-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
#15 - when idCard service (https://github.com/citizenos/id-auth) is c…
…onfigured, dont trust X-SSL-Client-Cert header
- Loading branch information
Showing
5 changed files
with
7 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7b95c9e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I strongly recommend you get
cert
from the header only if the proxy setting is unset. That'd be more whitelist-y than throwing an error, a blacklist approach. The latter are always waiting to be accidentally sidestepped.7b95c9e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@moll Rephrasing just in case - use the
cert
when Express'strust proxy
is set totrue
? Seems logical.Which reminds me right now it's environment based, but I guess we should let it be configurable?
https://github.com/citizenos/citizenos-api/blob/master/app.js#L43
7b95c9e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nah, I meant the
idCard
proxy setting. Express's proxy setting istrue
probably everywhere, as even Heroku has a proxy in front of your app.7b95c9e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I agree. The main point is that the "if" is easy to disappear and then the code becomes vulnerable.
It makes sense to make 2 totally different code paths depending if cert is to be used or not.