c2cgeoportal-geoportal 2.5.0.100__py2.py3-none-any.whl → 2.7.1.83__py2.py3-none-any.whl

c2cgeoportal_geoportal/views/login.py

@@ -1,6 +1,4 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2011-2020, Camptocamp SA
+# Copyright (c) 2011-2022, Camptocamp SA
 # All rights reserved.
 
 # Redistribution and use in source and binary forms, with or without
@@ -30,24 +28,33 @@
 
 import json
 import logging
-from random import Random
+import secrets
 import sys
-from typing import Dict, Set, Tuple  # noqa # pylint: disable=unused-import
-import xml.dom.minidom  # noqa # pylint: disable=unused-import
+import urllib.parse
+from typing import Any, Dict, List, Optional, Tuple, Union
 
 import pyotp
-from pyramid.httpexceptions import HTTPBadRequest, HTTPForbidden, HTTPFound, HTTPUnauthorized
+import pyramid.request
+import pyramid.response
+from pyramid.httpexceptions import (
+    HTTPBadRequest,
+    HTTPForbidden,
+    HTTPFound,
+    HTTPUnauthorized,
+    exception_response,
+)
 from pyramid.response import Response
 from pyramid.security import forget, remember
-from pyramid.view import view_config
+from pyramid.view import forbidden_view_config, view_config
 from sqlalchemy.orm.exc import NoResultFound
 
 from c2cgeoportal_commons import models
 from c2cgeoportal_commons.lib.email_ import send_email_config
 from c2cgeoportal_commons.models import static
-from c2cgeoportal_geoportal import is_valid_referer
-from c2cgeoportal_geoportal.lib import get_setting, is_intranet
-from c2cgeoportal_geoportal.lib.caching import NO_CACHE, PUBLIC_CACHE, get_region, set_common_headers
+from c2cgeoportal_geoportal import is_valid_referrer
+from c2cgeoportal_geoportal.lib import get_setting, is_intranet, oauth2
+from c2cgeoportal_geoportal.lib.caching import get_region
+from c2cgeoportal_geoportal.lib.common_headers import Cache, set_common_headers
 from c2cgeoportal_geoportal.lib.functionality import get_functionality
 
 LOG = logging.getLogger(__name__)
@@ -55,16 +62,23 @@ CACHE_REGION = get_region("std")
 
 
 class Login:
-    def __init__(self, request):
+    """
+    All the login, logout, oauth2, user information views.
+
+    Also manage the 2fa.
+    """
+
+    def __init__(self, request: pyramid.request.Request):
         self.request = request
         self.settings = request.registry.settings
         self.lang = request.locale_name
 
         authentication_settings = self.settings.get("authentication", {})
+
         self.two_factor_auth = authentication_settings.get("two_factor", False)
         self.two_factor_issuer_name = authentication_settings.get("two_factor_issuer_name")
 
-    def _functionality(self):
+    def _functionality(self) -> Dict[str, List[Union[str, int, float, bool, List[Any], Dict[str, Any]]]]:
         functionality = {}
         for func_ in get_setting(self.settings, ("functionalities", "available_in_templates"), []):
             functionality[func_] = get_functionality(func_, self.request, is_intranet(self.request))
@@ -72,42 +86,48 @@ class Login:
 
     def _referer_log(self) -> None:
         if not hasattr(self.request, "is_valid_referer"):
-            self.request.is_valid_referer = is_valid_referer(self.request)
+            self.request.is_valid_referer = is_valid_referrer(self.request)
         if not self.request.is_valid_referer:
             LOG.info("Invalid referer for %s: %s", self.request.path_qs, repr(self.request.referer))
 
-    @view_config(context=HTTPForbidden, renderer="login.html")
-    def loginform403(self):
-        if self.request.authenticated_userid:
-            return HTTPUnauthorized()  # pragma: no cover
+    @forbidden_view_config(renderer="login.html")  # type: ignore
+    def loginform403(self) -> Union[Dict[str, Any], pyramid.response.Response]:
+        if self.request.authenticated_userid is not None:
+            return HTTPForbidden()
 
-        set_common_headers(self.request, "login", NO_CACHE)
+        set_common_headers(self.request, "login", Cache.PRIVATE_NO)
 
-        return {"lang": self.lang, "came_from": self.request.path, "two_fa": self.two_factor_auth}
+        return {
+            "lang": self.lang,
+            "login_params": {
+                "came_from": (f"{self.request.path}?{urllib.parse.urlencode(self.request.GET)}")
+            },
+            "two_fa": self.two_factor_auth,
+        }
 
