Fix: Extend Basic Auth compatibility with browsers

2026-03-04 17:56:38 +00:00 · 2025-12-01 01:18:09 +01:00
parent 02fbc279b5
commit 46ed27a218
31 changed files with 527 additions and 300 deletions
--- a/server/routers/badger/logRequestAudit.ts
+++ b/server/routers/badger/logRequestAudit.ts
@@ -9,7 +9,7 @@ Reasons:
 100 - Allowed by Rule
 101 - Allowed No Auth
 102 - Valid Access Token
-103 - Valid header auth
+103 - Valid Header Auth (HTTP Basic Auth)
 104 - Valid Pincode
 105 - Valid Password
 106 - Valid email
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -13,7 +13,7 @@ import {
    LoginPage,
    Org,
    Resource,
-    ResourceHeaderAuth,
+    ResourceHeaderAuth, ResourceHeaderAuthExtendedCompatibility,
    ResourcePassword,
    ResourcePincode,
    ResourceRule,
@@ -65,6 +65,7 @@ type BasicUserData = {

 export type VerifyUserResponse = {
    valid: boolean;
+    headerAuthChallenged?: boolean;
    redirectUrl?: string;
    userData?: BasicUserData;
 };
@@ -142,6 +143,7 @@ export async function verifyResourceSession(
                  pincode: ResourcePincode | null;
                  password: ResourcePassword | null;
                  headerAuth: ResourceHeaderAuth | null;
+                  headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
                  org: Org;
              }
            | undefined = cache.get(resourceCacheKey);
@@ -171,7 +173,7 @@ export async function verifyResourceSession(
            cache.set(resourceCacheKey, resourceData, 5);
        }

-        const { resource, pincode, password, headerAuth } = resourceData;
+        const { resource, pincode, password, headerAuth, headerAuthExtendedCompatibility } = resourceData;

        if (!resource) {
            logger.debug(`Resource not found ${cleanHost}`);
@@ -450,7 +452,8 @@ export async function verifyResourceSession(
                !sso &&
                !pincode &&
                !password &&
-                !resource.emailWhitelistEnabled
+                !resource.emailWhitelistEnabled &&
+                !headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
            ) {
                logRequestAudit(
                    {
@@ -465,13 +468,15 @@ export async function verifyResourceSession(

                return notAllowed(res);
            }
-        } else if (headerAuth) {
+        }
+        else if (headerAuth) {
            // if there are no other auth methods we need to return unauthorized if nothing is provided
            if (
                !sso &&
                !pincode &&
                !password &&
-                !resource.emailWhitelistEnabled
+                !resource.emailWhitelistEnabled &&
+                !headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
            ) {
                logRequestAudit(
                    {
@@ -557,7 +562,7 @@ export async function verifyResourceSession(
            }

            if (resourceSession) {
-                // only run this check if not SSO sesion; SSO session length is checked later
+                // only run this check if not SSO session; SSO session length is checked later
                const accessPolicy = await enforceResourceSessionLength(
                    resourceSession,
                    resourceData.org
@@ -701,6 +706,11 @@ export async function verifyResourceSession(
            }
        }

+        // If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge
+        if (headerAuthExtendedCompatibility && headerAuthExtendedCompatibility.extendedCompatibilityIsActivated && !clientHeaderAuth){
+            return headerAuthChallenged(res, redirectPath, resource.orgId);
+        }
+
        logger.debug("No more auth to check, resource not allowed");

        if (config.getRawConfig().app.log_failed_attempts) {
@@ -833,6 +843,46 @@ function allowed(res: Response, userData?: BasicUserData) {
    return response<VerifyUserResponse>(res, data);
 }

+async function headerAuthChallenged(
+    res: Response,
+    redirectPath?: string,
+    orgId?: string
+) {
+    let loginPage: LoginPage | null = null;
+    if (orgId) {
+        const { tier } = await getOrgTierData(orgId); // returns null in oss
+        if (tier === TierId.STANDARD) {
+            loginPage = await getOrgLoginPage(orgId);
+        }
+    }
+
+    let redirectUrl: string | undefined = undefined;
+    if (redirectPath) {
+        let endpoint: string;
+
+        if (loginPage && loginPage.domainId && loginPage.fullDomain) {
+            const secure = config
+                .getRawConfig()
+                .app.dashboard_url?.startsWith("https");
+            const method = secure ? "https" : "http";
+            endpoint = `${method}://${loginPage.fullDomain}`;
+        } else {
+            endpoint = config.getRawConfig().app.dashboard_url!;
+        }
+        redirectUrl = `${endpoint}${redirectPath}`;
+    }
+
+    const data = {
+        data: { headerAuthChallenged: true, valid: false, redirectUrl },
+        success: true,
+        error: false,
+        message: "Access denied",
+        status: HttpCode.OK
+    };
+    logger.debug(JSON.stringify(data));
+    return response<VerifyUserResponse>(res, data);
+}
+
 async function isUserAllowedToAccessResource(
    userSessionId: string,
    resource: Resource,