fix(microservice): allow forwarding auth header if cookie for auth is…

… also present Signed-off-by: Tristan Bastian <tristan.bastian@softwareag.com>
SoftwareAG · Mar 22, 2024 · 97d66b9 · 97d66b9
1 parent 8470a16
commit 97d66b9
Showing 1 changed file with 32 additions and 3 deletions.
diff --git a/backend/src/header-adjustment.ts b/backend/src/header-adjustment.ts
@@ -3,9 +3,10 @@ import { IncomingHttpHeaders } from "http";
 import { name, version } from "../package.json";
 
 export class HeaderAdjustment {
-  private static headersToRemove = ["authorization"];
+  private static headersToRemove = [];
   private static headerPrefix = "rca-http-header-";
   static adjust(headers: IncomingHttpHeaders, details: ConnectionDetails) {
+    this.adjustAuthorization(headers);
     const keysToAdd: IncomingHttpHeaders = {};
     for (const [key, value] of Object.entries(headers)) {
       if (this.headersToRemove.includes(key)) {
@@ -30,20 +31,48 @@ export class HeaderAdjustment {
       keysToAdd[newKey] = value;
     }
     Object.assign(headers, keysToAdd);
+  }
+
+  private static adjustAuthorization(headers: IncomingHttpHeaders) {
+    let hadCookieAuth = false;
     if (headers.cookie) {
-      headers.cookie = this.adjustCookie(headers.cookie);
+      const newCookieValue = this.adjustCookie(headers.cookie);
+      if (newCookieValue !== headers.cookie) {
+        hadCookieAuth = true;
+      }
+      headers.cookie = newCookieValue;
       if (headers.cookie === "") {
         delete headers.cookie;
       }
     }
+
+    if (!hadCookieAuth) {
+      // should not pass basic auth for c8y on
+      if (headers.authorization) {
+        delete headers.authorization;
+      }
+      return;
+    }
+
+    // we want to keep the authorization header if the actual auth was cookie based
+    // but we want to remove the fake basic auth header added by the microservice proxy
+    if (!headers.authorization?.startsWith('Basic ')) {
+      return;
+    }
+
+    const token = headers.authorization.replace(/^Basic\s/, "");
+    const decodedToken = Buffer.from(token, "base64").toString("utf-8");
+    if (decodedToken.endsWith(':<fake password>')) {
+      delete headers.authorization;
+    }
   }
 
   private static adjustCookie(currentCookieValue: string) {
     if (!currentCookieValue?.length) {
       return currentCookieValue;
     }
 
-    const cookieKeysToReplace = ["authorization", "XSRF-TOKEN", "ahoi"];
+    const cookieKeysToReplace = ["authorization", "XSRF-TOKEN"];
     return cookieKeysToReplace.reduceRight((prev, curr) => {
       return this.removeCookieByName(prev, curr);
     }, currentCookieValue);