Adding support for single session cookies appearing in an Array (#24984)

* Adding support for single auth cookies appearing in an Array

* Removing redundant newline
This commit is contained in:
Brandon Kobel 2018-11-02 06:23:54 -07:00 committed by GitHub
parent 69b286b2fc
commit 42b758c567
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 5 deletions


@ -78,6 +78,15 @@ describe('Session', () => {
sinon.assert.calledWithExactly(server.log, ['debug', 'security', 'auth', 'session'], failureReason);
});
it('returns session if single session cookie is in an array.', async () => {
const request = {};
const sessionValue = { token: 'token' };
const sessions = [{ value: sessionValue }];
server.auth.test.withArgs('security-cookie', request).resolves(sessions);
expect(await session.get(request)).to.be(sessionValue);
});
it('returns null if multiple session cookies are detected.', async () => {
const request = {};
const sessions = [{ value: { token: 'token' } }, { value: { token: 'token' } }];
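Review bot: The new test at `it('returns session if single session cookie is in an array.'` checks only the returned value; it does not assert that the single-in-array path is silent, so a regression that starts logging the "expecting 1" warning for one cookie would pass. Adding `sinon.assert.neverCalledWith(server.log, ['warning', 'security', 'auth', 'session']);` after the `expect` line would pin that. The empty-array case is also untested: in the `Session.get` hunk of this same commit, `[]` falls through to the multi-session branch and logs `Found 0 auth sessions when we were only expecting 1.` before returning null, which is worth a sibling test such as `it('returns null if an empty array of session cookies is returned.', ...)` resolving `[]` and expecting `null`, so that the misleading message is at least deliberate. The enclosing describe block continues past the hunk.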


@ -55,13 +55,23 @@ export class Session {
try {
const session = await this._server.auth.test(HAPI_STRATEGY_NAME, request);
if (Array.isArray(session)) {
const warning = `Found ${session.length} auth sessions when we were only expecting 1.`;
this._server.log(['warning', 'security', 'auth', 'session'], warning);
return null;
// If it's not an array, just return the session value
if (!Array.isArray(session)) {
return session.value;
}
return session.value;
// If we have an array with one value, we're good also
if (session.length === 1) {
return session[0].value;
}
// Otherwise, we have more than one and won't be authing the user because we don't
// know which session identifies the actual user. There's potential to change this behavior
// to ensure all valid sessions identify the same user, or choose one valid one, but this
// is the safest option.
const warning = `Found ${session.length} auth sessions when we were only expecting 1.`;
this._server.log(['warning', 'security', 'auth', 'session'], warning);
return null;
} catch (err) {
this._server.log(['debug', 'security', 'auth', 'session'], err);
return null;