Hypertopic / AAAforREST

An HTTP reverse proxy to bring authentication, authorization and accounting to RESTful applications
GNU Affero General Public License v3.0

FIX: Avoid forging of CouchDB proxy auth. #30

Closed franck-eyraud closed 9 years ago

franck-eyraud commented 9 years ago

This gives protection for now.

Comment: if forwardedLoginHeader is not used, but the upstream server is configured with proxy auth, then the server is still exposed.

So I'd suggest a protectedHeaders list, because we could also meet other cases, and/or use the salted token.

franck-eyraud commented 9 years ago

This new pull request #31 is a better response.