From cc3ec7492af2fd32fdd9dc685f35da30361076a6 Mon Sep 17 00:00:00 2001
From: Nils Bandener
Date: Tue, 21 Feb 2023 15:53:36 +0100
Subject: [PATCH] Use deflate to compress authentication header payload in Dashboard cookie
Signed-off-by: Nils Bandener
---
 server/auth/types/saml/routes.ts | 7 +++++--
 server/auth/types/saml/saml_auth.ts | 26 +++++++++++++++++++++++---
 server/utils/compression.ts | 14 ++++++++++++++
 3 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 server/utils/compression.ts
diff --git a/server/auth/types/saml/routes.ts b/server/auth/types/saml/routes.ts
index 227976612..fefeb9499 100644
--- a/server/auth/types/saml/routes.ts
+++ b/server/auth/types/saml/routes.ts
@@ -25,6 +25,7 @@ import { SecurityClient } from '../../../backend/opensearch_security_client';
 import { CoreSetup } from '../../../../../../src/core/server';
 import { validateNextUrl } from '../../../utils/next_url';
 import { AuthType, SAML_AUTH_LOGIN, SAML_AUTH_LOGOUT } from '../../../../common';
+import { deflateValue } from '../../../utils/compression';
 export class SamlAuthRoutes {
 constructor(
@@ -141,10 +142,11 @@ export class SamlAuthRoutes {
 if (tokenPayload.exp) {
 expiryTime = parseInt(tokenPayload.exp, 10) * 1000;
 }
+ const compressedBuffer: Buffer = deflateValue(credentials.authorization);
 const cookie: SecuritySessionCookie = {
 username: user.username,
 credentials: {
- authHeaderValue: credentials.authorization,
+ authHeaderValueCompressed: compressedBuffer.toString('base64'),
 },
 authType: AuthType.SAML, // TODO: create constant
 expiryTime,
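Review bot: The deflate-then-base64 step in the `routes.ts` hunk at `@@ -141,10 +142,11 @@` is written inline and repeated verbatim in the hunk at `@@ -209,10 +211,11 @@`, and the third writer of this field, in `saml_auth.ts`, already differs by omitting `.toString('base64')`. A single helper that returns the encoded string, used as `authHeaderValueCompressed: deflateValue(credentials.authorization).toString('base64'),` in one place only, would keep every writer consistent with the base64 decode in `buildAuthHeaderFromCookie`. `credentials.authorization` is passed to `deflateValue` unchecked; its origin is outside both hunks, but if it can be undefined then `zlib.deflateSync` throws inside the login handler, so it should be guarded before the cookie is built. Both handler bodies start and end outside their hunks.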
@@ -209,10 +211,11 @@ export class SamlAuthRoutes {
 expiryTime = parseInt(tokenPayload.exp, 10) * 1000;
 }
+ const compressedBuffer: Buffer = deflateValue(credentials.authorization);
 const cookie: SecuritySessionCookie = {
 username: user.username,
 credentials: {
- authHeaderValue: credentials.authorization,
+ authHeaderValueCompressed: compressedBuffer.toString('base64'),
 },
 authType: AuthType.SAML, // TODO: create constant
 expiryTime,
diff --git a/server/auth/types/saml/saml_auth.ts b/server/auth/types/saml/saml_auth.ts
index 4f6e8b4f9..30a646921 100644
--- a/server/auth/types/saml/saml_auth.ts
+++ b/server/auth/types/saml/saml_auth.ts
@@ -34,6 +34,10 @@ import {
 import { SamlAuthRoutes } from './routes';
 import { AuthenticationType } from '../authentication_type';
 import { AuthType } from '../../../../common';
+import {
+ deflateValue,
+ inflateValue
+} from '../../../utils/compression';
 export class SamlAuthentication extends AuthenticationType {
 public static readonly AUTH_HEADER_NAME = 'authorization';
@@ -91,7 +95,9 @@ export class SamlAuthentication extends AuthenticationType {
 return {
 username: authInfo.user_name,
 credentials: {
- authHeaderValue: request.headers[SamlAuthentication.AUTH_HEADER_NAME],
+ authHeaderValueCompressed: deflateValue(
+ request.headers[SamlAuthentication.AUTH_HEADER_NAME] as string
+ ),
 },
 authType: AuthType.SAML,
 expiryTime: Date.now() + this.config.session.ttl,
@@ -104,7 +110,7 @@ export class SamlAuthentication extends AuthenticationType {
 cookie.authType === AuthType.SAML &&
 cookie.username &&
 cookie.expiryTime &&
- cookie.credentials?.authHeaderValue
+ (cookie.credentials?.authHeaderValue || cookie.credentials?.authHeaderValueCompressed)
 );
 }
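Review bot: In the `saml_auth.ts` hunk at `@@ -91,7 +95,9 @@`, `authHeaderValueCompressed` is assigned the raw `Buffer` returned by `deflateValue(...)`, whereas both `routes.ts` hunks store `compressedBuffer.toString('base64')` and `buildAuthHeaderFromCookie` reads the field back with `Buffer.from(..., 'base64')`. How the session cookie is serialized is not visible here, but a Buffer is likely to be written as a JSON byte array that is larger than the uncompressed header and is not a base64 string on the way back; the call should end `... as string).toString('base64'),`. The `as string` cast also hides that `request.headers[SamlAuthentication.AUTH_HEADER_NAME]` may be undefined or an array, in which case `zlib.deflateSync` throws, so check `typeof value === 'string'` before compressing. The enclosing method starts and ends outside the hunk.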
@@ -122,7 +128,21 @@ export class SamlAuthentication extends AuthenticationType {
 buildAuthHeaderFromCookie(cookie: SecuritySessionCookie): any {
 const headers: any = {};
- headers[SamlAuthentication.AUTH_HEADER_NAME] = cookie.credentials?.authHeaderValue;
+ if (cookie.credentials?.authHeaderValueCompressed) {
+ try {
+ const uncompressedBuffer = inflateValue(
+ Buffer.from(cookie.credentials.authHeaderValueCompressed, 'base64')
+ );
+ headers[SamlAuthentication.AUTH_HEADER_NAME] = uncompressedBuffer.toString();
+ } catch (error) {
+ this.logger.error(error);
+ // @todo Re-throw?
+ // throw error;
+ }
+ } else {
+ headers[SamlAuthentication.AUTH_HEADER_NAME] = cookie.credentials?.authHeaderValue;
+ }
+
 return headers;
 }
 }
diff --git a/server/utils/compression.ts b/server/utils/compression.ts
new file mode 100644
index 000000000..eeb39e5bd
--- /dev/null
+++ b/server/utils/compression.ts
@@ -0,0 +1,14 @@
+import zlib, { ZlibOptions } from 'node:zlib';
+
+
+export function deflateValue(value: string, options: ZlibOptions = {}): Buffer {
+ const compressedBuffer: Buffer = zlib.deflateSync(value, options);
+
+ return compressedBuffer;
+}
+
+export function inflateValue(value: Buffer, options: ZlibOptions = {}): Buffer {
+ const uncompressedBuffer: Buffer = zlib.inflateSync(value, options);
+
+ return uncompressedBuffer;
+}
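Review bot: The `catch` block in `buildAuthHeaderFromCookie` (hunk at `@@ -122,7 +128,21 @@`) logs the inflate failure and then falls through to `return headers` with no `authorization` entry, and the `// @todo Re-throw?` question is left open. A cookie that passes `isValidCookie`, which only tests that `authHeaderValueCompressed` is truthy, but cannot be decoded therefore yields a request forwarded without credentials instead of an invalidated session; how the backend treats that request is not visible here. The behaviour should be settled before merge: either enable `throw error;` so the caller can clear the session, or replace the todo with a comment explaining why returning empty headers is safe. A fixed message alongside the error, e.g. `this.logger.error('Failed to inflate SAML auth header from session cookie');`, would also make the event easier to search and alert on.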
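Review bot: `inflateValue` in the new `server/utils/compression.ts` calls `zlib.inflateSync(value, options)` with no bound on the output size, and its only caller in this patch feeds it bytes taken from the session cookie. If the cookie's integrity protection were ever bypassed or misconfigured, a small deflate stream could expand into a very large buffer synchronously on the request path. A default cap makes oversized input fail fast, e.g. `zlib.inflateSync(value, { maxOutputLength: MAX_AUTH_HEADER_BYTES, ...options })`, where `MAX_AUTH_HEADER_BYTES` is a placeholder for a project-chosen limit sized to the largest expected SAML token; the existing `catch` in `buildAuthHeaderFromCookie` would receive the resulting error. Both exports also lack a TSDoc comment; `deflateValue` in particular should state that it returns raw zlib bytes which callers must base64-encode before storing them in the cookie.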