outposts/proxyv2: fix before-redirect url not being saved in proxy mode

closes #2109 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-19 19:15:57 +01:00
parent 7f47f93e4e
commit 41e7b9b73f
2 changed files with 31 additions and 1 deletions
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@ -6,7 +6,9 @@ import (
 	"net/url"
 	"path"
 	"strconv"
+	"strings"

+	"goauthentik.io/api"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 )

@ -20,6 +22,33 @@ func urlJoin(originalUrl string, newPath string) string {
 }

 func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
+	s, err := a.sessions.Get(r, constants.SeesionName)
+	if err == nil {
+		a.log.WithError(err).Warning("failed to decode session")
+	}
+	redirectUrl := r.URL.String()
+	// simple way to copy the URL
+	u, _ := url.Parse(redirectUrl)
+	// In proxy and forward_single mode we only have one URL that we route on
+	// if we somehow got here without that URL, make sure we're at least redirected back to it
+	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+		u.Host = a.proxyConfig.ExternalHost
+	}
+	if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
+		dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
+		// In forward_domain we only check that the current URL's host
+		// ends with the cookie domain (remove the leading period if set)
+		if !strings.HasSuffix(r.URL.Hostname(), dom) {
+			a.log.WithField("url", r.URL.String()).WithField("cd", dom).Warning("Invalid redirect found")
+			redirectUrl = ""
+		}
+	}
+	s.Values[constants.SessionRedirect] = redirectUrl
+	err = s.Save(r, rw)
+	if err != nil {
+		a.log.WithError(err).Warning("failed to save session before redirect")
+	}
+
 	authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
 	http.Redirect(rw, r, authUrl, http.StatusFound)
 }