx *gin.Context) {
}

func getConfig(ctx *gin.Context) {
user := ctx.GetString("User")
if user == "" {
ctx.JSON(401, gin.H{"error": "Authentication required to visit this API"})
return
}
config, err := param.GetUnmarshaledConfig()
if err != nil {
ctx.JSON(500, gin.H{"error": "Failed to get the unmarshaled config"})
Expand Down
Loading