argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Redirect to Login for Unauthenticated Users in Application Settings/User Info #16675

Open robinlieb opened 9 months ago

robinlieb commented 9 months ago

Summary

Currently, the application does not redirect unauthenticated users to the login page when they attempt to access settings or user information. This issue acts as a follow-up to #9758.

Motivation

Even though the current implementation does not leak sensitive data, it would make more sense to redirect from settings and user info to login, as is done for applications and all subpages in settings.

Proposal

Redirection to login (e.g. from /applications) is triggered when the frontend receives a 401.

Currently the /settings endpoint returns information about the OIDC config, which the login page needs in order to determine the SSO options. Therefore this endpoint can't be protected by auth. The /user-info endpoint, in comparison, returns an empty user object when no user is authenticated. This endpoint could return a 401 if no user is authenticated, to trigger the frontend's redirect mechanism to the login page.
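The proposal above contrasts two server behaviours for an unauthenticated caller of /user-info: today's empty-user 200 response, which the frontend's 401-driven redirect never sees, and a 401 that would trigger the redirect just as it does for /applications. The following added example is illustrative Go written for this issue, not Argo CD's own code: the `/user-info` path, the `userInfo` shape, the `authenticate` session check and its single constructed session token are all assumptions made for the example, and both handlers are exercised in-memory with `httptest` so no server or browser is needed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// userInfo is a hypothetical response shape for /user-info; it is not Argo CD's type.
type userInfo struct {
	LoggedIn bool   `json:"loggedIn"`
	Username string `json:"username,omitempty"`
}

// authenticate is a stand-in for real session validation (an assumption for this
// example): it resolves a bearer token against a constructed, in-memory session table.
func authenticate(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return "", false
	}
	token := strings.TrimPrefix(h, prefix)
	sessions := map[string]string{"constructed-session-token": "alice"} // constructed sample data
	user, ok := sessions[token]
	return user, ok
}

// currentUserInfoHandler reproduces the behaviour the issue describes: an anonymous
// caller gets 200 with an empty user object, so the frontend never receives the 401
// that drives its redirect to /login.
func currentUserInfoHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := authenticate(r)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_ = json.NewEncoder(w).Encode(userInfo{LoggedIn: ok, Username: user})
}

// proposedUserInfoHandler implements the proposal: an anonymous caller gets 401, which
// the existing frontend mechanism already turns into a redirect to the login page.
// No OIDC/SSO configuration is served here, so nothing the login page needs is hidden;
// that data stays on the unauthenticated /settings endpoint, as the issue explains.
func proposedUserInfoHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := authenticate(r)
	w.Header().Set("Content-Type", "application/json")
	if !ok {
		w.Header().Set("WWW-Authenticate", `Bearer realm="user-info"`)
		w.WriteHeader(http.StatusUnauthorized)
		_ = json.NewEncoder(w).Encode(map[string]string{"error": "authentication required"})
		return
	}
	w.WriteHeader(http.StatusOK)
	_ = json.NewEncoder(w).Encode(userInfo{LoggedIn: true, Username: user})
}

// statusFor drives a handler with an in-memory GET /user-info carrying the given bearer
// token (empty string means anonymous) and returns the HTTP status code produced.
func statusFor(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/user-info", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Side-by-side comparison of the two behaviours for anonymous and authenticated callers.
	fmt.Println("current  /user-info, anonymous:    ", statusFor(currentUserInfoHandler, ""))
	fmt.Println("proposed /user-info, anonymous:    ", statusFor(proposedUserInfoHandler, ""))
	fmt.Println("proposed /user-info, valid session:", statusFor(proposedUserInfoHandler, "constructed-session-token"))
	fmt.Println("proposed /user-info, bogus token:  ", statusFor(proposedUserInfoHandler, "bogus"))
}
```

Running it prints 200 for the current handler regardless of caller, and 401 / 200 / 401 for the proposed handler with no token, a valid session and an unknown token respectively. The design point is that the fix lives entirely on the server side and reuses the frontend's existing 401 handling; the `WWW-Authenticate` header is included because RFC 7235 expects it alongside a 401, and the response body is kept to a generic error so the unauthenticated response reveals nothing more than the empty object did.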

ledroide commented 4 months ago

I confirm this issue on the /settings path. Also, when browsing unauthenticated to the /applications path, for about half a second before the redirect to /login it is possible to press the Escape key and stay on the Applications page.

An attacker could use this information to build a fake page that could carry out a phishing attack, for example.