SSOwat/access.lua

--
-- Load configuration
--
cookies = {}
local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
local conf = json.decode(conf_file:read("*all"))
local portal_url = conf["portal_scheme"].."://"..
                   conf["portal_domain"]..
                   ":"..conf["portal_port"]..
                   conf["portal_path"]
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])

-- Dummy intructions
ngx.header["X-SSO-WAT"] = "You've just been SSOed"

--
--  Useful functions
--
function is_in_table (t, v)
    for key, value in ipairs(t) do
        if value == v then return key end
    end
end

function string.starts (String, Start)
   return string.sub(String, 1, string.len(Start)) == Start
end

function string.ends (String, End)
   return End=='' or string.sub(String, -string.len(End)) == End
end

function cook (cookie_str)
    table.insert(cookies, cookie_str)
end

function set_auth_cookie (user, domain)
    local maxAge = 60 * 60 * 24 * 7 -- 1 week
    local expire = ngx.req.start_time() + maxAge
    local hash = ngx.md5(auth_key..
               "|" ..ngx.var.remote_addr..
               "|"..user..
               "|"..expire)
    local cookie_str = "; Domain=."..domain..
                       "; Path=/"..
                       "; Max-Age="..maxAge
    cook("SSOwAuthUser="..user..cookie_str)
    cook("SSOwAuthHash="..hash..cookie_str)
    cook("SSOwAuthExpire="..expire..cookie_str)
end

function set_token_cookie ()
    local token = tostring(math.random(111111, 999999))
    tokens[token] = token
    cook(
        "SSOwAuthToken="..token..
        "; Domain=."..conf["portal_domain"]..
        "; Path="..conf["portal_path"]..
        "; Max-Age=3600"
    )
end

function set_redirect_cookie (redirect_url)
    cook(
        "SSOwAuthRedirect="..redirect_url..
        "; Path="..conf["portal_path"]..
        "; Max-Age=3600"
    )
end

function delete_cookie ()
    expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
    for _, domain in ipairs(conf["domains"]) do
        local cookie_str = "; Domain=."..domain..
                           "; Path=/"..
                           "; Max-Age="..expired_time
        cook("SSOwAuthUser=;"    ..cookie_str)
        cook("SSOwAuthHash=;"    ..cookie_str)
        cook("SSOwAuthExpire=;"  ..cookie_str)
    end
end

function delete_onetime_cookie ()
    expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
    local cookie_str = "; Path="..conf["portal_path"]..
                       "; Max-Age="..expired_time
    cook("SSOwAuthToken=;"    ..cookie_str)
    cook("SSOwAuthRedirect=;" ..cookie_str)
end


function check_cookie ()

    -- Check if cookie is set
    if  ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""
    and ngx.var.cookie_SSOwAuthHash   and ngx.var.cookie_SSOwAuthHash   ~= ""
    and ngx.var.cookie_SSOwAuthUser   and ngx.var.cookie_SSOwAuthUser   ~= ""
    then
        -- Check expire time
        if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then
            -- Check hash
            local hash = ngx.md5(auth_key..
                    "|"..ngx.var.remote_addr..
                    "|"..ngx.var.cookie_SSOwAuthUser..
                    "|"..ngx.var.cookie_SSOwAuthExpire)
            return hash == ngx.var.cookie_SSOwAuthHash
        end
    end

    return false
end

function authenticate (user, password)
    connected = lualdap.open_simple (
        "localhost",
        "uid=".. user ..",ou=users,dc=yunohost,dc=org",
        password
    )

    if connected and not cache[user] then
        cache[user] = { password=password }
    end

    return connected
end

function set_headers (user)
    if not cache[user]["uid"] then
        ldap = lualdap.open_simple("localhost")
        for dn, attribs in ldap:search {
            base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
            scope = "base",
            sizelimit = 1,
            attrs = {"uid", "givenName", "sn", "cn", "homeDirectory", "mail"}
        } do
            for k,v in pairs(attribs) do cache[user][k] = v end
        end
    end

    -- Set HTTP Auth header
    ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
      cache[user]["uid"]..":"..cache[user]["password"]
    ))

    -- Set Additional headers
    for k, v in pairs(conf["additional_headers"]) do
        ngx.req.set_header(k, cache[user][v])
    end

end

function display_login_form ()
    local args = ngx.req.get_uri_args()
    ngx.req.set_header("Cache-Control", "no-cache")

