georchestra / georchestra-gateway

GNU General Public License v3.0

Redirect behavior differences on ?login when header-authentication (sec-*) is enabled and is not enabled #132

Closed edevosc2c closed 1 month ago

edevosc2c commented 2 months ago

On ?login, for example /geonetwork/?login, the gateway does not redirect the same way depending on whether header-authentication (sec-*) is enabled or not.

georchestra:
  gateway:
    security:
      header-authentication:
        enabled: true

It seems like when header-authentication (sec-*) is enabled, the gateway will redirect to /login only if it finds text/html in the Accept header. If it doesn't, it will try to force basic auth on the client.

Example on INRAE with header-authentication (sec-*) enabled

With no Accept header

edevos@wrk67:~$ curl -I "https://geodata.dev.inrae.fr/geonetwork/?login"
HTTP/2 401 
cache-control: no-cache, no-store, max-age=0, must-revalidate
expires: 0
pragma: no-cache
referrer-policy: no-referrer
strict-transport-security: max-age=31536000 ; includeSubDomains
www-authenticate: Basic realm="Realm"
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1 ; mode=block
date: Mon, 24 Jun 2024 10:48:45 GMT

With "text/html" in the Accept header

edevos@wrk67:~$ curl -I -H "accept: text/html" https://geodata.dev.inrae.fr/geonetwork/?login
HTTP/2 302 
cache-control: no-cache, no-store, max-age=0, must-revalidate
expires: 0
location: /login
pragma: no-cache
referrer-policy: no-referrer
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1 ; mode=block
date: Tue, 25 Jun 2024 15:48:22 GMT

Example on MEL with header-authentication (sec-*) not enabled

With no Accept header

edevos@wrk67:~$ curl -I "https://data.lillemetropole.fr/geonetwork/?login"
HTTP/2 302 
cache-control: no-cache, no-store, max-age=0, must-revalidate
expires: 0
location: /login
pragma: no-cache
referrer-policy: no-referrer
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1 ; mode=block
date: Tue, 25 Jun 2024 15:50:21 GMT

With "text/html" in the Accept header

edevos@wrk67:~$ curl -I -H "accept: text/html" https://data.lillemetropole.fr/geonetwork/?login
HTTP/2 302 
cache-control: no-cache, no-store, max-age=0, must-revalidate
expires: 0
location: /login
pragma: no-cache
referrer-policy: no-referrer
strict-transport-security: max-age=31536000 ; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1 ; mode=block
date: Tue, 25 Jun 2024 15:50:46 GMT

This redirection behavior breaks the geonetwork metadata visualization page. The user receives an authentication popup dialog and has to decline it in order for the page to load fully.

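Added example, not georchestra-gateway code: a Python model of the decision described in the report above, plus a small checker for pasted `curl -I` output so the two deployments can be compared mechanically. It assumes the redirect is triggered only by an explicit text/html (or text/*) media range with a non-zero q-value, and that a bare */* wildcard (which curl sends by default when no Accept header is given) does not count as asking for HTML.

```python
# Constructed model of the behaviour reported above; not georchestra-gateway code.
# Assumption: the gateway redirects to /login only when Accept explicitly lists
# text/html (or text/*); a bare */* wildcard, which curl sends by default when
# no Accept header is given, is treated as not asking for HTML.
from typing import Dict, Optional, Tuple


def accepts_html(accept: Optional[str]) -> bool:
    """True if the Accept header lists text/html or text/* with a q-value > 0."""
    if not accept:
        return False
    for item in accept.split(","):
        parts = [p.strip() for p in item.split(";")]
        media_range, q = parts[0].lower(), 1.0
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat the range as not acceptable
        if q > 0 and media_range in ("text/html", "text/*"):
            return True
    return False


def unauthenticated_response(accept: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Browser-like clients get a 302 to /login; anything else gets a Basic challenge."""
    if accepts_html(accept):
        return 302, {"location": "/login"}
    return 401, {"www-authenticate": 'Basic realm="Realm"'}


def classify_curl_head(raw: str) -> str:
    """Classify a pasted `curl -I` response as 'redirect', 'basic-challenge' or 'other'."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].upper().startswith("HTTP/"):
        return "other"
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 302 and headers.get("location", "").startswith("/login"):
        return "redirect"
    if status == 401 and headers.get("www-authenticate", "").lower().startswith("basic"):
        return "basic-challenge"
    return "other"
```

Feeding the two INRAE responses above to `classify_curl_head` yields `basic-challenge` and `redirect`, while both MEL responses yield `redirect`, which is the difference the report describes.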

groldan commented 1 month ago

I couldn't find a relationship between the georchestra.gateway.security.header-authentication.enabled configuration and the reported defect. With 1.0.0, the defect is visible regardless of the mentioned configuration setting.

I've created the following pull requests that, as far as I can tell, fix it for good:

Looking forward to your comments.