Yunohost 12 Auth header removed

[Josue-T]

Describe the bug

Some authentication header was removed on Yunohost 12 and it's annoying because some apps need it to have the SSO working correctly. From what I know here are the list of the impacted apps (that I'm maintaining):

• PgAdmin
• Seafile
• XWiki

And here are the list of the authentication header which was removed:
Remote-User, Email, Name, Auth-User.

Context

• Hardware: Any
• YunoHost version: 12.x

To reproduce

We can see easly the difference this way:

• Use this mini webserver to show the header: https://gist.github.com/phrawzty/62540f146ee5e74ea1ab
• Configure nginx to point to the previous webserver
• Launch the webserver
• Send a request

See the difference between Yunohost 11 and Yunohost 12.

Yunohost 11

...
some other headers
...
Authorization: Basic am9zdWU6cHdk
Remote-User: josue
Email: [email protected]
Name: =?utf-8?b?Sm9zdcODwqkgam9zdWU=?=
Auth-User: josue

Yunohost 12

...
some other headers
...
Authorization: Basic am9zdWU6cHdk

Expected behavior

We should have the same header between Yunohost 12 and Yunohost 11.

[alexAubin]

Regarding pgadmin :

• it uses WEBSERVER_REMOTE_USER = 'REMOTE_USER' in the config, but it's probably easy to define REMOTE_USER from the nginx conf similar to what we do for php apps

Regarding seafile :

• it uses REMOTE_USER_HEADER = 'HTTP_EMAIL' in combination with LDAP_LOGIN_ATTR = 'mail' but it sounds perfectly feasible to use the classic user uid (similar to pgadmin)

Regarding xwiki:

• it uses xwiki.authentication.ldap.httpHeader=REMOTE_USER, so same as before, this header an probably be created by some nginx conf snippet ?

[alexAubin]

Or alternatively we should decide to always populate some YNH_USER header which would only come from ssowat (contrarily to the basic auth header or remote_user where there's always some sort of possible-spoofing ambiguity) and deprecate using $remote_user to populate REMOTE_USER in nginx conf, especially php ones)

[Josue-T]

Hello,

Well I could agree for pgadmin and XWiki but the issue with seafile is that there are no other solution than to use email because it's hard coded and so we can't just say let's use the username instead cf YunoHost-Apps/seafile_ynh#5 note I searched many time a way to fix this but for now I only concluded that we still need to use the email as it's done by design.

Note also that to me the issue while using the basic auth instead of the remote user header is that we have the basic auth spoofing issue. The remote_user header don't have this security issue as it can't be set by the client (from what I understood). But well it's a bit a different discussion.

And to me in general case having theses HEADER was really good as by this way we was able to have a full authentication on some app without the need connect to LDAP. By example some app could support the authentication by the header but not by LDAP. And with theses header we was able to retrieve most of the account info like the name, username and email. This was completely removed and it's a shame.

Note that maybe some other apps use this, but as I'm not the maintainer I have less an overview of the usage.

[Josue-T]

Or alternatively we should decide to always populate some YNH_USER header which would only come from ssowat (contrarily to the basic auth header or remote_user where there's always some sort of possible-spoofing ambiguity) and deprecate using $remote_user to populate REMOTE_USER in nginx conf, especially php ones)

Yes this sound me really a good idea. I also used the $remote_user to populate the REMOTE_USER in nginx conf but following the issue with the basic auth spoofing it might be better to drop this practice.

[Josue-T]

Hello,

@alexAubin I'll work on this theses few next days.

After some investigation of how it works, the idea is to populate some headers like YNH_USER, YNH_EMAIL, ... And depreciate the current REMOTE_USER header which is quite unsafe if populated from the auth basic header (like with php).

[alexAubin]

YunoHost/SSOwat#231 got merged