From fd610864eac5e5254b0ecb4d32c4a997be1a8bb6 Mon Sep 17 00:00:00 2001
From: Yadd
Date: Thu, 3 Mar 2022 18:54:55 +0100
Subject: [PATCH] Don't export id in Ajax response for authenticated users (#2709)

---
 .../lib/Lemonldap/NG/Portal/Lib/SAML.pm | 2 +-
 .../lib/Lemonldap/NG/Portal/Main/Run.pm | 38 ++++++++++---------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
index 5773b192b..5ca8f4730 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@@ -1606,7 +1606,7 @@ sub buildLogoutRequestMsg {
 sub setSessionFromDump {
     my ( $self, $profile, $dump ) = @_;
-    $self->logger->debug("Loading Session dump: $dump");
+    $self->logger->debug("Loading Session dump: $dump") if $dump;
     eval {
         Lasso::Profile::set_session_from_dump( $profile, $dump );
     };
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index 38b8fab6f..ccde483b6 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -159,6 +159,7 @@ sub postLogin {
 sub authenticatedRequest {
     my ( $self, $req ) = @_;
+    $req->data->{alreadyAuthenticated} = 1;
     return $self->do(
         $req,
         [
@@ -311,19 +312,13 @@ sub do {
             );
         }
         else {
-            return $self->sendJSONresponse(
-                $req,
-                {
-                    result => 1,
-                    error => $err,
-                    id => $req->id,
-                    (
-                        $req->sessionInfo->{_httpSession}
-                        ? ( id_http => $req->sessionInfo->{_httpSession} )
-                        : ()
-                    )
-                }
-            );
+            my $res = { result => 1, error => $err };
+            unless ( $req->data->{alreadyAuthenticated} ) {
+                $res->{id} = $req->id;
+                $res->{id_http} = $req->sessionInfo->{_httpSession}
+                  if $req->sessionInfo->{_httpSession};
+            }
+            return $self->sendJSONresponse( $req, $res );
         }
     }
     else {
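Review bot: The added `if $dump` only silences the uninitialized-value warning in the interpolated debug message; `Lasso::Profile::set_session_from_dump` on the following line is still invoked with an undefined `$dump`, so if an empty dump is an expected state (the guard suggests it is) that case should be handled explicitly, e.g. `return unless $dump;` before the eval, or at least documented with `# $dump may be undef when no session was stored for this profile`. Whether Lasso tolerates an undef dump is not visible here. The same line also writes the complete session dump into the log; a SAML session dump may carry assertion material, so logging its length or a digest would be the safer debug output. The remainder of setSessionFromDump, including any `$@` check after the eval, lies outside the hunk.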
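Review bot: `$req->data->{alreadyAuthenticated} = 1;` is added without a comment, and its only reader is the JSON branch of `do()` changed further down in this commit, so a reader of authenticatedRequest cannot tell what the flag controls. Suggest `# Tell do() this request already carries a valid session: the Ajax response must not re-export the session id (#2709)`. The body of authenticatedRequest continues past the hunk.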
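Review bot: The new `unless ( $req->data->{alreadyAuthenticated} )` block exports the session id (and `id_http`) by default and withholds them only when an opt-in flag is present, so any other route into `do()` that serves an already-authenticated session without setting the flag still returns `$req->id` to the browser; that is fail-open rather than default-deny. If the id is only needed immediately after a fresh authentication, the safer shape is to key on a positive signal set where the new session is created (flag name TBD) and omit the id otherwise. At minimum the block deserves a comment such as `# Export the session id only for a freshly created session; an already-authenticated request must never expose it to page scripts (#2709)`. The enclosing `do()` starts and ends outside the hunk.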
@@ -458,7 +453,8 @@ sub getApacheSession {
         $self->logger->debug("Session $args{kind} $id not found");
         return;
     }
-    $self->logger->debug("Get session $id from Portal::Main::Run") if ($id);
+    $self->logger->debug("Get session $id from Portal::Main::Run")
+      if ($id);
     $self->logger->debug(
         "Check session validity -> " . $self->conf->{timeoutActivity} . "s" )
       if ( $self->conf->{timeoutActivity} );
@@ -490,7 +486,9 @@ sub getApacheSession {
 sub getPersistentSession {
     my ( $self, $uid, $info ) = @_;
-    return unless ( defined $uid and !$self->conf->{disablePersistentStorage} );
+    return
+      unless ( defined $uid
+        and !$self->conf->{disablePersistentStorage} );
     # Compute persistent identifier
     my $pid = getPSessionID($uid);
@@ -1052,7 +1050,11 @@ sub tplParams {
         SAMESITE => getSameSite( $self->conf ),
         SKIN_BG => $self->conf->{portalSkinBackground},
         CUSTOM_CSS => $self->conf->{portalCustomCss},
-        ( $self->customParameters ? ( %{ $self->customParameters } ) : () ),
+        (
+            $self->customParameters
+            ? ( %{ $self->customParameters } )
+            : ()
+        ),
         %templateParams
     );
 }
@@ -1163,7 +1165,9 @@ sub sendJSONresponse {
     # If this is a cross-domain request from the portal itself
     # (Ajax SSL to a different VHost)
     # we allow CORS
-    if ( $req->origin and index( $self->conf->{portal}, $req->origin ) == 0 ) {
+    if ( $req->origin
+        and index( $self->conf->{portal}, $req->origin ) == 0 )
+    {
         $self->logger->debug('AJAX request from portal, allowing CORS');
         push @{ $res->[1] },
           "Access-Control-Allow-Origin" => $req->origin,