
Fix SAML signature verification (#1396)
sandrotaje authored Jan 21, 2025
1 parent 60b0cf5 commit b465c9b
Showing 2 changed files with 9 additions and 2 deletions.
2 changes: 1 addition & 1 deletion packages/backend-for-frontend/.env
Expand Up @@ -18,7 +18,7 @@ SAML_AUDIENCE=selfcare.dev.interop.pagopa.it
PAGOPA_TENANT_ID=69e2865e-65ab-4e48-a638-2037a9ee2ee7
SAML_CALLBACK_URL="http://test.com/saml2/callback"
SAML_CALLBACK_ERROR_URL="http://test.com/saml2/error"
SAML_PUBLIC_KEY=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoQKapTgYkI9yZCHcNmJSY0giW4i5Qice5VK7SKbOXWsrdXIC5v9ckTSzqkiCzrHblGu4Ep7A/LULWdzUxDW5t6Jjn1rRxpWmTF/LX7to5HGIPH1kJ70gRROAyPUOqMtMUGVuLLKhgcMx71HDaT0OLSqsc0voQEcsBeppsZjFK0WqX9SzPvL3axIhhiBetckQ3R0AgwcZog4h+z3Dv8ngnAcrL3Nbsx6lGpHd7mtScw2JYe1R0C8092hWBZJqRsXUcCOo1piLoa0OwE+sxE+nJfSLjrQV6QkLgJljUUz6a4SwxWbuRyD6voY258GT1hIlvarydG6ctr+0sEfelDWB5QIDAQAB
SAML_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoQKapTgYkI9yZCHcNmJS\nY0giW4i5Qice5VK7SKbOXWsrdXIC5v9ckTSzqkiCzrHblGu4Ep7A/LULWdzUxDW5\nt6Jjn1rRxpWmTF/LX7to5HGIPH1kJ70gRROAyPUOqMtMUGVuLLKhgcMx71HDaT0O\nLSqsc0voQEcsBeppsZjFK0WqX9SzPvL3axIhhiBetckQ3R0AgwcZog4h+z3Dv8ng\nnAcrL3Nbsx6lGpHd7mtScw2JYe1R0C8092hWBZJqRsXUcCOo1piLoa0OwE+sxE+n\nJfSLjrQV6QkLgJljUUz6a4SwxWbuRyD6voY258GT1hIlvarydG6ctr+0sEfelDWB\n5QIDAQAB\n-----END PUBLIC KEY-----"

ALLOW_LIST_CONTAINER="interop-local-bucket"
ALLOW_LIST_PATH="allow-list"
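Review bot: The new PEM-framed value depends on the loader turning the literal `\n` sequences inside the double-quoted string into real newlines, which dotenv does for double-quoted values but a container env file or secret manager that passes the string through verbatim would not; in that case the BEGIN/END markers and body end up on one line and key parsing fails, so it is worth confirming that the non-local config path expands it the same way. Since this key is the only trust anchor for the signature check, a comment above it would help the next maintainer, e.g. `# IdP signing public key, PEM/SPKI; the \n escapes are expanded to newlines by dotenv`. The rest of the file is outside this hunk.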
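--- a/packages/backend-for-frontend/src/utilities/samlValidator.ts
+++ b/packages/backend-for-frontend/src/utilities/samlValidator.ts
@@ -106,7 +106,14 @@ export const validateSamlResponse = (samlResponse: string): SAMLResponse => {
 });
 
 sig.loadSignature(node);
-sig.checkSignature(samlResponse);
+try {
+const isValid = sig.checkSignature(samlResponse);
+if (!isValid) {
+throw samlNotValid("Signature is not valid");
+}
+} catch (e) {
+throw samlNotValid("Signature contains errors");
+}
 
 if (!response.Assertion || response.Assertion.length === 0) {
 throw samlNotValid("Missing Assertions");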
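Review bot: The `throw samlNotValid("Signature is not valid")` inside the `try` is caught by the surrounding `catch (e)` and replaced with "Signature contains errors", so the more specific message can never reach the caller, and the catch also discards `e`, losing the library's actual reason (bad digest, key mismatch, missing reference) from any log. Moving the validity check out of the `try` and carrying the cause into the error keeps the two failure modes distinguishable without widening what is reported to the client. Separately, a true result from `checkSignature` only says that some signed reference verified; unless the setup outside this hunk (the `node` passed to `loadSignature` and the key selection) pins the signed reference to the `Assertion` that is read a few lines later, a signature-wrapping payload could still pass, which is worth confirming. `validateSamlResponse` starts before and ends after this hunk.
```typescript
sig.loadSignature(node);
let isValid: boolean;
try {
  isValid = sig.checkSignature(samlResponse);
} catch (e) {
  // Keep the underlying reason for operators; the client still sees a generic failure.
  const reason = e instanceof Error ? e.message : String(e);
  throw samlNotValid(`Signature contains errors: ${reason}`);
}
if (!isValid) {
  throw samlNotValid("Signature is not valid");
}
// … unchanged: Assertion presence check …
```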
