
Forbidden instead of Unauthenticated while using X-Requested-With with MellonEnable=Auth #55

Open
astik opened this issue Mar 8, 2021 · 1 comment

Comments


astik commented Mar 8, 2021

Hi,
In the documentation it said for MellonEnable "Auth":

        #           There is a special handling of AJAX requests, that are
        #           identified by the "X-Requested-With: XMLHttpRequest" HTTP
        #           header. Since no user interaction can happen there,
        #           we always fail unauthenticated (not logged in) requests
        #           with a 403 Forbidden error without redirecting to the IdP.

Looking at the code in auth_mellon_handler.c:

        if(session == NULL || !session->logged_in) {
            /* We don't have a valid session. */

            // ...

            /*
             * If this is an AJAX request, we cannot proceed to the IdP,
             * Just fail early to save our resources
             */
            ajax_header = apr_table_get(r->headers_in, "X-Requested-With");
            if (ajax_header != NULL &&
                strcmp(ajax_header, "XMLHttpRequest") == 0) {
                    AM_LOG_RERROR(APLOG_MARK, APLOG_INFO, 0, r,
                      "Deny unauthenticated X-Requested-With XMLHttpRequest "
                      "(AJAX) request");
                    return HTTP_FORBIDDEN;
            }

My problem comes from HTTP_FORBIDDEN.
As far as I understand, if we reach the test for the X-Requested-With header, it means we don't have a valid session, which means we are not authenticated.
AFAIK there is a semantic issue, as forbidden means that we are authenticated but still can't go further. We should have a 401 status code and not a 403.
Having a 403 status code while not being authenticated is not good, as it is difficult to distinguish between a real 403 (authorized but not allowed) and a fake 403 (unauthorized).

From what I can tell, changing the return HTTP_FORBIDDEN to something like return HTTP_UNAUTHORIZED should do (still, I have no idea where those constants come from; my days as a C developer are long gone =D)


astik commented Mar 8, 2021

To go further, in addition to the 401 / 403 return code, having the URL of the login page in a response header would be great. That way the application that triggered the XHR request earlier could catch the 401/403 and work out that it needs to redirect the user to a login page defined by the response header. The frontend would be totally agnostic of the middleware configuration, which would be the only place holding the configuration of the auth server.
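Added example, not mod_auth_mellon's code and not part of this issue, covering both comments above: a plain-JavaScript model of the decision in the auth_mellon_handler.c excerpt (current 403 versus the proposed 401), and the login-URL response header plus client-side handling suggested in the second comment. The header name X-Mellon-Login-URL, the 303 status used for the interactive redirect, the session's "authorized" flag and the sample login URL are assumptions made for illustration; the case-insensitive header lookup mirrors how apr_table_get matches header names.

```javascript
// Added example, not mod_auth_mellon code: models the decision made in the
// auth_mellon_handler.c excerpt quoted in this issue, side by side with the
// 401-plus-header behaviour the issue proposes, and the client-side handler
// that would consume it.
// Assumptions (not from the project): the 303 redirect status for the
// non-AJAX case, the header name X-Mellon-Login-URL, the session.authorized
// flag, and the constructed sample login URL below.

const HTTP_SEE_OTHER = 303;
const HTTP_UNAUTHORIZED = 401;
const HTTP_FORBIDDEN = 403;

const LOGIN_URL = 'https://sp.example.org/mellon/login'; // constructed sample

// apr_table_get() matches header names case-insensitively; do the same here.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return null;
}

function isAjax(headers) {
  return getHeader(headers, 'X-Requested-With') === 'XMLHttpRequest';
}

// Server side. `session` is null or { loggedIn, authorized }; `authorized`
// models a genuine authorization decision taken after authentication.
// With proposed=false this follows the excerpt: unauthenticated AJAX -> 403.
// With proposed=true it returns 401 and exposes the login URL in a header.
function decide(session, headers, { proposed = false } = {}) {
  const loggedIn = session !== null && session.loggedIn === true;
  if (!loggedIn) {
    if (isAjax(headers)) {
      return proposed
        ? { status: HTTP_UNAUTHORIZED, headers: { 'X-Mellon-Login-URL': LOGIN_URL } }
        : { status: HTTP_FORBIDDEN, headers: {} };
    }
    // Interactive client: send it to the IdP login flow (assumed 303).
    return { status: HTTP_SEE_OTHER, headers: { Location: LOGIN_URL } };
  }
  if (!session.authorized) {
    // The "real" 403: authenticated, but not allowed here.
    return { status: HTTP_FORBIDDEN, headers: {} };
  }
  return { status: 200, headers: {} };
}

// Client side: what the page that fired the XHR should do with the reply.
// Returns an action instead of touching window.location so it can be tested.
function handleXhrResponse(res) {
  if (res.status === HTTP_UNAUTHORIZED) {
    const url = getHeader(res.headers, 'X-Mellon-Login-URL');
    return url ? { action: 'redirect-to-login', url } : { action: 'login-required' };
  }
  if (res.status === HTTP_FORBIDDEN) {
    // Under the current 403 behaviour this branch cannot tell
    // "not logged in" from "logged in but denied".
    return { action: 'access-denied' };
  }
  return { action: 'proceed' };
}

// Walk through the scenarios discussed in the issue.
function demo() {
  const ajax = { 'X-Requested-With': 'XMLHttpRequest' };
  const anon = null;
  const deniedUser = { loggedIn: true, authorized: false };
  return {
    currentAnon: decide(anon, ajax).status,                              // 403
    currentDenied: decide(deniedUser, ajax).status,                      // 403 as well
    proposedAnon: decide(anon, ajax, { proposed: true }),                // 401 + header
    proposedDenied: decide(deniedUser, ajax, { proposed: true }).status, // 403
  };
}

console.log(JSON.stringify(demo(), null, 2));
console.log(handleXhrResponse(demo().proposedAnon));
```

Run with node. The two "current" results come back as the same 403 whether the caller is anonymous or logged in but denied, which is the ambiguity the first comment describes; with the proposed behaviour the client handler can read the 401 and the assumed header and redirect. Note that X-Requested-With is set by the client, so this branch only changes how an unauthenticated request fails; it is not itself an access-control decision.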