-    @view_config(route_name="loginform", renderer="login.html")
-    def loginform(self):
-        set_common_headers(self.request, "login", PUBLIC_CACHE)
+    @view_config(route_name="loginform", renderer="login.html")  # type: ignore
+    def loginform(self) -> Dict[str, Any]:
+        set_common_headers(self.request, "login", Cache.PUBLIC)
 
         return {
             "lang": self.lang,
-            "came_from": self.request.params.get("came_from") or "/",
+            "login_params": {"came_from": self.request.params.get("came_from") or "/"},
             "two_fa": self.two_factor_auth,
         }
 
     @staticmethod
-    def _validate_2fa_totp(user, otp: str) -> bool:
+    def _validate_2fa_totp(user: static.User, otp: str) -> bool:
         if pyotp.TOTP(user.tech_data.get("2fa_totp_secret", "")).verify(otp):
             return True
         return False
 
-    @view_config(route_name="login")
-    def login(self):
+    @view_config(route_name="login")  # type: ignore
+    def login(self) -> pyramid.response.Response:
         self._referer_log()
 
         login = self.request.POST.get("login")
         password = self.request.POST.get("password")
-        if login is None or password is None:  # pragma nocover
+        if login is None or password is None:
             raise HTTPBadRequest("'login' and 'password' should be available in request params.")
         username = self.request.registry.validate_user(self.request, login, password)
         if username is not None:
@@ -117,16 +137,18 @@ class Login:
                     user.is_password_changed = False
                 if not user.is_password_changed:
                     user.tech_data["2fa_totp_secret"] = pyotp.random_base32()
+                    if self.request.GET.get("type") == "oauth2":
+                        raise HTTPFound(location=self.request.route_url("notlogin"))
                     return set_common_headers(
                         self.request,
                         "login",
-                        NO_CACHE,
+                        Cache.PRIVATE_NO,
                         response=Response(
                             json.dumps(
                                 {
                                     "username": user.username,
                                     "is_password_changed": False,
-                                    "two_factor_enable": True,
+                                    "two_factor_enable": self.two_factor_auth,
                                     "two_factor_totp_secret": user.tech_data["2fa_totp_secret"],
                                     "otp_uri": pyotp.TOTP(user.tech_data["2fa_totp_secret"]).provisioning_uri(
                                         user.email, issuer_name=self.two_factor_issuer_name
@@ -146,24 +168,29 @@ class Login:
             user.tech_data["consecutive_failed"] = "0"
 
             if not user.is_password_changed:
+                if self.request.GET.get("type") == "oauth2":
+                    raise HTTPFound(location=self.request.route_url("notlogin"))
                 return set_common_headers(
                     self.request,
                     "login",
-                    NO_CACHE,
+                    Cache.PRIVATE_NO,
                     response=Response(
                         json.dumps(
                             {
                                 "username": user.username,
                                 "is_password_changed": False,
-                                "two_factor_enable": True,
+                                "two_factor_enable": self.two_factor_auth,
                             }
                         ),
                         headers=(("Content-Type", "text/json"),),
                     ),
                 )
 
-            headers = remember(self.request, username)
             LOG.info("User '%s' logged in.", username)
+            if self.request.GET.get("type") == "oauth2":
+                self._oauth2_login(user)
+
+            headers = remember(self.request, username)
             came_from = self.request.params.get("came_from")
             if came_from:
                 return HTTPFound(location=came_from, headers=headers)
@@ -171,7 +198,7 @@ class Login:
             return set_common_headers(
                 self.request,
                 "login",
-                NO_CACHE,
+                Cache.PRIVATE_NO,
                 response=Response(json.dumps(self._user(self.request.get_user(username))), headers=headers),
             )
         user = models.DBSession.query(static.User).filter(static.User.username == login).one_or_none()
@@ -189,8 +216,41 @@ class Login:
             self.request.tm.commit()
         raise HTTPUnauthorized("See server logs for details")
 
