Backoffice session timeout on custom-URL backoffices leads to high browser CPU and self-inflicted backend DDoS (#5210)

2019-04-23 16:37:37 +02:00
parent db7ae9a7e2
commit 8d382fb9b7
1 changed files with 20 additions and 13 deletions
--- a/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js
+++ b/src/Umbraco.Web.UI.Client/src/common/security/securityinterceptor.js
@@ -44,21 +44,28 @@ angular.module('umbraco.security.interceptor')
                        return promise;
                    }

-                    //A 401 means that the user is not logged in
-                    if (originalResponse.status === 401 && !originalResponse.config.url.endsWith("umbraco/backoffice/UmbracoApi/Authentication/GetCurrentUser")) {
+                    if (originalResponse.status === 401) {

-                      var userService = $injector.get('userService'); // see above
+                        //A 401 means that the user is not logged in

-                      //Associate the user name with the retry to ensure we retry for the right user
-                      promise = userService.getCurrentUser()
-                        .then(function (user) {
-                          var userName = user ? user.name : null;
-                          //The request bounced because it was not authorized - add a new request to the retry queue
-                          return queue.pushRetryFn('unauthorized-server', userName, function retryRequest() {
-                            // We must use $injector to get the $http service to prevent circular dependency
-                            return $injector.get('$http')(originalResponse.config);
-                          });
-                        });
+                        //avoid an infinite loop
+                        var umbRequestHelper = $injector.get('umbRequestHelper');
+                        var getCurrentUserPath = umbRequestHelper.getApiUrl("authenticationApiBaseUrl", "GetCurrentUser");
+                        if (!originalResponse.config.url.endsWith(getCurrentUserPath)) {
+
+                            var userService = $injector.get('userService'); // see above
+
+                            //Associate the user name with the retry to ensure we retry for the right user
+                            promise = userService.getCurrentUser()
+                                .then(function (user) {
+                                    var userName = user ? user.name : null;
+                                    //The request bounced because it was not authorized - add a new request to the retry queue
+                                    return queue.pushRetryFn('unauthorized-server', userName, function retryRequest() {
+                                        // We must use $injector to get the $http service to prevent circular dependency
+                                        return $injector.get('$http')(originalResponse.config);
+                                    });
+                                });
+                        }
                    }
                    else if (originalResponse.status === 404) {