outposts/proxy: reduce possibility for redirect loops, keep single state (#3831)

use single state, redirect when start url is hit with active session Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-20 21:27:34 +02:00
parent a1ce8100e9
commit d53733b6fc
6 changed files with 44 additions and 39 deletions
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@ -56,12 +56,27 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
 	}

 	urlArgs := url.Values{
-		"rd": []string{redirectUrl},
+		redirectParam: []string{redirectUrl},
 	}
 	authUrl := urlJoin(a.proxyConfig.ExternalHost, "/outpost.goauthentik.io/start")
 	http.Redirect(rw, r, authUrl+"?"+urlArgs.Encode(), http.StatusFound)
 }

+func (a *Application) redirect(rw http.ResponseWriter, r *http.Request) {
+	redirect := a.proxyConfig.ExternalHost
+	rd, ok := a.checkRedirectParam(r)
+	if ok {
+		redirect = rd
+	}
+	s, _ := a.sessions.Get(r, constants.SessionName)
+	redirectR, ok := s.Values[constants.SessionRedirect]
+	if ok {
+		redirect = redirectR.(string)
+	}
+	a.log.WithField("redirect", redirect).Trace("final redirect")
+	http.Redirect(rw, r, redirect, http.StatusFound)
+}
+
 // getClaims Get claims which are currently in session
 // Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
 func (a *Application) getClaims(r *http.Request) (*Claims, error) {