webaccess: Enforce creation of req.session.user by authn plugins

The authorization logic determines whether the user has already
successfully authenticated by looking to see if `req.session.user`
exists. If an authentication plugin says that it successfully
authenticated the user but it did not create `req.session.user` then
authentication will re-run for every access, and authorization plugins
will be unable to determine whether the user has been authenticated.
Return a 500 internal server error to prevent these problems.
This commit is contained in:
Richard Hansen 2020-08-27 14:28:14 -04:00 committed by John McLear
parent 362b567276
commit 250e932f59


@ -92,6 +92,11 @@ exports.checkAccess = (req, res, next) => {
settings.users[ctx.username].username = ctx.username;
req.session.user = settings.users[ctx.username];
}
if (req.session.user == null) {
httpLogger.error('authenticate hook failed to add user settings to session');
res.status(500).send('Internal Server Error');
return;
}
step3Authorize();
}));
};
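Review bot: The new `if (req.session.user == null)` guard fails closed correctly, but nothing at the site says why a missing session user is treated as a server error rather than an authentication failure, and the logged message gives an operator no handle on which request tripped it. A comment above the check would carry the commit's rationale into the code, e.g. `// An authn plugin reported success without populating req.session.user; fail closed, otherwise authn re-runs on every request and authz cannot see the login.` If `ctx.username` is in scope here, as the preceding `settings.users[ctx.username]` lines suggest, adding it to the log line (not to the 500 response body, which should stay generic) would make the misconfigured plugin easier to find. The enclosing `exports.checkAccess` arrow function and the callback closed by `}));` both start outside the hunk.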