From 589b0d2d1e0fe0de0e0ff3dfdaa97b84b4cf3e41 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20L=C3=B6sche?= Date: Thu, 24 Nov 2022 15:36:26 +0100 Subject: [PATCH] [resotolib][fix] Compare origin to host in cookie based JWT auth (#1306) --- resotolib/resotolib/asynchronous/web/auth.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/resotolib/resotolib/asynchronous/web/auth.py b/resotolib/resotolib/asynchronous/web/auth.py index 0ea16b1a37..8c8589ed5f 100644 --- a/resotolib/resotolib/asynchronous/web/auth.py +++ b/resotolib/resotolib/asynchronous/web/auth.py @@ -3,6 +3,7 @@ from contextvars import ContextVar from re import RegexFlag from typing import Any, Dict, Optional, Set +from urllib.parse import urlparse from aiohttp import web from aiohttp.web import Request, StreamResponse @@ -38,10 +39,18 @@ def always_allowed(request: Request) -> bool: @middleware async def valid_jwt_handler(request: Request, handler: RequestHandler) -> StreamResponse: - auth_header = request.headers.get("authorization") or request.cookies.get("resoto_authorization") + auth_header = request.headers.get("Authorization") or request.cookies.get("resoto_authorization") if always_allowed(request): return await handler(request) elif auth_header: + origin: Optional[str] = urlparse(request.headers.get("Origin")).hostname + host: Optional[str] = request.headers.get("Host") + if host is not None and origin is not None: + if ":" in host: + host = host.split(":")[0] + if origin.lower() != host.lower(): + log.warning(f"Origin {origin} is not allowed in request from {request.remote} to {request.path}") + raise web.HTTPForbidden() try: # note: the expiration is already checked by this function jwt = ck_jwt.decode_jwt_from_header_value(auth_header, psk)
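Review bot: The new Host normalisation `host = host.split(":")[0]` breaks for IPv6 literals: `Host: [::1]:8900` becomes `[` while `urlparse(...).hostname` of a matching Origin yields `::1`, so every same-origin browser request to an IPv6 address is now refused with 403; parsing Host with the same function, `host = urlparse(f"//{host}").hostname`, keeps both sides consistent. The `origin is not None` guard also skips the comparison not only when Origin is absent but when it is `null` (sandboxed iframes, some redirect chains) or malformed, because `.hostname` is None in those cases, so exactly the cross-site requests the cookie check is meant to stop fall through to the JWT decode unchecked — a present-but-unparseable Origin should be rejected, and `urlparse` can raise `ValueError` on an unbalanced IPv6 bracket, which would surface as a 500 rather than a 403. Scheme and port are not compared either, so an http: page can drive https: endpoints on the same host; if that is an accepted limitation it deserves a comment. valid_jwt_handler's body continues past the hunk, so the rewrite below ends before the existing `try:`.
```python
    elif auth_header:
        origin_hdr = request.headers.get("Origin")
        host_hdr = request.headers.get("Host")
        if origin_hdr is not None and host_hdr is not None:
            try:
                # Parse Host the same way as Origin so IPv6 literals ("[::1]:8900")
                # and ports are handled; "Origin: null" or a malformed Origin
                # yields no hostname and is rejected rather than skipped.
                origin = urlparse(origin_hdr).hostname
                host = urlparse(f"//{host_hdr}").hostname
            except ValueError:
                origin = host = None
            if origin is None or host is None or origin.lower() != host.lower():
                log.warning(f"Origin {origin_hdr} is not allowed in request from {request.remote} to {request.path}")
                raise web.HTTPForbidden()
        # … unchanged: JWT decoding in the try block that follows …
```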