Fix Ajax responses when rejected (current system broken by CORS)

2020-04-08 11:38:00 +02:00 · 2020-04-08 11:38:00 +02:00 · f4976d85fa
commit f4976d85fa
parent 557fa3f74c
1 changed files with 12 additions and 0 deletions
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/PSGI.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/PSGI.pm
@ -144,6 +144,18 @@ sub _authAndTrace {
        }
    }
    elsif ( $res < 400 ) {
+        if ( $req->wantJSON ) {
+            my %h    = ( $req->spliceHdrs );
+            my $host = $req->env->{HTTP_HOST};
+            if (    $h{Location}
+                and $h{Location} =~ m#^\Q$self->{portal}\E#
+                and $h{Location} !~ m#^https?://$host# )
+            {
+                return [
+                    401, [ 'WWW-Authenticate' => 'SSO ' . $self->{portal} ], []
+                ];
+            }
+        }
        return [ $res, [ $req->spliceHdrs ], [] ];
    }
    else {