-    @view_config(route_name="logout")
-    def logout(self):
+    def _oauth2_login(self, user: static.User) -> pyramid.response.Response:
+        self.request.user_ = user
+        LOG.debug(
+            "Call OAuth create_authorization_response with:\nurl: %s\nmethod: %s\nbody:\n%s",
+            self.request.current_route_url(_query=self.request.GET),
+            self.request.method,
+            self.request.body,
+        )
+        headers, body, status = oauth2.get_oauth_client(
+            self.request.registry.settings
+        ).create_authorization_response(
+            self.request.current_route_url(_query=self.request.GET),
+            self.request.method,
+            self.request.body,
+            self.request.headers,
+        )
+        if hasattr(self.request, "tm"):
+            self.request.tm.commit()
+        LOG.debug("OAuth create_authorization_response return\nstatus: %s\nbody:\n%s", status, body)
+
+        if status == 302:
+            raise HTTPFound(location=headers["Location"])
+        if status != 200:
+            if body:
+                raise exception_response(status, details=body)
+            raise exception_response(status)
+        return set_common_headers(
+            self.request,
+            "login",
+            Cache.PRIVATE_NO,
+            response=Response(body, headers=headers.items()),
+        )
+
+    @view_config(route_name="logout")  # type: ignore
+    def logout(self) -> pyramid.response.Response:
         headers = forget(self.request)
 
         if not self.request.user:
@@ -200,9 +260,11 @@ class Login:
         LOG.info("User '%s' (%s) logging out.", self.request.user.username, self.request.user.id)
 
         headers.append(("Content-Type", "text/json"))
-        return set_common_headers(self.request, "login", NO_CACHE, response=Response("true", headers=headers))
+        return set_common_headers(
+            self.request, "login", Cache.PRIVATE_NO, response=Response("true", headers=headers)
+        )
 
-    def _user(self, user=None):
+    def _user(self, user: Optional[static.User] = None) -> Dict[str, Any]:
         result = {
             "functionalities": self._functionality(),
             "is_intranet": is_intranet(self.request),
@@ -219,114 +281,171 @@ class Login:
             )
         return result
 
-    @view_config(route_name="loginuser", renderer="json")
-    def loginuser(self):
-        LOG.info("Client IP adresse: %s", self.request.client_addr)
-        set_common_headers(self.request, "login", NO_CACHE)
+    @view_config(route_name="loginuser", renderer="json")  # type: ignore
+    def loginuser(self) -> Dict[str, Any]:
+        LOG.info("Client IP address: %s", self.request.client_addr)
+        set_common_headers(self.request, "login", Cache.PRIVATE_NO)
         return self._user()
 
-    @view_config(route_name="change_password", renderer="json")
-    def change_password(self):
-        set_common_headers(self.request, "login", NO_CACHE)
+    @view_config(route_name="change_password", renderer="json")  # type: ignore
+    def change_password(self) -> pyramid.response.Response:
+        set_common_headers(self.request, "login", Cache.PRIVATE_NO)
 
         login = self.request.POST.get("login")
         old_password = self.request.POST.get("oldPassword")
         new_password = self.request.POST.get("newPassword")
         new_password_confirm = self.request.POST.get("confirmNewPassword")
+        otp = self.request.POST.get("otp")
         if new_password is None or new_password_confirm is None or old_password is None:
             raise HTTPBadRequest(
                 "'oldPassword', 'newPassword' and 'confirmNewPassword' should be available in "
                 "request params."
             )
+        if self.two_factor_auth and otp is None:
+            raise HTTPBadRequest("The second factor is missing.")
+        if login is None and self.request.user is None:
+            raise HTTPBadRequest("You should be logged in or 'login' should be available in request params.")
+        if new_password != new_password_confirm:
+            raise HTTPBadRequest("The new password and the new password confirmation do not match")
 
         if login is not None:
-            try:
-                user = self.request.get_user(login)
-                if user is None:
-                    LOG.info("The login '%s' does not exist.", login)
-                    raise HTTPUnauthorized("See server logs for details")
-            except NoResultFound:  # pragma: no cover
+            user = models.DBSession.query(static.User).filter_by(username=login).one_or_none()
+            if user is None:
                 LOG.info("The login '%s' does not exist.", login)
                 raise HTTPUnauthorized("See server logs for details")
 
             if self.two_factor_auth:
-                otp = self.request.POST.get("otp")
-                if otp is None:
-                    raise HTTPBadRequest("The second factor is missing.")
                 if not self._validate_2fa_totp(user, otp):
                     LOG.info("The second factor is wrong for user '%s'.", login)
                     raise HTTPUnauthorized("See server logs for details")
-
         else:
-            if self.request.user is not None:
-                user = self.request.user
-            else:
-                raise HTTPBadRequest(
-                    "You should be logged in or 'login' should be available in request params."
-                )
+            user = self.request.user
 
