Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check user matches logout request before reporting logout success #619

Merged
merged 18 commits into from
Dec 1, 2021
Merged

Check user matches logout request before reporting logout success #619

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
df81d0f
Check user matches logout request before reporting logout success
cjbarth Jul 1, 2021
80fc3a2
Refactor user comparison based on PR feedback
cjbarth Jul 2, 2021
591a1d8
Adjust tests to match improved logic
cjbarth Jul 2, 2021
e845fc0
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Aug 27, 2021
461dfc4
Update lockfile
cjbarth Sep 20, 2021
cade87c
Add new verify function for handling logout
cjbarth Oct 1, 2021
dd54b26
Cleanup readme
cjbarth Oct 1, 2021
1ede2eb
Update issue templates
cjbarth Oct 1, 2021
e999000
Update tests to support separate login and logout callbacks
cjbarth Oct 27, 2021
9cc27c4
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Oct 27, 2021
0ba8425
New lockfile
cjbarth Oct 27, 2021
117308b
Trying to fix fsevents problem
cjbarth Oct 27, 2021
7424968
Pin beta package
cjbarth Oct 28, 2021
d013a82
Merge branch 'master' into validate-logout
cjbarth Nov 17, 2021
b0a05be
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Nov 29, 2021
63a5f63
Merge remote-tracking branch 'refs/remotes/upstream/master'
cjbarth Nov 29, 2021
4907edd
Fix package-lock.json
cjbarth Nov 29, 2021
02f0eac
Fix package-lock.json again
cjbarth Nov 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 47 additions & 31 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@
},
"dependencies": {
"debug": "^4.3.1",
"node-saml": "^4.0.0-beta.0",
"node-saml": "file:../node-saml",
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
"passport-strategy": "^1.0.0",
"xml-crypto": "^2.1.2",
"xml-encryption": "^1.2.4",
Expand Down
86 changes: 53 additions & 33 deletions src/strategy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,66 +53,83 @@ export abstract class AbstractStrategy extends PassportStrategy {
profile,
loggedOut,
}: {
profile?: Profile | null;
loggedOut?: boolean;
profile: Profile | null;
loggedOut: boolean;
}) => {
if (loggedOut) {
// Log out the current user no matter if we can verify the logged in user === logout requested user
req.logout();
if (profile) {

// Check to see if we are logging out the user that is currently logged in to craft a proper IdP response
if (profile != null) {
if (this._saml == null) {
throw new Error("Can't get logout response URL without a SAML provider defined.");
}

const RelayState =
(req.query && req.query.RelayState) || (req.body && req.body.RelayState);
return this._saml.getLogoutResponseUrl(profile, RelayState, options, redirectIfSuccess);
}
return this.pass();
}

const verified = (
err: Error | null,
user?: Record<string, unknown>,
info?: Record<string, unknown>
) => {
if (err) {
return this.error(err);
const RelayState = req.query?.RelayState || req.body?.RelayState;

if (
req.user != null &&
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
req.user.ID === profile.ID &&
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
req.user.issuer === profile.issuer &&
req.user.nameID === profile.nameID &&
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
req.user.nameIDFormat === profile.nameIDFormat
) {
this._saml.getLogoutResponseUrl(profile, RelayState, options, true, redirectIfSuccess);
} else {
this._saml.getLogoutResponseUrl(profile, RelayState, options, false, redirectIfSuccess);
}
} else {
// If the `profile` object was null, this is just a logout acknowledgment, so we take no action
return this.pass();
}
} else {
const verified = (
err: Error | null,
user?: Record<string, unknown>,
info?: Record<string, unknown>
) => {
if (err) {
return this.error(err);
}

if (!user) {
return this.fail(info, 401);
}
if (!user) {
return this.fail(info, 401);
}

this.success(user, info);
};
this.success(user, info);
};

if (this._passReqToCallback) {
(this._verify as VerifyWithRequest)(req, profile, verified);
} else {
(this._verify as VerifyWithoutRequest)(profile, verified);
if (this._passReqToCallback) {
(this._verify as VerifyWithRequest)(req, profile, verified);
} else {
(this._verify as VerifyWithoutRequest)(profile, verified);
}
}
};

const redirectIfSuccess = (err: Error | null, url?: string | null) => {
const redirectIfSuccess = (err: Error | null, url?: string) => {
if (err) {
this.error(err);
} else if (url == null) {
this.error(new Error("Invalid logout redirect URL."));
} else {
this.redirect(url!);
this.redirect(url);
}
};

if (req.query && (req.query.SAMLResponse || req.query.SAMLRequest)) {
if (req.query?.SAMLResponse || req.query?.SAMLRequest) {
const originalQuery = url.parse(req.url).query;
this._saml
.validateRedirectAsync(req.query, originalQuery)
.then(validateCallback)
.catch((err) => this.error(err));
} else if (req.body && req.body.SAMLResponse) {
} else if (req.body?.SAMLResponse) {
this._saml
.validatePostResponseAsync(req.body)
.then(validateCallback)
.catch((err) => this.error(err));
} else if (req.body && req.body.SAMLRequest) {
} else if (req.body?.SAMLRequest) {
this._saml
.validatePostRequestAsync(req.body)
.then(validateCallback)
Expand All @@ -130,8 +147,8 @@ export abstract class AbstractStrategy extends PassportStrategy {
const host = req.headers && req.headers.host;
if (this._saml.options.authnRequestBinding === "HTTP-POST") {
const data = await this._saml.getAuthorizeFormAsync(RelayState, host);
const res = req.res!;
res.send(data);
const res = req.res;
res?.send(data);
} else {
// Defaults to HTTP-Redirect
this.redirect(await this._saml.getAuthorizeUrlAsync(RelayState, host, options));
Expand Down Expand Up @@ -191,6 +208,9 @@ export abstract class AbstractStrategy extends PassportStrategy {
error(err: Error): void {
super.error(err);
}
redirect(url: string, status?: number): void {
super.redirect(url, status);
}
}

export class Strategy extends AbstractStrategy {
Expand Down
19 changes: 10 additions & 9 deletions test/capturedSamlRequests.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -893,8 +893,15 @@ export const logoutChecks: CapturedCheck[] = [
"samlp:StatusCode": [
{
$: {
Value: "urn:oasis:names:tc:SAML:2.0:status:Success",
Value: "urn:oasis:names:tc:SAML:2.0:status:Requester",
},
"samlp:StatusCode": [
{
$: {
Value: "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal",
},
},
],
},
],
},
Expand Down Expand Up @@ -1034,13 +1041,7 @@ describe("captured SAML requests /", function () {

passport.use(strategy);

let userSerialized = false;
passport.serializeUser(function (user, done) {
userSerialized = true;
done(null, user);
});

app.post("/login", passport.authenticate("saml"), function (req, res) {
app.post("/logout", passport.authenticate("saml"), function (req, res) {
res.status(200).send("200 OK");
});

Expand All @@ -1058,7 +1059,7 @@ describe("captured SAML requests /", function () {

server = app.listen(3033, function () {
const requestOpts = {
url: "http://localhost:3033/login",
url: "http://localhost:3033/logout",
method: "post",
form: check.samlRequest,
};
Expand Down
Loading