security-dashboards-plugin
[BUG] Session Cookie not working in Proxy mode
Describe the bug
The session cookie is not working in proxy mode because it does not get validated.
To Reproduce
Steps to reproduce the behavior:
- Request any URL using the user, roles and xff headers. Take note of the cookie.
- Request another URL using the cookie with xff but without the roles and user headers -> 401
Expected behavior
Should be authorized
Plugins
Default plugins. Security plugins.
Host/Environment (please complete the following information):
- OS: docker ubuntu 20.04
- Version: 1.1.0
Additional context
There are two bugs in the validation of the cookie:
In this line:
https://github.com/opensearch-project/security-dashboards-plugin/blob/a48786e299d54ca4d5bc8d9ae016ed0590ef5849/server/auth/types/proxy/proxy_auth.ts#L94
should be:
username: authInfo.user_name,
and in this line:
https://github.com/opensearch-project/security-dashboards-plugin/blob/a48786e299d54ca4d5bc8d9ae016ed0590ef5849/server/auth/types/proxy/proxy_auth.ts#L118
should be:
cookie.authType === this.authType &&
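
The following is an added example, not code from the issue or from the plugin: a small TypeScript model of the cookie round trip described above, showing that a cookie-only follow-up request stays at 401 until both corrected lines are in place. The class `ProxyAuthModel`, the `Fixes` flags, the sample auth info, the values `"proxy"` and `"proxycache"`, and the "before" names (`username` key, `this.type`) are assumptions for illustration; the issue only gives the corrected lines.

```typescript
// Constructed model of a proxy-mode session cookie check; not the plugin's code.
interface SessionCookie {
  username: string | undefined;
  authType: string;
  expiryTime: number;
}

interface Fixes {
  usernameKey: boolean; // build the cookie from authInfo.user_name
  authTypeCompare: boolean; // compare cookie.authType with this.authType
}

type AuthInfo = Record<string, string | undefined>;

// Constructed sample of the backend's auth info (snake_case key, as in the issue's fix).
const sampleAuthInfo: AuthInfo = { user_name: "alice" };

class ProxyAuthModel {
  // Assumed values: two similarly named fields that are easy to confuse.
  readonly type: string = "proxy";
  readonly authType: string = "proxycache";
  private readonly fixes: Fixes;

  constructor(fixes: Fixes) {
    this.fixes = fixes;
  }

  // Builds the cookie after the first, header-authenticated request.
  buildCookie(authInfo: AuthInfo): SessionCookie {
    // Assumed 'before': a key the response does not contain, so username is undefined.
    const key = this.fixes.usernameKey ? "user_name" : "username";
    return { username: authInfo[key], authType: this.authType, expiryTime: Date.now() + 60000 };
  }

  // Decides whether a cookie-only follow-up request is accepted.
  isValidCookie(cookie: SessionCookie): boolean {
    // Assumed 'before': comparison against this.type instead of this.authType.
    const expected = this.fixes.authTypeCompare ? this.authType : this.type;
    return cookie.authType === expected && Boolean(cookie.username) &&
      cookie.expiryTime > Date.now();
  }
}

// HTTP status the second request (cookie + xff, no user/roles headers) would receive.
function secondRequestStatus(fixes: Fixes): number {
  const auth = new ProxyAuthModel(fixes);
  return auth.isValidCookie(auth.buildCookie(sampleAuthInfo)) ? 200 : 401;
}
```

Used as a regression check, the same four combinations can be asserted against the real authentication class so that fixing only one of the two lines is caught.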