Properly set the CORS origin

Handles the case where the SSOLoginServer URL has a path component.

Properly set the CORS origin
Handles the case where the SSOLoginServer URL has a path component.
69a97d06 · ale · 72888c4b · 69a97d06
Commit 69a97d06 authored Nov 16, 2018 by ale
--- a/src/mod_sso/mod_sso.c
+++ b/src/mod_sso/mod_sso.c
@@ -55,6 +55,7 @@ extern module AP_MODULE_DECLARE_DATA sso_module;

 typedef struct {
  const char *login_server;
+  const char *login_server_origin;
  const char *domain;
  const char *service;

@@ -100,6 +101,7 @@ static void *create_modsso_config(apr_pool_t *p, char *s) {

  // Set default values.
  newcfg->login_server = NULL;
+  newcfg->login_server_origin = NULL;
  newcfg->service = NULL;
  newcfg->domain = NULL;
  newcfg->public_key = NULL;
@@ -117,6 +119,8 @@ static void *merge_modsso_config(apr_pool_t *p, void *base, void *add) {

  newcfg->login_server =
      cadd->login_server ? cadd->login_server : cbase->login_server;
+  newcfg->login_server_origin =
+      cadd->login_server_origin ? cadd->login_server_origin : cbase->login_server_origin;
  newcfg->service = cadd->service ? cadd->service : cbase->service;
  newcfg->domain = cadd->domain ? cadd->domain : cbase->domain;
  newcfg->public_key = cadd->public_key ? cadd->public_key : cbase->public_key;
@@ -131,7 +135,22 @@ static void *merge_modsso_config(apr_pool_t *p, void *base, void *add) {
 static const char *set_modsso_login_server(cmd_parms *parms, void *mconfig,
                                           const char *arg) {
  modsso_config *s_cfg = (modsso_config *)mconfig;
+  char *origin, *p;
+
+  // Ignore an eventual https:// prefix.
+  if (!strncmp(arg, "https://", 8)) {
+    arg += 8;
+  }
  s_cfg->login_server = arg;
+
+  // The CORS Origin for the login server is obtained by stripping any
+  // path component from the URL.
+  origin = apr_pstrdup(parms->pool, arg);
+  if ((p = strchr(origin, '/')) != NULL) {
+    *p = '\0';
+  }
+  s_cfg->login_server_origin = apr_pstrcat(parms->pool, "https://", origin, NULL);
+
  return NULL;
 }

@@ -398,9 +417,8 @@ static int mod_sso_method_handler(request_rec *r) {
  ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
               "sso: logout? \"%s\" \"%s\"", sso_logout_path, uri);
  if (!strcmp(uri, sso_logout_path)) {
-    char *login_server_origin = apr_pstrcat(r->pool, "https://", s_cfg->login_server, NULL);
    modsso_del_cookie(r, sso_cookie_name, service_path);
-    apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", login_server_origin);
+    apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", s_cfg->login_server_origin);
    apr_table_setn(r->err_headers_out, "Access-Control-Allow-Credentials", "true");
    apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache");
    return http_sendstring(r, "OK");