-        username = self.request.registry.validate_user(self.request, user.username, old_password)
-        if username is None:
-            LOG.info("The old password is wrong for user '%s'.", username)
+        if self.request.registry.validate_user(self.request, user.username, old_password) is None:
+            LOG.info("The old password is wrong for user '%s'.", user.username)
             raise HTTPUnauthorized("See server logs for details")
 
-        if new_password != new_password_confirm:
-            raise HTTPBadRequest("The new password and the new password confirmation do not match")
-
         user.password = new_password
         user.is_password_changed = True
         models.DBSession.flush()
-        LOG.info("Password changed for user '%s'", username)
+        LOG.info("Password changed for user '%s'", user.username)
 
-        headers = remember(self.request, username)
+        headers = remember(self.request, user.username)
         headers.append(("Content-Type", "text/json"))
         return set_common_headers(
-            self.request, "login", NO_CACHE, response=Response(json.dumps(self._user(user)), headers=headers)
+            self.request,
+            "login",
+            Cache.PRIVATE_NO,
+            response=Response(json.dumps(self._user(user)), headers=headers),
         )
 
     @staticmethod
-    def generate_password():
-        allchars = "123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-        rand = Random()
+    def generate_password() -> str:
+        all_chars = "123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
 
-        password = ""
+        password = ""  # nosec
         for _ in range(8):
-            password += rand.choice(allchars)
+            password += secrets.choice(all_chars)
 
         return password
 
-    def _loginresetpassword(self):
+    def _loginresetpassword(
+        self,
+    ) -> Tuple[Optional[static.User], Optional[str], Optional[str], Optional[str]]:
         username = self.request.POST.get("login")
         if username is None:
             raise HTTPBadRequest("'login' should be available in request params.")
-        username = self.request.POST["login"]
         try:
             user = models.DBSession.query(static.User).filter(static.User.username == username).one()
-        except NoResultFound:  # pragma: no cover
-            return None, None, None, "The login '{}' does not exist.".format(username)
+        except NoResultFound:
+            return None, None, None, f"The login '{username}' does not exist."
 
-        if user.email is None or user.email == "":  # pragma: no cover
-            return None, None, None, "The user '{}' has no registered email address.".format(user.username)
+        if user.email is None or user.email == "":
+            return None, None, None, f"The user '{user.username}' has no registered email address."
 
         password = self.generate_password()
         user.set_temp_password(password)
 
         return user, username, password, None
 
-    @view_config(route_name="loginresetpassword", renderer="json")
-    def loginresetpassword(self):  # pragma: no cover
-        set_common_headers(self.request, "login", NO_CACHE)
+    @view_config(route_name="loginresetpassword", renderer="json")  # type: ignore
+    def loginresetpassword(self) -> Dict[str, Any]:
+        set_common_headers(self.request, "login", Cache.PRIVATE_NO)
 
         user, username, password, error = self._loginresetpassword()
         if error is not None:
             LOG.info(error)
-            raise HTTPUnauthorized("See server logs for details")
+            return {"success": True}
+
+        if user is None:
+            LOG.info("The user is not found without any error.")
+            return {"success": True}
+
         if user.deactivated:
             LOG.info("The user '%s' is deactivated", username)
-            raise HTTPUnauthorized("See server logs for details")
+            return {"success": True}
 
         send_email_config(
-            self.request.registry.settings, "reset_password", user.email, user=username, password=password
+            self.request.registry.settings,
+            "reset_password",
+            user.email,
+            user=username,
+            password=password,
+            application_url=self.request.route_url("base"),
+            current_url=self.request.current_route_url(),
         )
 
