Commit 69a97d06 authored by ale's avatar ale

Properly set the CORS origin

Handles the case where the SSOLoginServer URL has a path component.
parent 72888c4b
......@@ -55,6 +55,7 @@ extern module AP_MODULE_DECLARE_DATA sso_module;
typedef struct {
const char *login_server;
const char *login_server_origin;
const char *domain;
const char *service;
......@@ -100,6 +101,7 @@ static void *create_modsso_config(apr_pool_t *p, char *s) {
// Set default values.
newcfg->login_server = NULL;
newcfg->login_server_origin = NULL;
newcfg->service = NULL;
newcfg->domain = NULL;
newcfg->public_key = NULL;
......@@ -117,6 +119,8 @@ static void *merge_modsso_config(apr_pool_t *p, void *base, void *add) {
newcfg->login_server =
cadd->login_server ? cadd->login_server : cbase->login_server;
newcfg->login_server_origin =
cadd->login_server_origin ? cadd->login_server_origin : cbase->login_server_origin;
newcfg->service = cadd->service ? cadd->service : cbase->service;
newcfg->domain = cadd->domain ? cadd->domain : cbase->domain;
newcfg->public_key = cadd->public_key ? cadd->public_key : cbase->public_key;
......@@ -131,7 +135,22 @@ static void *merge_modsso_config(apr_pool_t *p, void *base, void *add) {
static const char *set_modsso_login_server(cmd_parms *parms, void *mconfig,
const char *arg) {
modsso_config *s_cfg = (modsso_config *)mconfig;
char *origin, *p;
// Ignore an eventual https:// prefix.
if (!strncmp(arg, "https://", 8)) {
arg += 8;
}
s_cfg->login_server = arg;
// The CORS Origin for the login server is obtained by stripping any
// path component from the URL.
origin = apr_pstrdup(parms->pool, arg);
if ((p = strchr(origin, '/')) != NULL) {
*p = '\0';
}
s_cfg->login_server_origin = apr_pstrcat(parms->pool, "https://", origin, NULL);
return NULL;
}
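Review bot: The origin built at the `apr_pstrcat` line keeps whatever case the administrator typed, but browsers serialize the `Origin` header with a lowercase host and the CORS check compares `Access-Control-Allow-Origin` byte-for-byte, so an `SSOLoginServer` value such as `Login.Example.COM/sso` produces a header that never matches; lowercase `origin` after the path is stripped (with `apr_tolower()` from apr_lib.h, or `tolower()` on an `unsigned char`). The same truncation at the first `/` also passes through userinfo, a query or a fragment (`user@host`, `host?x`) unchanged, and an `http://` prefix is not recognised at all, so `http://host/p` yields the origin `https://http:`; these cannot be valid origins and are better rejected from the directive handler than silently emitted. A one-line comment above the loop, `// Origin hosts are serialized lowercase; the CORS check is byte-for-byte`, records why the normalization is there. The rewritten tail of `set_modsso_login_server` follows.
```c
    /* … unchanged: strip the path component into `origin` … */
    // Origin hosts are serialized lowercase by browsers and the CORS check
    // compares Access-Control-Allow-Origin byte-for-byte, so normalize here.
    for (p = origin; *p != '\0'; p++) {
        *p = apr_tolower(*p);
    }
    // Userinfo, query and fragment can never appear in an Origin; refuse them
    // instead of emitting a header that matches nothing.
    if (strpbrk(origin, "@?#") != NULL) {
        return "SSOLoginServer: expected host[:port][/path]";
    }
    s_cfg->login_server_origin = apr_pstrcat(parms->pool, "https://", origin, NULL);
    return NULL;
```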
......@@ -398,9 +417,8 @@ static int mod_sso_method_handler(request_rec *r) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"sso: logout? \"%s\" \"%s\"", sso_logout_path, uri);
if (!strcmp(uri, sso_logout_path)) {
char *login_server_origin = apr_pstrcat(r->pool, "https://", s_cfg->login_server, NULL);
modsso_del_cookie(r, sso_cookie_name, service_path);
apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", login_server_origin);
apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", s_cfg->login_server_origin);
apr_table_setn(r->err_headers_out, "Access-Control-Allow-Credentials", "true");
apr_table_setn(r->err_headers_out, "Cache-Control", "no-cache");
return http_sendstring(r, "OK");
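Review bot: The new `apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", s_cfg->login_server_origin)` line stores the pointer without checking it, and `login_server_origin` is initialized to NULL and only set by the `SSOLoginServer` directive; the replaced `apr_pstrcat` call at least produced the string `"https://"` when `login_server` was unset, whereas a NULL header value is likely to fault when the headers are written. Unless a check outside this hunk already guarantees the directive is configured before the logout path is reached, guard the header: `if (s_cfg->login_server_origin != NULL) { apr_table_setn(r->err_headers_out, "Access-Control-Allow-Origin", s_cfg->login_server_origin); }` or, better, fail the request with a logged configuration error. The enclosing `mod_sso_method_handler` starts and ends outside the hunk.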