add trusted referrer header

fixes: CNVS-17692

Adds a response header on login that indicates whether the referrer
is trusted, so admins can verify their trusted-referrer configuration.

Change-Id: I2d08fcc7882fd3588ca1769419548ab731701495
Reviewed-on: https://gerrit.instructure.com/46408
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Nick Cloward <ncloward@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Nick Cloward 2014-12-30 14:24:56 -07:00
parent 07a4fa8b1a
commit 66d20740d8
2 changed files with 16 additions and 0 deletions


@ -649,6 +649,10 @@ class PseudonymSessionsController < ApplicationController
CanvasBreachMitigation::MaskingSecrets.reset_authenticity_token!(cookies)
Auditors::Authentication.record(@current_pseudonym, 'login')
if !params.has_key?(request_forgery_protection_token) && @domain_root_account.trusted_referer?(request.referer)
response.headers['X-Account-Trusted-Referrer'] = 'true'
end
otp_passed ||= @current_user.validate_otp_secret_key_remember_me_cookie(cookies['canvas_otp_remember_me'], request.remote_ip)
if !otp_passed
mfa_settings = @current_user.mfa_settings
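Review bot: The header is only set on the branch where no authenticity token was submitted and `@domain_root_account.trusted_referer?(request.referer)` is true, so its absence does not mean the referrer is untrusted — an ordinary token-bearing login from a trusted referrer also gets no header, which contradicts the description's "tells if the referrer is trusted or not". Either document the actual contract above the condition, e.g. `# Flag logins that were accepted without a CSRF token on the strength of a trusted referrer, so admins can audit their trusted-referrer list`, or, if admins are meant to check trust for any referrer, also write `'false'` in an `else` branch. The spec in the second file covers only the positive case; an example asserting the header is absent when a token is supplied or `trusted_referer?` returns false would pin that contract. Minor style: `params.has_key?(...)` can be `params.key?(...)`. The enclosing action starts and ends outside the hunk.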


@ -96,6 +96,18 @@ describe PseudonymSessionsController do
expect(assigns[:pseudonym_session]).not_to be_nil
end
it "should login if authenticity token is not provided and referrer is trusted" do
Account.any_instance.expects(:trusted_referer?).returns(true)
post 'create', :pseudonym_session => { :unique_id => ' jtfrd@instructure.com ', :password => 'qwerty' }
expect(response).to be_redirect
expect(response).to redirect_to(dashboard_url(:login_success => 1))
expect(assigns[:user]).to eq @user
expect(assigns[:pseudonym]).to eq @pseudonym
expect(assigns[:pseudonym_session]).not_to be_nil
expect(response.headers.key?('X-Account-Trusted-Referrer')).to be_truthy
expect(response.headers['X-Account-Trusted-Referrer']).to eq 'true'
end
context "ldap" do
it "should log in a user with a identifier_format" do
user_with_pseudonym(:username => '12345', :active_all => 1)