fix: 🐛 Empty referrer is always considered as external

Dominik Frantisek Bucik · Dominik Frantisek Bucik · commit 73288b52b796 · 2022-01-26T13:36:44.000+01:00
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java
@@ -68,19 +68,18 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         HttpServletRequest req = (HttpServletRequest) request;
         HttpServletResponse res = (HttpServletResponse) response;
         if (MATCHER.matches(req)) {
-            boolean isDeviceCodeFlow = DEVICE_CODE_MATCHER.matches(req) || DEVICE_CODE_ALL_MATCHER.matches(req);
             String referer = req.getHeader(REFERER);
-            if (!isInternalReferer(referer, !isDeviceCodeFlow)) {
+            if (!isInternalReferer(referer)) {
                 log.debug("Got external referer, clear session to reauthenticate");
                 contextLogoutHandler.logout(req, res, null);
             }
         }
         chain.doFilter(req, res);
     }
 
-    private boolean isInternalReferer(String referer, boolean emptyRefererAsInternal) {
-        if (!StringUtils.hasText(referer)) { // no referer, consider as internal
-            return emptyRefererAsInternal;
+    private boolean isInternalReferer(String referer) {
+        if (!StringUtils.hasText(referer)) {
+            return false;
         }
         for (String internal : internalReferrers) {
             if (referer.startsWith(internal)) {

Original file line number	Diff line number	Diff line change
`@@ -68,19 +68,18 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha`
`68`	`68`	`HttpServletRequest req = (HttpServletRequest) request;`
`69`	`69`	`HttpServletResponse res = (HttpServletResponse) response;`
`70`	`70`	`if (MATCHER.matches(req)) {`
`71`		`- boolean isDeviceCodeFlow = DEVICE_CODE_MATCHER.matches(req) \|\| DEVICE_CODE_ALL_MATCHER.matches(req);`
`72`	`71`	`String referer = req.getHeader(REFERER);`
`73`		`- if (!isInternalReferer(referer, !isDeviceCodeFlow)) {`
	`72`	`+ if (!isInternalReferer(referer)) {`
`74`	`73`	`log.debug("Got external referer, clear session to reauthenticate");`
`75`	`74`	`contextLogoutHandler.logout(req, res, null);`
`76`	`75`	`}`
`77`	`76`	`}`
`78`	`77`	`chain.doFilter(req, res);`
`79`	`78`	`}`
`80`	`79`
`81`		`- private boolean isInternalReferer(String referer, boolean emptyRefererAsInternal) {`
`82`		`- if (!StringUtils.hasText(referer)) { // no referer, consider as internal`
`83`		`- return emptyRefererAsInternal;`
	`80`	`+ private boolean isInternalReferer(String referer) {`
	`81`	`+ if (!StringUtils.hasText(referer)) {`
	`82`	`+ return false;`
`84`	`83`	`}`
`85`	`84`	`for (String internal : internalReferrers) {`
`86`	`85`	`if (referer.startsWith(internal)) {`