         return {"success": True}
+
+    @view_config(route_name="oauth2token")  # type: ignore
+    def oauth2token(self) -> pyramid.response.Response:
+        LOG.debug(
+            "Call OAuth create_token_response with:\nurl: %s\nmethod: %s\nbody:\n%s",
+            self.request.current_route_url(_query=self.request.GET),
+            self.request.method,
+            self.request.body,
+        )
+        headers, body, status = oauth2.get_oauth_client(self.request.registry.settings).create_token_response(
+            self.request.current_route_url(_query=self.request.GET),
+            self.request.method,
+            self.request.body,
+            self.request.headers,
+            {},
+        )
+        LOG.debug("OAuth create_token_response return status: %s", status)
+
+        if hasattr(self.request, "tm"):
+            self.request.tm.commit()
+
+        # All requests to /token will return a json response, no redirection.
+        if status != 200:
+            if body:
+                raise exception_response(status, detail=body)
+            raise exception_response(status)
+        return set_common_headers(
+            self.request,
+            "login",
+            Cache.PRIVATE_NO,
+            response=Response(body, headers=headers.items()),
+        )
+
+    @view_config(route_name="oauth2loginform", renderer="login.html")  # type: ignore
+    def oauth2loginform(self) -> Dict[str, Any]:
+        set_common_headers(self.request, "login", Cache.PUBLIC)
+
+        if self.request.user:
+            self._oauth2_login(self.request.user)
+
+        login_param = {"type": "oauth2"}
+        login_param.update(self.request.params)
+        return {
+            "lang": self.lang,
+            "login_params": login_param,
+            "two_fa": self.two_factor_auth,
+        }
+
+    @view_config(route_name="notlogin", renderer="notlogin.html")  # type: ignore
+    def notlogin(self) -> Dict[str, Any]:
+        set_common_headers(self.request, "login", Cache.PUBLIC)
+
+        return {"lang": self.lang}

c2cgeoportal_geoportal/views/mapserverproxy.py

@@ -1,6 +1,4 @@
-# -*- coding: utf-8 -*-
-
-# Copyright (c) 2011-2019, Camptocamp SA
+# Copyright (c) 2011-2021, Camptocamp SA
 # All rights reserved.
 
 # Redistribution and use in source and binary forms, with or without
@@ -29,16 +27,18 @@
 
 
 import logging
-from typing import Any, Dict  # noqa, pylint: disable=unused-import
+from typing import Any, Dict, Set
 
-from pyramid.httpexceptions import HTTPUnauthorized
+from pyramid.httpexceptions import HTTPFound, HTTPInternalServerError, HTTPUnauthorized
 from pyramid.request import Request
 from pyramid.response import Response
 from pyramid.view import view_config
 
+from c2cgeoportal_commons.lib.url import Url
 from c2cgeoportal_commons.models import main
 from c2cgeoportal_geoportal.lib import get_roles_id, get_roles_name
-from c2cgeoportal_geoportal.lib.caching import NO_CACHE, PRIVATE_CACHE, PUBLIC_CACHE, get_region
+from c2cgeoportal_geoportal.lib.caching import get_region
+from c2cgeoportal_geoportal.lib.common_headers import Cache
 from c2cgeoportal_geoportal.lib.filter_capabilities import filter_capabilities
 from c2cgeoportal_geoportal.lib.functionality import get_mapserver_substitution_params
 from c2cgeoportal_geoportal.views.ogcproxy import OGCProxy
@@ -48,6 +48,7 @@ LOG = logging.getLogger(__name__)
 
 
 class MapservProxy(OGCProxy):
+    """Proxy for OGC (WMS/WFS) servers."""
 
     params: Dict[str, str] = {}
 
@@ -55,13 +56,18 @@ class MapservProxy(OGCProxy):
         OGCProxy.__init__(self, request)
         self.user = self.request.user
 
-    @view_config(route_name="mapserverproxy")
-    @view_config(route_name="mapserverproxy_post")
+    @view_config(route_name="mapserverproxy")  # type: ignore
+    @view_config(route_name="mapserverproxy_post")  # type: ignore
+    @view_config(route_name="mapserverproxy_get_path")  # type: ignore
+    @view_config(route_name="mapserverproxy_post_path")  # type: ignore
     def proxy(self) -> Response:
-
         if self.user is None and "authentication_required" in self.request.params:
             LOG.debug("proxy() detected authentication_required")
-            raise HTTPUnauthorized(headers={"WWW-Authenticate": 'Basic realm="Access to restricted layers"'})
+            if self.request.registry.settings.get("basicauth", "False").lower() == "true":
+                raise HTTPUnauthorized(
+                    headers={"WWW-Authenticate": 'Basic realm="Access to restricted layers"'}
+                )
+            raise HTTPUnauthorized(headers={"WWW-Authenticate": 'Bearer realm="Access to restricted layers"'})
 
