From: Michael Tremer
Date: Mon, 10 Oct 2022 13:34:22 +0000 (+0000)
Subject: auth: Don't send server response for websocket handlers
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8403ae35a55781df9642e024d2291cb06a7a8b12;p=pbs.git
auth: Don't send server response for websocket handlers
WebSocket connections don't allow us to set any headers and we cannot validate them on the client side either.
Signed-off-by: Michael Tremer
---
diff --git a/src/web/auth.py b/src/web/auth.py
index a3166ac6..51d5e0b5 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -5,6 +5,7 @@ import kerberos
 import logging
 import os
 import tornado.web
+import tornado.websocket
 from . import base
@@ -78,11 +79,12 @@ class KerberosAuthMixin(object):
 if not result == kerberos.AUTH_GSS_COMPLETE:
 return self._auth_basic(auth_header)
- # Fetch the server response
- response = kerberos.authGSSServerResponse(context)
+ if not isinstance(self, tornado.websocket.WebSocketHandler):
+ # Fetch the server response
+ response = kerberos.authGSSServerResponse(context)
- # Send the server response
- self.set_header("WWW-Authenticate", "Negotiate %s" % response)
+ # Send the server response
+ self.set_header("WWW-Authenticate", "Negotiate %s" % response)
 # Return the user who just authenticated
 user = kerberos.authGSSServerUserName(context)
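Review bot: In the non-WebSocket branch of the second hunk, `response` is formatted into the header without checking that a token actually came back. If `kerberos.authGSSServerResponse(context)` yields no token (the binding appears to return None in that case, worth confirming), the client is sent `WWW-Authenticate: Negotiate None`, and a client that enforces mutual authentication will fail on it. Guarding the header with `if response:` before the `self.set_header(...)` call avoids that. Separately, a comment on the `isinstance` line such as `# WebSocket handlers send no GSS reply token, so these clients get no Kerberos proof of the server's identity` would record the trust consequence next to the code. The enclosing method starts and ends outside the hunk.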