fix(auth): use X-Forwarded-User header to populate username response (#…

…490) * chore(headers): clean up unused headers references * fix(auth): use X-Forwarded-User header to populate username response
cryostatio · Jun 5, 2024 · d9f05db · d9f05db
1 parent 70a5097
commit d9f05db
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/src/main/java/io/cryostat/Health.java b/src/main/java/io/cryostat/Health.java
@@ -200,11 +200,7 @@ public ResponseBuilder corsSkippedHeaders() {
                     .header("Access-Control-Allow-Origin", "http://localhost:9000")
                     .header(
                             "Access-Control-Allow-Headers",
-                            "accept, origin, authorization, content-type,"
-                                    + " x-requested-with, x-jmx-authorization")
-                    .header(
-                            "Access-Control-Expose-Headers",
-                            "x-www-authenticate, x-jmx-authenticate")
+                            "accept, origin, authorization, content-type," + " x-requested-with")
                     .header("Access-Control-Allow-Methods", "GET,POST,OPTIONS")
                     .header("Access-Control-Allow-Credentials", "true");
         }

diff --git a/src/main/java/io/cryostat/security/Auth.java b/src/main/java/io/cryostat/security/Auth.java
@@ -28,6 +28,7 @@
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.SecurityContext;
 import org.jboss.resteasy.reactive.RestResponse;
 
 @Path("")
@@ -47,10 +48,16 @@ public Response logout(@Context RoutingContext context) {
     @Path("/api/v2.1/auth")
     @PermitAll
     @Produces(MediaType.APPLICATION_JSON)
-    public Response login(@Context RoutingContext context) {
+    public Response login(@Context RoutingContext context, SecurityContext securityContext) {
+        String user =
+                securityContext.getUserPrincipal() != null
+                        ? securityContext.getUserPrincipal().getName()
+                        : context.request().getHeader("X-Forwarded-User");
+        if (user == null) {
+            user = "";
+        }
         return Response.ok()
-                .header("X-WWW-Authenticate", "None")
-                .entity(V2Response.json(Response.Status.OK, Map.of("username", "user")))
+                .entity(V2Response.json(Response.Status.OK, Map.of("username", user)))
                 .build();
     }
 }
diff --git a/src/main/resources/application-dev.properties b/src/main/resources/application-dev.properties
@@ -6,7 +6,6 @@ quarkus.http.cors=true
 # quarkus.http.cors.origins=http://localhost:9000,http://0.0.0.0:9000
 quarkus.http.cors.origins=http://localhost:9000
 quarkus.http.cors.access-control-allow-credentials=true
-quarkus.http.cors.exposed-headers=X-WWW-Authenticate
 # quarkus.http.cors.methods=GET,PUT,POST,PATCH,OPTIONS
 # quarkus.http.cors.access-control-max-age=1s