         # We have a user logged in. We need to set group_id and possible layer_name in the params. We set
         # layer_name when either QUERY_PARAMS or LAYERS is set in the WMS params, i.e. for GetMap and
@@ -72,29 +78,34 @@ class MapservProxy(OGCProxy):
             self.params["role_ids"] = ",".join([str(e) for e in get_roles_id(self.request)])
 
             # In some application we want to display the features owned by a user than we need his id.
-            self.params["user_id"] = self.user.id if self.user is not None else "-1"  # pragma: no cover
+            self.params["user_id"] = self.user.id if self.user is not None else "-1"
 
         # Do not allows direct variable substitution
         for k in list(self.params.keys()):
-            if k[:2].capitalize() == "S_":
+            if len(k) > 1 and k[:2].capitalize() == "S_":
                 LOG.warning("Direct substitution not allowed (%s=%s).", k, self.params[k])
                 del self.params[k]
 
-        # add functionalities params
-        self.params.update(get_mapserver_substitution_params(self.request))
+        if (
+            self.ogc_server.auth == main.OGCSERVER_AUTH_STANDARD
+            and self.ogc_server.type == main.OGCSERVER_TYPE_MAPSERVER
+        ):
+            # Add functionalities params
+            self.params.update(get_mapserver_substitution_params(self.request))
 
-        # get method
+        # Get method
         method = self.request.method
 
         # we want the browser to cache GetLegendGraphic and
         # DescribeFeatureType requests
         use_cache = False
 
+        errors: Set[str] = set()
         if method == "GET":
             # For GET requests, params are added only if the self.request
             # parameter is actually provided.
             if "request" not in self.lower_params:
-                self.params = {}  # pragma: no cover
+                self.params = {}
             else:
                 if self.ogc_server.type != main.OGCSERVER_TYPE_QGISSERVER or "user_id" not in self.params:
 
@@ -107,28 +118,33 @@ class MapservProxy(OGCProxy):
                         del self.params["role_ids"]
 
             if "service" in self.lower_params and self.lower_params["service"] == "wfs":
-                _url = self._get_wfs_url()
+                _url = self._get_wfs_url(errors)
             else:
-                _url = self._get_wms_url()
+                _url = self._get_wms_url(errors)
         else:
             # POST means WFS
-            _url = self._get_wfs_url()
-
-        cache_control = PRIVATE_CACHE
-        if method == "GET" and "service" in self.lower_params and self.lower_params["service"] == "wms":
-            if self.lower_params.get("request") in ("getmap", "getfeatureinfo"):
-                cache_control = NO_CACHE
-            elif self.lower_params.get("request") == "getlegendgraphic":
-                cache_control = PUBLIC_CACHE
-        elif method == "GET" and "service" in self.lower_params and self.lower_params["service"] == "wfs":
-            if self.lower_params.get("request") == "getfeature":
-                cache_control = NO_CACHE
-        elif method != "GET":
-            cache_control = NO_CACHE
-
-        headers = self._get_headers()
+            _url = self._get_wfs_url(errors)
+
+        if _url is None:
+            LOG.error("Error getting the URL:\n%s", "\n".join(errors))
+            raise HTTPInternalServerError()
+
+        cache_control = (
+            Cache.PRIVATE
+            if method == "GET"
+            and self.lower_params.get("request")
+            in (
+                "getcapabilities",
+                "getlegendgraphic",
+                "describefeaturetype",
+                "describelayer",
+            )
+            else Cache.PRIVATE_NO
+        )
+
+        headers = self.get_headers()
         # Add headers for Geoserver
-        if self.ogc_server.auth == main.OGCSERVER_AUTH_GEOSERVER:
+        if self.ogc_server.auth == main.OGCSERVER_AUTH_GEOSERVER and self.user is not None:
             headers["sec-username"] = self.user.username
             headers["sec-roles"] = ";".join(get_roles_name(self.request))
 
@@ -150,7 +166,15 @@ class MapservProxy(OGCProxy):
 
         return response
 
-    def _proxy_callback(self, cache_control: int, url: str, params: dict, **kwargs: Any) -> Response:
+    def _proxy_callback(
+        self, cache_control: Cache, url: Url, params: Dict[str, str], **kwargs: Any
+    ) -> Response:
+        if self.request.matched_route.name.endswith("_path"):
+            if self.request.matchdict["path"] == ("favicon.ico",):
+                return HTTPFound("/favicon.ico")
+            url = url.clone()
+            url.path = self.request.path
+
         response = self._proxy(url=url, params=params, **kwargs)
 
         content = response.content