Skip to content

Enforce corporate_id claim in Penpot auth_request middleware#36

Open
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth
Open

Enforce corporate_id claim in Penpot auth_request middleware#36
UsamaSadiq wants to merge 1 commit into
foss-sandboxfrom
usama/enforce-corporate-id-auth

Conversation

@UsamaSadiq

Copy link
Copy Markdown
Collaborator

Description

Add corporate_id enforcement to Penpot's wrap-authz middleware in auth_request.clj. When PENPOT_SMB_CORPORATE_ID is set, the middleware decodes the X-Auth-Request-Access-Token JWT payload and rejects requests where custom:is_corporate is not "true" or custom:corporate_id does not match the configured value. Returns 403 on mismatch. When the env var is empty or unset, all checks are skipped (backward compatible).

This is the per-app Layer 2 enforcement that closes the Bearer token bypass path (SKIP_JWT_BEARER_TOKENS=true in oauth2-proxy). Layer 1 enforcement in mpass-auth-proxy is already on foss-sandbox.

Signed-off-by: Usama Sadiq <usama.sadiq@arbisoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant