feat: restrict redirectUrls for CAS login (#2118)

* feat: support cas restricted login * feat: add cas login i18n * feat: add CheckCasService for all cas api * feat: gofumpt * feat: replace 404 * feat: reuse i18n * feat: delete CheckCasService * Update token_cas.go * Update LoginPage.js * Update token_cas.go --------- Co-authored-by: hsluoyz <hsluoyz@qq.com>
2025-05-23 02:35:49 +08:00 · 2023-07-24 11:47:31 +08:00 · 2023-07-24 11:47:31 +08:00 · b7a37126ad
commit b7a37126ad
parent 8669d5bb0d
4 changed files with 29 additions and 6 deletions
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -183,6 +183,8 @@ func (c *ApiController) DeleteOrganization() {
 func (c *ApiController) GetDefaultApplication() {
 	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
+	redirectUri := c.Input().Get("redirectUri")
+	typ := c.Input().Get("type")

 	application, err := object.GetDefaultApplication(id)
 	if err != nil {
@ -190,6 +192,14 @@ func (c *ApiController) GetDefaultApplication() {
 		return
 	}

+	if typ == "cas" {
+		err = object.CheckCasRestrict(application, c.GetAcceptLanguage(), redirectUri)
+		if err != nil {
+			c.ResponseError(err.Error())
+			return
+		}
+	}
+
 	maskedApplication := object.GetMaskedApplication(application, userId)
 	c.ResponseOk(maskedApplication)
 }
--- a/object/token_cas.go
+++ b/object/token_cas.go
@ -26,6 +26,7 @@ import (
 	"time"

 	"github.com/beevik/etree"
+	"github.com/casdoor/casdoor/i18n"
 	"github.com/casdoor/casdoor/util"
 	dsig "github.com/russellhaering/goxmldsig"
 )
@ -122,6 +123,13 @@ var stToServiceResponse sync.Map
 // pgt is short for proxy granting ticket
 var pgtToServiceResponse sync.Map

+func CheckCasRestrict(application *Application, lang string, service string) error {
+	if len(application.RedirectUris) > 0 && !application.IsRedirectUriValid(service) {
+		return fmt.Errorf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), service)
+	}
+	return nil
+}
+
 func StoreCasTokenForPgt(token *CasAuthenticationSuccess, service, userId string) string {
 	pgt := fmt.Sprintf("PGT-%s", util.GenerateId())
 	pgtToServiceResponse.Store(pgt, &CasAuthenticationSuccessWrapper{
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@ -173,7 +173,12 @@ class LoginPage extends React.Component {
          this.onUpdateApplication(res.data);
        });
    } else {
-      OrganizationBackend.getDefaultApplication("admin", this.state.owner)
+      let redirectUri = "";
+      if (this.state.type === "cas") {
+        const casParams = Util.getCasParameters();
+        redirectUri = casParams.service;
+      }
+      OrganizationBackend.getDefaultApplication("admin", this.state.owner, this.state.type, redirectUri)
        .then((res) => {
          if (res.status === "ok") {
            const application = res.data;
@ -183,9 +188,9 @@ class LoginPage extends React.Component {
            });
          } else {
            this.onUpdateApplication(null);
-            Setting.showMessage("error", res.msg);
-
-            this.props.history.push("/404");
+            this.setState({
+              msg: res.msg,
+            });
          }
        });
    }
--- a/web/src/backend/OrganizationBackend.js
+++ b/web/src/backend/OrganizationBackend.js
@ -70,8 +70,8 @@ export function deleteOrganization(organization) {
  }).then(res => res.json());
 }

-export function getDefaultApplication(owner, name) {
-  return fetch(`${Setting.ServerUrl}/api/get-default-application?id=${owner}/${encodeURIComponent(name)}`, {
+export function getDefaultApplication(owner, name, type = "", redirectUri = "") {
+  return fetch(`${Setting.ServerUrl}/api/get-default-application?id=${owner}/${encodeURIComponent(name)}&type=${type}&redirectUri=${redirectUri}`, {
    method: "GET",
    credentials: "include",
    headers: {