Commit 428e2d83 authored by o@immerda.ch's avatar o@immerda.ch

address review

parent 9d76c4c0
Pipeline #8606 passed with stage
in 2 minutes and 47 seconds
...@@ -15,8 +15,9 @@ module ApiTokenHelpers ...@@ -15,8 +15,9 @@ module ApiTokenHelpers
end end
end end
def api_token_age(email, token) def api_token_age(email)
return Float::INFINITY unless token token = parsed_body['token']
return nil unless token.present?
catch :secretbox_open_err do catch :secretbox_open_err do
ticket = Base64.decode64(token) ticket = Base64.decode64(token)
return false unless ticket return false unless ticket
...@@ -31,7 +32,7 @@ module ApiTokenHelpers ...@@ -31,7 +32,7 @@ module ApiTokenHelpers
end end
end end
end end
Float::INFINITY nil
end end
def self.valid_api_token?(token, email, kind) def self.valid_api_token?(token, email, kind)
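Review bot: api_token_age now signals an unusable token with two different falsy values: the new `return nil unless token.present?` and the trailing `nil` after the catch, while the unchanged context line `return false unless ticket` still yields false. Callers only test truthiness so this works, but the mixed convention invites a later `.nil?` check that misses the false path; I would change that line to `return nil unless ticket` and add a YARD comment above the def such as `# @return [Numeric, nil] age of the token sent in the request body, or nil when none is present or it cannot be opened`. Reading `parsed_body` inside a helper module method ties it to the request scope, which is presumably intended but belongs in that comment too. Since a token that fails to open now comes back as the same nil as an absent one, any logging of tampered or expired tokens has to happen inside the catch block, not at the call sites. The method body spans the lines omitted between the two hunks.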
......
...@@ -12,21 +12,14 @@ class IApi < Sinatra::Base ...@@ -12,21 +12,14 @@ class IApi < Sinatra::Base
end end
end end
def valid_reissue_token(email)
if parsed_body['token'].present?
return api_token_age(email, parsed_body['token'])
end
false
end
post '/master_saml' do post '/master_saml' do
email = validate_email(parsed_body['email'].downcase) email = validate_email(parsed_body['email'].downcase)
saml_req = parsed_body['saml_request'] saml_req = parsed_body['saml_request']
info = SamlManager.sp_info(saml_req) info = SamlManager.sp_info(saml_req)
sps = application_specific_secret(info) sps = application_specific_secret(info)
skip_2fa = valid_reissue_token(email) && skip_2fa = api_token_age(email) &&
valid_reissue_token(email) < IApiConf.tfa_validity api_token_age(email) < IApiConf.tfa_validity
user = AuthManager.auth(email, parsed_body, user = AuthManager.auth(email, parsed_body,
false, false,
...@@ -93,10 +86,10 @@ class IApi < Sinatra::Base ...@@ -93,10 +86,10 @@ class IApi < Sinatra::Base
allowed = IApiConf.acl.is_allowed_to_access?(email, saml[:plain_issuer]) allowed = IApiConf.acl.is_allowed_to_access?(email, saml[:plain_issuer])
end end
if saml && allowed && valid_reissue_token(email) if saml && allowed && api_token_age(email)
valid = valid_reissue_token(email) < saml[:max_reissue_time] valid = api_token_age(email) < saml[:max_reissue_time]
valid_with_tfa = valid_with_tfa =
valid_reissue_token(email) < saml[:max_reissue_time_2fa] api_token_age(email) < saml[:max_reissue_time_2fa]
# if the user has webauthn and we are within the :max_reissue_time_2fa # if the user has webauthn and we are within the :max_reissue_time_2fa
# then we only ask for a challenge and not for the full password. # then we only ask for a challenge and not for the full password.
...@@ -154,8 +147,8 @@ class IApi < Sinatra::Base ...@@ -154,8 +147,8 @@ class IApi < Sinatra::Base
post '/handoff' do post '/handoff' do
email = validate_email(parsed_body['email'].downcase) email = validate_email(parsed_body['email'].downcase)
user = nil user = nil
skip_2fa = valid_reissue_token(email) && skip_2fa = api_token_age(email) &&
valid_reissue_token(email) < IApiConf.tfa_validity api_token_age(email) < IApiConf.tfa_validity
do_auth = -> do do_auth = -> do
user = AuthManager.auth(email, parsed_body, user = AuthManager.auth(email, parsed_body,
false, false,
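Review bot: Each guard now evaluates `api_token_age(email)` twice in the skip_2fa assignments of /master_saml and /handoff, and three times around `if saml && allowed && api_token_age(email)`, and every call re-reads parsed_body, base64-decodes the ticket and presumably reopens the secretbox. Bind the result once per request, e.g. `age = api_token_age(email)` followed by `skip_2fa = age && age < IApiConf.tfa_validity`, and likewise `valid = age < saml[:max_reissue_time]` in the reissue branch. Besides avoiding repeated decryption this ensures the truthiness check and the comparison are made against the same value. The removed valid_reissue_token had the same double-call shape, so this is pre-existing, but the rename is the natural point to fix it. The post blocks begin and end outside these hunks.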
......