Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign redirect requests for CAS #5452

Merged
merged 3 commits into from
May 14, 2024
Merged

Sign redirect requests for CAS #5452

merged 3 commits into from
May 14, 2024

Conversation

jrjohnson
Copy link
Member

We were allowing a cookie, which can be user defined, to redirect users after CAS authentication. This could potentially be tampered with or set by a bad actor.

By signing these cookies and validating them we remove this possibility and ensure that whatever is supplied in the cookie was created by us.

@jrjohnson
Sign redirect requests for CAS
6d63e64 
We were allowing a cookie, which can be user defined, to redirect users
after CAS authentication. This could potentially be tampered with or set
by a bad actor.

By signing these cookies and validating them we remove this possibility
and ensure that whatever is supplied in the cookie was created by us.
@jrjohnson
Remove useless redirect when no account exists
3489191 
This wasn't doing anything as the frontend catches the unauthenticated
response and sends the user to the login page. When no account exists
there isn't any of the application a user can actually visit.
@jrjohnson
Use the real serializer
d0edecd 
There is no need to do this ourselves and it's weird and hokey anyway.
@jrjohnson jrjohnson added the safe to deploy mark as from a trusted source and OK to deploy label May 13, 2024
@github-actions GitHub Actions
Copy link
Contributor

PR deployed to docker for all containers, you can access with the tag preview-pr-5452

michaelchadwick
michaelchadwick reviewed May 14, 2024
View reviewed changes
src/Service/CasAuthentication.php
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there any other places where this cookie is used that would need updating like this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I couldn't find any, and it's in that constant so it should have been easy to surface. It's internal entirely to this script and just a way to reliably move data through the CAS redirect process without storing anything on the machine.

@jrjohnson jrjohnson marked this pull request as ready for review May 14, 2024 16:43
@dartajax dartajax merged commit 4687ac6 into ilios:master May 14, 2024
43 checks passed
@jrjohnson jrjohnson deleted the validate-redirects branch May 14, 2024 18:04
@sentry-io Sentry.io
Copy link

sentry-io bot commented May 15, 2024

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

Did you find this useful? React with a 👍 or 👎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelchadwick michaelchadwick michaelchadwick approved these changes

@stopfstedt stopfstedt Awaiting requested review from stopfstedt stopfstedt is a code owner

Assignees

@dartajax dartajax

Labels
safe to deploy mark as from a trusted source and OK to deploy
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jrjohnson @michaelchadwick @dartajax