
POC: be able to bypass permissions using an admin token #181

Open: wants to merge 2 commits into base: dev

Conversation

alexAubin
Member

@alexAubin alexAubin commented Mar 1, 2021

Soooo today I got fed up with seeing again stuff about having to "unprotect" an app to be able to run some curl requests, then having to protect-it-again-but-we-dont-really-know-if-it-was-protected-or-not-in-the-first-place

That turns a bunch of things that should have been simple into a complex mess.

So instead I'm investigating the idea of:

  • being able to define an admin token to bypass permissions restrictions using a header, let's call it SSOwat-Admin-Token
  • in ynh_local_curl, we temporarily add such a token and inject the corresponding header in the request
  • no need to tweak permission before/after ynh_local_curl anymoar
  • ???
  • PROFIT!

To test this PR:

  • Pull the corresponding branch, restart nginx
  • install -m 400 -o www-data <(echo secret_token) /etc/ssowat/admin_token
  • install an app in private mode. In my case I installed hextris
  • try curling the page without any auth, this should show the ssowat portal title: curl -s -L https://yolo.test/hextris --insecure | grep title
  • try adding --header "SSOwat-Admin-Token: secret_token"

@alexAubin alexAubin changed the title POC: be able to access pages using an admin token POC: be able to bypass permissions using an admin token Mar 1, 2021
@alexAubin alexAubin added this to In progress in 4.3.x via automation Apr 9, 2021
@alexAubin alexAubin removed this from In progress in 4.3.x Sep 6, 2021