    -- Redirected from another domain
    if args.r then
        local redirect_url = ngx.decode_base64(args.r)
        set_redirect_cookie(redirect_url)
        ngx.header["Cache-Control"] = "no-cache"
        return redirect(portal_url)
    end

    if args.action and args.action == 'logout' then
        -- Logout
        delete_cookie()
        return redirect(portal_url)
    elseif ngx.var.cookie_SSOwAuthToken
    and tokens[ngx.var.cookie_SSOwAuthToken]
    then
        -- Display normal form
        return
    else
        -- Set token
        set_token_cookie()
        return redirect(portal_url)
    end
end

function do_login ()
    ngx.req.read_body()
    local args = ngx.req.get_post_args()

    -- CSRF check
    local token = ngx.var.cookie_SSOwAuthToken

    if token and tokens[token] then
        tokens[token] = nil
        ngx.status = ngx.HTTP_CREATED

        if authenticate(args.user, args.password) then
            local redirect_url = ngx.var.cookie_SSOwAuthRedirect
            if not redirect_url then redirect_url = portal_url end
            connections[args.user] = {}
            connections[args.user]["redirect_url"] = redirect_url
            connections[args.user]["domains"] = {}
            for _, value in ipairs(conf["domains"]) do
                table.insert(connections[args.user]["domains"], value)
            end

            -- Connect to the first domain (self)
            return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssoconnect="..args.user)
        end
    end
    return redirect(portal_url)
end

function redirect (url)
    ngx.header["Set-Cookie"] = cookies
    return ngx.redirect(url)
end

function pass ()
    delete_onetime_cookie()
    ngx.req.set_header("Set-Cookie", cookies)
    return
end

--
-- Routing
--

-- Connection
if ngx.var.request_method == "GET" then
    local args = ngx.req.get_uri_args()

    -- /?ssoconnect=user
    local user = args.ssoconnect
    if user and connections[user] then
        -- Set Authentication cookie
        set_auth_cookie(user, ngx.var.host)
        -- Remove domain from connection table
        domain_key = is_in_table(connections[user]["domains"], ngx.var.host)
        table.remove(connections[user]["domains"], domain_key)

        if table.getn(connections[user]["domains"]) == 0 then
            -- All the redirections has been made
            local redirect_url = connections[user]["redirect_url"]
            connections[user] = nil
            return redirect(ngx.unescape_uri(redirect_url))
        else
            -- Redirect to the next domain
            for _, domain in ipairs(connections[user]["domains"]) do
                return redirect(ngx.var.scheme.."://"..domain.."/?ssoconnect="..user)
            end
        end
    end
end

-- Portal
if ngx.var.host == conf["portal_domain"]
   and string.starts(ngx.var.uri, conf["portal_path"])
then
    if ngx.var.request_method == "GET" then
        return display_login_form()
    elseif ngx.var.request_method == "POST" then
        return do_login()
    end
end

-- Skipped urls
for _, url in ipairs(conf["skipped_urls"]) do
    if string.starts(ngx.var.host..ngx.var.uri, url) then
        return pass
    end
end

-- Unprotected urls
for _, url in ipairs(conf["unprotected_urls"]) do
    if string.starts(ngx.var.host..ngx.var.uri, url) then
        if check_cookie() then
            set_headers(ngx.var.cookie_SSOwAuthUser)
        end
        return pass
    end
end

-- Cookie validation
if check_cookie() then
    set_headers(ngx.var.cookie_SSOwAuthUser)
    return pass
else
    delete_cookie()
end


-- Connect with HTTP Auth if credentials are brought
local auth_header = ngx.req.get_headers()["Authorization"]
if auth_header then
    _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
    _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
    if authenticate(user, password) then
        set_headers(user)
        return pass
    end
end

-- Else redirect to portal
local back_url = ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri)
if set_redirect_cookie(back_url) then
    -- From same domain
    return redirect(portal_url)
else
    -- From another domain
    return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
end
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
Init 2013-10-15 10:11:39 +02:00			`-- Load configuration`
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`cookies = {}`
			`local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")`
Bugfixes 2013-10-15 13:58:16 +02:00			`local conf = json.decode(conf_file:read("*all"))`
Init 2013-10-15 10:11:39 +02:00			`local portal_url = conf["portal_scheme"].."://"..`
Change main_domain to portal_domain 2013-10-16 15:54:58 +02:00			`conf["portal_domain"]..`
Init 2013-10-15 10:11:39 +02:00			`":"..conf["portal_port"]..`
			`conf["portal_path"]`
Change main_domain to portal_domain 2013-10-16 15:54:58 +02:00			`table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])`
Init 2013-10-15 10:11:39 +02:00
			`-- Dummy intructions`
Update access.lua 2013-10-16 11:57:53 +02:00			`ngx.header["X-SSO-WAT"] = "You've just been SSOed"`
Init 2013-10-15 10:11:39 +02:00
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
			`-- Useful functions`
			`--`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`function is_in_table (t, v)`
			`for key, value in ipairs(t) do`
			`if value == v then return key end`
			`end`
			`end`

