Automatically Logging in user based on request header (Kerberos)


#1

I am running Meteor in a Kerberos SSO environment behind an NginX reverse proxy. NginX handles the Kerberos authentication and fills in a request header field called remote_user.
NginX forwards to the application server over a UNIX domain socket (TCP port would not be secure).

If I want Meteor to be the application server, I have two problems to solve:

  1. Need to get Meteor to listen on UNIX domain socket instead of TCP port
  2. Pass the remote_user field in the request header up to Meteor application code

I tried and failed to get help online, even posted to StackOverflow.
In the end, I started putting console.log() statements all over Meteor code to figure out what was going on, and came up with hacks that work. I am new to JavaScript and I am sure my hacks will not pass any code review :slight_smile: However, if someone has better suggestions, I will be happy to implement, test and submit them.

My changes:

  1. tools/runners/run-proxy.js: changed the server.listen(…) statement to listen to pass a Unix socket file name instead of port num if
  2. packages/webapp/webapp_server.js: Added an app.use(…) block to set an environment variable which can be read later by application code.

I am especially unhappy with having to do #2. For some reason the request headers don’t seem to get passed up to the app. The meteor doc says “whitelisted” header fields are passed through but I don’t know how to whitelist my custom field.
I tried setting global variables and Meteor.user_name, but these magically disappear by the time application code looks at them, even though the code is running in the same process (I know because I logged the pid). I don’t understand JavaScript enough to know how this can happen.