#15 - when idCard service (https://github.com/citizenos/id-auth) is c…

…onfigured, dont trust X-SSL-Client-Cert header
citizenos · Aug 29, 2018 · 7b95c9e · 7b95c9e · moll · Aug 30, 2018
1 parent e10f089
commit 7b95c9e
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 9 deletions.
diff --git a/app.js b/app.js
@@ -43,7 +43,6 @@ if (app.get('env') === 'production' || app.get('env') === 'test') {
     app.set('trust proxy', true); // http://expressjs.com/guide/behind-proxies.html
 }
 
-
 app.use('/documentation', swaggerUi.serve, swaggerUi.setup(swaggerDocument));
 var prerender = require('prerender-node');
 prerender.set('prerenderServiceUrl', config.services.prerender.serviceUrl).set('prerenderToken', config.services.prerender.apiKey);

diff --git a/config/custom-environment-variables.json b/config/custom-environment-variables.json
@@ -29,6 +29,7 @@
       "token": "CITIZENOS_SERVICES_DIGIDOC_TOKEN"
     },
     "idCard": {
+      "serviceUrl": "CITIZENOS_SERVICES_IDCARD_SERVICE_URL",
       "apiKey": "CITIZENOS_SERVICES_IDCARD_APIKEY"
     },
     "smartId": {

diff --git a/config/default.json b/config/default.json
@@ -103,10 +103,6 @@
       "ssl": true,
       "rejectUnauthorized": true
     },
-    "idCard": {
-      "serviceUrl": "https://id.citizenos.com:8443/info",
-      "apiKey": null
-    },
     "smartId": {
       "hostname": "smartid.citizenos.com:8001",
       "authorizeToken": "m3EvIdswsiIpeOXqXb185fgoS9h0zpu5jrweZWLVGeVR5FoQpE",

diff --git a/config/test.json b/config/test.json
@@ -73,10 +73,6 @@
       "rejectUnauthorized": false,
       "apikey": "LUVORFBXdUhrb0RMLXhzekREcXpjR1NsU1BBeTZRWmJGRUR4blZpX3YzYjJRa3FZ"
     },
-    "idCard": {
-      "serviceUrl": "https://dev.id.citizenos.com:3002/info",
-      "apiKey": "ZWeCMMQSoIpOnavNnEo2daBjXbmG3PoEWgNnQ13EtZ9jF43gkInxok5fIioX"
-    },
     "smartId": {
       "hostname": "sid.demo.sk.ee",
       "apiPath": "/smart-id-rp/v1",

diff --git a/routes/api/auth.js b/routes/api/auth.js
@@ -569,6 +569,12 @@ module.exports = function (app) {
         var token = req.body.token; // Token to access the ID info service
         var cert = req.headers['x-ssl-client-cert'];
 
+        if (config.services.idCard && cert) {
+            logger.error('X-SSL-Client-Cert header is not allowed when ID-card service is enabled. IF you trust your proxy, sending the X-SSL-Client-Cert, delete the services.idCard from your configuration.');
+
+            return res.badRequest('X-SSL-Client-Cert header is not allowed when ID-card proxy service is enabled.');
+        }
+
         if (!token && !cert) {
             logger.warn('Missing required parameter "token" OR certificate in X-SSL-Client-Cert header. One must be provided!', req.path, req.headers);