Init 2013-10-15 10:11:39 +02:00			`function string.starts (String, Start)`
			`return string.sub(String, 1, string.len(Start)) == Start`
			`end`

Bugfixes 2013-10-15 13:58:16 +02:00			`function string.ends (String, End)`
			`return End=='' or string.sub(String, -string.len(End)) == End`
			`end`

Handle multi-domain 2013-10-16 11:27:18 +02:00			`function cook (cookie_str)`
			`table.insert(cookies, cookie_str)`
			`end`

			`function set_auth_cookie (user, domain)`
Init 2013-10-15 10:11:39 +02:00			`local maxAge = 60 * 60 * 24 * 7 -- 1 week`
			`local expire = ngx.req.start_time() + maxAge`
			`local hash = ngx.md5(auth_key..`
			`"\|" ..ngx.var.remote_addr..`
			`"\|"..user..`
			`"\|"..expire)`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`local cookie_str = "; Domain=."..domain..`
Bugfixes 2013-10-15 13:58:16 +02:00			`"; Path=/"..`
Init 2013-10-15 10:11:39 +02:00			`"; Max-Age="..maxAge`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`cook("SSOwAuthUser="..user..cookie_str)`
			`cook("SSOwAuthHash="..hash..cookie_str)`
			`cook("SSOwAuthExpire="..expire..cookie_str)`
Init 2013-10-15 10:11:39 +02:00			`end`

Bugfixes 2013-10-15 13:58:16 +02:00			`function set_token_cookie ()`
			`local token = tostring(math.random(111111, 999999))`
			`tokens[token] = token`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`cook(`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`"SSOwAuthToken="..token..`
			`"; Domain=."..conf["portal_domain"]..`
Bugfixes 2013-10-15 13:58:16 +02:00			`"; Path="..conf["portal_path"]..`
			`"; Max-Age=3600"`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`)`
Bugfixes 2013-10-15 13:58:16 +02:00			`end`

			`function set_redirect_cookie (redirect_url)`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`cook(`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`"SSOwAuthRedirect="..redirect_url..`
Bugfixes 2013-10-15 13:58:16 +02:00			`"; Path="..conf["portal_path"]..`
			`"; Max-Age=3600"`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`)`
Bugfixes 2013-10-15 13:58:16 +02:00			`end`

Init 2013-10-15 10:11:39 +02:00			`function delete_cookie ()`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"`
			`for _, domain in ipairs(conf["domains"]) do`
			`local cookie_str = "; Domain=."..domain..`
			`"; Path=/"..`
			`"; Max-Age="..expired_time`
			`cook("SSOwAuthUser=;" ..cookie_str)`
			`cook("SSOwAuthHash=;" ..cookie_str)`
			`cook("SSOwAuthExpire=;" ..cookie_str)`
			`end`
Bugfixes 2013-10-15 13:58:16 +02:00			`end`

			`function delete_onetime_cookie ()`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"`
			`local cookie_str = "; Path="..conf["portal_path"]..`
			`"; Max-Age="..expired_time`
			`cook("SSOwAuthToken=;" ..cookie_str)`
			`cook("SSOwAuthRedirect=;" ..cookie_str)`
Init 2013-10-15 10:11:39 +02:00			`end`

Bugfixes 2013-10-15 13:58:16 +02:00
Init 2013-10-15 10:11:39 +02:00			`function check_cookie ()`
Handle multi-domain 2013-10-16 11:27:18 +02:00
Init 2013-10-15 10:11:39 +02:00			`-- Check if cookie is set`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`if ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""`
			`and ngx.var.cookie_SSOwAuthHash and ngx.var.cookie_SSOwAuthHash ~= ""`
			`and ngx.var.cookie_SSOwAuthUser and ngx.var.cookie_SSOwAuthUser ~= ""`
Init 2013-10-15 10:11:39 +02:00			`then`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`-- Check expire time`
			`if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then`
			`-- Check hash`
			`local hash = ngx.md5(auth_key..`
			`"\|"..ngx.var.remote_addr..`
			`"\|"..ngx.var.cookie_SSOwAuthUser..`
			`"\|"..ngx.var.cookie_SSOwAuthExpire)`
			`return hash == ngx.var.cookie_SSOwAuthHash`
			`end`
Init 2013-10-15 10:11:39 +02:00			`end`

Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`return false`
Init 2013-10-15 10:11:39 +02:00			`end`

			`function authenticate (user, password)`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`connected = lualdap.open_simple (`
Init 2013-10-15 10:11:39 +02:00			`"localhost",`
Bugfixes 2013-10-15 13:58:16 +02:00			`"uid=".. user ..",ou=users,dc=yunohost,dc=org",`
			`password`
Init 2013-10-15 10:11:39 +02:00			`)`
Handle multi-domain 2013-10-16 11:27:18 +02:00
			`if connected and not cache[user] then`
			`cache[user] = { password=password }`
			`end`

			`return connected`
Init 2013-10-15 10:11:39 +02:00			`end`

			`function set_headers (user)`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`if not cache[user]["uid"] then`
			`ldap = lualdap.open_simple("localhost")`
			`for dn, attribs in ldap:search {`
			`base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",`
			`scope = "base",`
			`sizelimit = 1,`
Add some informations to header 2013-10-16 16:47:48 +02:00			`attrs = {"uid", "givenName", "sn", "cn", "homeDirectory", "mail"}`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`} do`
			`for k,v in pairs(attribs) do cache[user][k] = v end`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`
Handle multi-domain 2013-10-16 11:27:18 +02:00
Put additional headers in conf 2013-10-16 18:16:41 +02:00			`-- Set HTTP Auth header`
Request headers bugfix 2013-10-16 17:30:08 +02:00			`ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(`
			`cache[user]["uid"]..":"..cache[user]["password"]`
			`))`
Put additional headers in conf 2013-10-16 18:16:41 +02:00
			`-- Set Additional headers`
			`for k, v in pairs(conf["additional_headers"]) do`
			`ngx.req.set_header(k, cache[user][v])`
			`end`

Init 2013-10-15 10:11:39 +02:00			`end`

			`function display_login_form ()`
			`local args = ngx.req.get_uri_args()`
Avoid caching problems 2013-10-16 18:00:51 +02:00			`ngx.req.set_header("Cache-Control", "no-cache")`
Init 2013-10-15 10:11:39 +02:00
Handle multi-domain 2013-10-16 11:27:18 +02:00			`-- Redirected from another domain`
			`if args.r then`
			`local redirect_url = ngx.decode_base64(args.r)`
			`set_redirect_cookie(redirect_url)`
Avoid caching problems 2013-10-16 18:00:51 +02:00			`ngx.header["Cache-Control"] = "no-cache"`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`return redirect(portal_url)`
			`end`

Init 2013-10-15 10:11:39 +02:00			`if args.action and args.action == 'logout' then`
			`-- Logout`
			`delete_cookie()`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`return redirect(portal_url)`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`elseif ngx.var.cookie_SSOwAuthToken`
			`and tokens[ngx.var.cookie_SSOwAuthToken]`
			`then`
Init 2013-10-15 10:11:39 +02:00			`-- Display normal form`
Request headers bugfix 2013-10-16 17:30:08 +02:00			`return`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`else`
			`-- Set token`
Bugfixes 2013-10-15 13:58:16 +02:00			`set_token_cookie()`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`return redirect(portal_url)`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`

			`function do_login ()`
			`ngx.req.read_body()`
			`local args = ngx.req.get_post_args()`

			`-- CSRF check`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`local token = ngx.var.cookie_SSOwAuthToken`
Bugfixes 2013-10-15 13:58:16 +02:00
			`if token and tokens[token] then`
			`tokens[token] = nil`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`ngx.status = ngx.HTTP_CREATED`
Init 2013-10-15 10:11:39 +02:00
			`if authenticate(args.user, args.password) then`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`local redirect_url = ngx.var.cookie_SSOwAuthRedirect`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`if not redirect_url then redirect_url = portal_url end`
			`connections[args.user] = {}`
			`connections[args.user]["redirect_url"] = redirect_url`
			`connections[args.user]["domains"] = {}`
			`for _, value in ipairs(conf["domains"]) do`
			`table.insert(connections[args.user]["domains"], value)`
Init 2013-10-15 10:11:39 +02:00			`end`
Handle multi-domain 2013-10-16 11:27:18 +02:00
			`-- Connect to the first domain (self)`
			`return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssoconnect="..args.user)`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`return redirect(portal_url)`
			`end`

			`function redirect (url)`
			`ngx.header["Set-Cookie"] = cookies`
Request headers bugfix 2013-10-16 17:30:08 +02:00			`return ngx.redirect(url)`
Init 2013-10-15 10:11:39 +02:00			`end`

