
Allow access in portail in other domain than main domain #136

Merged
merged 1 commit into from May 22, 2019

@Josue-T
Contributor

commented May 17, 2019

Problem:

YunoHost/issues#1335

Solution

Allow to load the portal in other domain when the user is logged in.

@Josue-T Josue-T requested review from Psycojoker, zamentur, alexAubin and YunoHost/core-dev May 17, 2019

@opi

Collaborator

commented May 18, 2019

Yeah, I guess you found it!

I removed my previous hacks (on ynh_portal.js and the nginx/iframe part), and your solution works fine!

Now when I'm logged in, https://sub.domain.tld/yunohost/sso/ brings me the portal, and when I'm logged out it returns a nice 404. Perfect!

@opi

opi approved these changes May 18, 2019

@alexAubin

Member

commented May 18, 2019

That sounds sort of legit to me
Though I'm really wondering how that is_logged_in helper works in cross-domain context x_X
Will test and think about it a bit more

@opi

Collaborator

commented May 18, 2019

> Though I'm really wondering how that is_logged_in helper works in cross-domain context

Because the SSOWat auth cookie is explicitly set with `Domain=.domain.tld` (source: `local cookie_str = "; Domain=."..domain..`)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Scope_of_cookies
"Domain specifies allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included."

@alexAubin

Member

commented May 18, 2019

Interesting 👍

So I think it covers the case maindomain=foo.tld and subdomain=sub.foo.tld

But I doubt it covers the case maindomain=foo.tld and subdomain=bar.tld

(Also not sure about maindomain=portal.foo.tld and subdomain=sub.foo.tld)
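
As an added illustration (not part of the thread and not SSOwat's code): the RFC 6265 domain-matching rule that decides which hosts a browser sends a cookie to, applied to the three cases listed above. It assumes the cookie is set with `Domain=.` followed by the main domain; the function names are hypothetical, and it models only cookie scoping, not SSOwat's own cross-domain login logic.

```javascript
// Added example: RFC 6265 section 5.1.3 "domain-match", i.e. whether a
// browser attaches a cookie with a given Domain attribute to a request host.

// RFC 6265 section 5.2.3: a leading dot in the Domain attribute is ignored.
function normalizeCookieDomain(attr) {
  const d = attr.trim().toLowerCase();
  return d.startsWith('.') ? d.slice(1) : d;
}

// Suffix matching must never apply to IP addresses.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

function domainMatches(requestHost, cookieDomainAttr) {
  const host = requestHost.toLowerCase();
  const domain = normalizeCookieDomain(cookieDomainAttr);
  if (domain === '') return false;
  if (host === domain) return true;
  // The suffix must start at a label boundary: "notfoo.tld" is not under "foo.tld".
  return !isIpLiteral(host) && host.endsWith('.' + domain);
}

// Assumption: the auth cookie carries Domain="." + main domain.
function cookieSentTo(mainDomain, requestHost) {
  return domainMatches(requestHost, '.' + mainDomain);
}

// Constructed sample cases, taken from the comment above plus one boundary check.
const cases = [
  ['foo.tld', 'sub.foo.tld'],
  ['foo.tld', 'bar.tld'],
  ['portal.foo.tld', 'sub.foo.tld'],
  ['foo.tld', 'notfoo.tld'],
];
for (const [main, host] of cases) {
  const verdict = cookieSentTo(main, host) ? 'sent' : 'not sent';
  console.log(`Domain=.${main} -> ${host}: cookie ${verdict}`);
}
```

Under that assumption only the first case receives the cookie from the browser, so the other two depend on whatever additional cross-domain handling the server performs.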

@opi

Collaborator

commented May 18, 2019

> But I doubt it covers the case maindomain=foo.tld and subdomain=bar.tld
>
> (Also not sure about maindomain=portal.foo.tld and subdomain=sub.foo.tld)

Never tried these cases, but does the portal button even work?

@Josue-T

Contributor Author

commented May 20, 2019

I need to say that this patch works only with the protected_url. So for all protected_url you need to be authenticated, so that's the reason why it works.
And to understand why the cross-domain authentication works, the code is here:
https://github.com/YunoHost/SSOwat/blob/stretch-unstable/access.lua#L37-L57
https://github.com/YunoHost/SSOwat/blob/stretch-unstable/access.lua#L128-L140

I'm also working on another patch which has the same target as #119 but in another way, which should work better.

@alexAubin

Member

commented May 22, 2019

Yolomergin for 3.6 testing

@alexAubin alexAubin merged commit 8100c57 into stretch-unstable May 22, 2019

@alexAubin alexAubin deleted the fix_sso_botton_in_subdomain branch May 22, 2019

@alexAubin alexAubin added this to the 3.6.x milestone May 22, 2019
