Merge pull request #202 from Digital-Engineering/development

fixed csrf issue
idaholab · Jan 23, 2023 · 6ddce67 · 6ddce67
2 parents 0fc7b99 + c56024f
commit 6ddce67
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/src/http_server/authentication/local.ts b/src/http_server/authentication/local.ts
@@ -46,7 +46,7 @@ export function LocalAuthMiddleware(req: express.Request, resp: express.Response
         return;
     }
 
-    passport.authenticate('local', (err, user, info) => {
+    passport.authenticate('local', {keepSessionInfo: true}, (err, user, info) => {
         if (err) {
             return resp.redirect(buildUrl('/oauth', {queryParams: {error: `${err}`}}));
         }

diff --git a/src/http_server/middleware.ts b/src/http_server/middleware.ts
@@ -101,11 +101,11 @@ export function authenticateRoute(): any {
         // basic assumes we are sending the username/password each request. In this
         // case we don't rely on the session for any login/user information
         case 'basic': {
-            return passport.authenticate('basic', {session: true});
+            return passport.authenticate('basic', {session: true, keepSessionInfo: true});
         }
 
         case 'token': {
-            return passport.authenticate('jwt', {session: false});
+            return passport.authenticate('jwt', {session: false, keepSessionInfo: true});
         }
 
         default: {

diff --git a/src/http_server/routes/access_management/oauth_routes.ts b/src/http_server/routes/access_management/oauth_routes.ts
@@ -323,7 +323,6 @@ export default class OAuthRoutes {
     }
 
     private static loginPage(req: Request, res: Response, next: NextFunction) {
-        req.logout((err: any) => {}); // in case a previous user logged into a session
         const oauthRequest = oauthRepo.authorizationFromRequest(req);
 
         return res.render('login', {
@@ -360,18 +359,20 @@ export default class OAuthRoutes {
                 passport.authenticate('saml', {
                     failureRedirect: '/unauthorized',
                     failureFlash: true,
+                    keepSessionInfo: true,
                 })(req, res);
             });
         } else {
             passport.authenticate('saml', {
                 failureRedirect: '/unauthorized',
                 failureFlash: true,
+                keepSessionInfo: true,
             })(req, res);
         }
     }
 
     private static saml(req: Request, res: Response, next: NextFunction) {
-        passport.authenticate('saml', (err, user, info) => {
+        passport.authenticate('saml', {keepSessionInfo: true}, (err, user, info) => {
             if (err) {
                 res.redirect(buildUrl('/oauth', {queryParams: {error: `${err}`}}));
                 return;
@@ -402,7 +403,7 @@ export default class OAuthRoutes {
     }
 
     private static logout(req: Request, res: Response, next: NextFunction) {
-        req.logout((err: any) => {});
+        req.logout({keepSessionInfo: true}, (err: any) => {});
 
         if (req.query.redirect_uri) {
             return res.redirect(req.query.redirect_uri as string);