diff --git a/client/package-lock.json b/client/package-lock.json
index 92db0de..7bf33d4 100644
--- a/client/package-lock.json
+++ b/client/package-lock.json
@@ -8811,6 +8811,11 @@
 "resolved": "https://registry.npmjs.org/js-base64/-/js-base64-2.5.1.tgz",
 "integrity": "sha512-M7kLczedRMYX4L8Mdh4MzyAMM9O5osx+4FcOQuTvr3A9F2D9S5JXheN0ewNbrvK2UatkTRhL5ejGmGSjNMiZuw=="
 },
+ "js-cookie": {
+ "version": "2.2.0",
+ "resolved": "https://registry.npmjs.org/js-cookie/-/js-cookie-2.2.0.tgz",
+ "integrity": "sha1-Gywnmm7s44ChIWi5JIUmWzWx7/s="
+ },
 "js-levenshtein": {
 "version": "1.1.6",
 "resolved": "https://registry.npmjs.org/js-levenshtein/-/js-levenshtein-1.1.6.tgz",
diff --git a/client/package.json b/client/package.json
index fc5c989..af81aa2 100644
--- a/client/package.json
+++ b/client/package.json
@@ -6,6 +6,7 @@
 "dependencies": {
 "ansi-to-react": "^5.0.0",
 "js-base64": "^2.5.1",
+ "js-cookie": "^2.2.0",
 "lodash": "^4.17.11",
 "moment": "^2.24.0",
 "node-sass": "^4.11.0",
diff --git a/client/src/services/apiProxy.js b/client/src/services/apiProxy.js
index 4f4d873..85cfb65 100644
--- a/client/src/services/apiProxy.js
+++ b/client/src/services/apiProxy.js
@@ -1,3 +1,4 @@
+import * as cookie from 'js-cookie';
 import log from '../utils/log';
 const {host, href, hash, search} = window.location;
@@ -6,6 +7,12 @@ const isDev = process.env.NODE_ENV !== 'production';
 const BASE_HTTP_URL = isDev && host === 'localhost:4653' ? 'http://localhost:4654' : nonHashedUrl;
 const BASE_WS_URL = BASE_HTTP_URL.replace('http', 'ws');
+const authorizationCookie = cookie.get('Authorization');
+if (authorizationCookie) {
+ setToken(authorizationCookie);
+ cookie.remove('Authorization');
+}
+
 export function getToken() {
 return localStorage.authToken;
 }
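Review bot: The cookie value is written into persistent storage by `setToken(authorizationCookie)` exactly as received, with no check on its shape and unconditionally overwriting whatever token the user already had, so any request that reaches the server with an `Authorization` header (for example one added by an upstream proxy) silently replaces the current session. A minimal shape check such as `if (authorizationCookie && /^\S+ \S+$/.test(authorizationCookie)) {` rejects values that are not `<scheme> <credentials>`, and `cookie.remove('Authorization');` should run outside the `if` so a rejected value does not linger in a script-readable cookie. Note that the short cookie lifetime set on the server does not carry over: once in `localStorage` the value lives until the client clears it, which is worth a comment here. This block runs once at module load and calls `setToken` before its definition, which only works if `setToken` is a hoisted function declaration; that definition is outside the hunk.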
@@ -36,7 +43,7 @@ export async function request(path, params, autoLogoutOnAuthError = true) {
 const opts = Object.assign({headers: {}}, params);
 const token = getToken();
- if (token) opts.headers.Authorization = `Bearer ${token}`;
+ if (token) opts.headers.Authorization = token;
 const url = combinePath(BASE_HTTP_URL, path);
 const response = await fetch(url, opts);
diff --git a/client/src/views/auth.js b/client/src/views/auth.js
index bf5801a..ada47ad 100644
--- a/client/src/views/auth.js
+++ b/client/src/views/auth.js
@@ -97,7 +97,7 @@ async function oidcLogin(code, returnedState) {
 async function login(token, redirectUri) {
 try {
- setToken(token);
+ setToken(`Bearer ${token}`);
 await api.testAuth();
 if (redirectUri) {
diff --git a/server/index.js b/server/index.js
index 61c4904..dc1cfd9 100644
--- a/server/index.js
+++ b/server/index.js
@@ -44,7 +44,7 @@ const app = express();
 app.disable('x-powered-by'); // for security reasons, best not to tell attackers too much about our backend
 app.use(logging);
 if (NODE_ENV !== 'production') app.use(cors());
-app.use('/', express.static('public'));
+app.use('/', preAuth, express.static('public'));
 app.get('/oidc', getOidc);
 app.post('/oidc', postOidc);
 app.use('/*', proxy(proxySettings));
@@ -53,6 +53,18 @@ app.use(handleErrors);
 http.createServer(app).listen(4654);
 console.log('Server started');
+function preAuth(req, res, next) {
+ const auth = req.header('Authorization');
+
+ // If the request already contains an authorization header, pass it through to the client (as a cookie)
+ if (auth) {
+ res.cookie('Authorization', auth, {maxAge: 60, httpOnly: false});
+ console.log('Authorization header found. Passing through to client.');
+ }
+
+ next();
+}
+
 function logging(req, res, next) {
 res.once('finish', () => console.log(req.method, req.url, res.statusCode));
 next();
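Review bot: Dropping the `Bearer ` prefix on the new `opts.headers.Authorization = token;` line means a token that is already in `localStorage.authToken` from a build before this change is now sent bare, rejected, and — with `autoLogoutOnAuthError` defaulting to `true` — logs existing users out on their next request; the commit does not migrate those values. If that is acceptable, state it in a comment, e.g. `// authToken holds the full header value including its scheme (set by login() and the cookie pass-through above)`; otherwise prefix legacy values once before use. `request()` continues outside the hunk.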
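Review bot: The new `setToken(\`Bearer ${token}\`)` turns an empty or undefined `token` into the truthy string `Bearer undefined`, which `getToken()` then treats as a credential and attaches to every request until `testAuth()` fails. A guard before it, `if (!token) throw new Error('login: missing token');`, keeps a failed exchange from persisting a junk header; where `token` comes from is outside the hunk, so I cannot tell whether the caller already guarantees it. `login()` continues outside the hunk.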
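Review bot: Mounting `preAuth` on `'/'` ahead of `express.static` runs it for every request the server sees, including the `/oidc` routes and everything that falls through to the `/*` proxy, so each proxied API call that carries a bearer header gets a `Set-Cookie` echoing that token back as a script-readable cookie. The header is only useful on the request that loads the SPA document, so narrow the middleware to that case, e.g. start `preAuth` with `if (!(req.headers.accept || '').includes('text/html')) return next();` — the exact test depends on how the front proxy forwards headers, which is not visible here. This also keeps the "Authorization header found" log line out of API traffic.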
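Review bot: Express `res.cookie` takes `maxAge` in milliseconds, so `{maxAge: 60, httpOnly: false}` yields a cookie that expires 60 ms after the browser receives it, typically before the bundle has loaded and `cookie.get('Authorization')` runs; if a one-minute window was intended it should be `maxAge: 60 * 1000`. The cookie also carries no `secure` or `sameSite` attribute, so for that window the bearer value would ride along on plain-HTTP and cross-site requests; `res.cookie('Authorization', auth, {maxAge: 60 * 1000, httpOnly: false, secure: NODE_ENV === 'production', sameSite: 'strict'});` is the usual shape, and `NODE_ENV` is already in scope per the hunk above. `httpOnly: false` is required by design here because the client script reads the cookie, which is worth stating in the existing comment so nobody "fixes" it later.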