Bugfixes 2013-10-15 13:58:16 +02:00			`function pass ()`
			`delete_onetime_cookie()`
Request headers bugfix 2013-10-16 17:30:08 +02:00			`ngx.req.set_header("Set-Cookie", cookies)`
Bugfixes 2013-10-15 13:58:16 +02:00			`return`
			`end`

			`--`
			`-- Routing`
			`--`

Handle multi-domain 2013-10-16 11:27:18 +02:00			`-- Connection`
			`if ngx.var.request_method == "GET" then`
			`local args = ngx.req.get_uri_args()`

			`-- /?ssoconnect=user`
			`local user = args.ssoconnect`
			`if user and connections[user] then`
			`-- Set Authentication cookie`
			`set_auth_cookie(user, ngx.var.host)`
			`-- Remove domain from connection table`
			`domain_key = is_in_table(connections[user]["domains"], ngx.var.host)`
			`table.remove(connections[user]["domains"], domain_key)`

			`if table.getn(connections[user]["domains"]) == 0 then`
			`-- All the redirections has been made`
			`local redirect_url = connections[user]["redirect_url"]`
			`connections[user] = nil`
			`return redirect(ngx.unescape_uri(redirect_url))`
			`else`
			`-- Redirect to the next domain`
			`for _, domain in ipairs(connections[user]["domains"]) do`
			`return redirect(ngx.var.scheme.."://"..domain.."/?ssoconnect="..user)`
			`end`
			`end`
			`end`
			`end`

Bugfixes 2013-10-15 13:58:16 +02:00			`-- Portal`
Change main_domain to portal_domain 2013-10-16 15:54:58 +02:00			`if ngx.var.host == conf["portal_domain"]`
Init 2013-10-15 10:11:39 +02:00			`and string.starts(ngx.var.uri, conf["portal_path"])`
			`then`
Bugfixes 2013-10-15 13:58:16 +02:00			`if ngx.var.request_method == "GET" then`
Init 2013-10-15 10:11:39 +02:00			`return display_login_form()`
Bugfixes 2013-10-15 13:58:16 +02:00			`elseif ngx.var.request_method == "POST" then`
Init 2013-10-15 10:11:39 +02:00			`return do_login()`
			`end`
			`end`

			`-- Skipped urls`
			`for _, url in ipairs(conf["skipped_urls"]) do`
Bugfixes 2013-10-15 13:58:16 +02:00			`if string.starts(ngx.var.host..ngx.var.uri, url) then`
			`return pass`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`

			`-- Unprotected urls`
			`for _, url in ipairs(conf["unprotected_urls"]) do`
Bugfixes 2013-10-15 13:58:16 +02:00			`if string.starts(ngx.var.host..ngx.var.uri, url) then`
Init 2013-10-15 10:11:39 +02:00			`if check_cookie() then`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`set_headers(ngx.var.cookie_SSOwAuthUser)`
Init 2013-10-15 10:11:39 +02:00			`end`
Bugfixes 2013-10-15 13:58:16 +02:00			`return pass`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`

			`-- Cookie validation`
			`if check_cookie() then`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`set_headers(ngx.var.cookie_SSOwAuthUser)`
Bugfixes 2013-10-15 13:58:16 +02:00			`return pass`
Cookies bugfix and rename 2013-10-16 16:20:51 +02:00			`else`
			`delete_cookie()`
Init 2013-10-15 10:11:39 +02:00			`end`

Handle multi-domain 2013-10-16 11:27:18 +02:00
Init 2013-10-15 10:11:39 +02:00			`-- Connect with HTTP Auth if credentials are brought`
			`local auth_header = ngx.req.get_headers()["Authorization"]`
			`if auth_header then`
			`_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")`
			`_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")`
			`if authenticate(user, password) then`
			`set_headers(user)`
Bugfixes 2013-10-15 13:58:16 +02:00			`return pass`
Init 2013-10-15 10:11:39 +02:00			`end`
			`end`

Handle multi-domain 2013-10-16 11:27:18 +02:00			`-- Else redirect to portal`
			`local back_url = ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri)`
			`if set_redirect_cookie(back_url) then`
			`-- From same domain`
			`return redirect(portal_url)`
Bugfixes 2013-10-15 13:58:16 +02:00			`else`
Handle multi-domain 2013-10-16 11:27:18 +02:00			`-- From another domain`
			`return redirect(portal_url.."?r="..ngx.encode_base64(back_url))`
Bugfixes 2013-10-15 13:58:16 +02:00			`end`