habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

internal: remove special route for /outpost.goauthentik.io (#7539)

Browse Source 
With this special route for outpost.goauthentik.io, misdirected requests to /outpost.goauthentik.io/auth/start will create a cookie for the domain authentik is accessed under, which will cause issues with the actual full auth flow. Requests to /outpost.goauthentik.io will still be routed to the outpost, but with this change only when the hostname matches

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L
2023-11-13 17:39:40 +01:00
committed by GitHub
parent 695719540b
commit dc7ffba8fa
3 changed files with 11 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/outpost/proxyv2/application/application.go
View File

@ -235,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
return *a.proxyConfig.Mode return *a.proxyConfig.Mode
} }
func (a *Application) HasQuerySignature(r *http.Request) bool { func (a *Application) ShouldHandleURL(r *http.Request) bool {
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
return true
}
if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") { if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
return true return true
} }

2
internal/outpost/proxyv2/proxyv2.go
View File

@ -74,7 +74,7 @@ func (ps *ProxyServer) HandleHost(rw http.ResponseWriter, r *http.Request) bool
if a == nil { if a == nil {
return false return false
} }
if a.HasQuerySignature(r) || a.Mode() == api.PROXYMODE_PROXY { if a.ShouldHandleURL(r) || a.Mode() == api.PROXYMODE_PROXY {
a.ServeHTTP(rw, r) a.ServeHTTP(rw, r)
return true return true
} }

26
internal/web/proxy.go
View File

@ -32,18 +32,6 @@ func (ws *WebServer) configureProxy() {
} }
rp.ErrorHandler = ws.proxyErrorHandler rp.ErrorHandler = ws.proxyErrorHandler
rp.ModifyResponse = ws.proxyModifyResponse rp.ModifyResponse = ws.proxyModifyResponse
ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if ws.ProxyServer != nil {
before := time.Now()
ws.ProxyServer.Handle(rw, r)
elapsed := time.Since(before)
Requests.With(prometheus.Labels{
"dest": "embedded_outpost",
}).Observe(float64(elapsed) / float64(time.Second))
return
}
ws.proxyErrorHandler(rw, r, errors.New("proxy not running"))
})
ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) { ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(204) rw.WriteHeader(204)
})) }))
@ -53,14 +41,12 @@ func (ws *WebServer) configureProxy() {
return return
} }
before := time.Now() before := time.Now()
if ws.ProxyServer != nil { if ws.ProxyServer != nil && ws.ProxyServer.HandleHost(rw, r) {
if ws.ProxyServer.HandleHost(rw, r) { elapsed := time.Since(before)
elapsed := time.Since(before) Requests.With(prometheus.Labels{
Requests.With(prometheus.Labels{ "dest": "embedded_outpost",
"dest": "embedded_outpost", }).Observe(float64(elapsed) / float64(time.Second))
}).Observe(float64(elapsed) / float64(time.Second)) return
return
}
} }
elapsed := time.Since(before) elapsed := time.Since(before)
Requests.With(prometheus.Labels{ Requests.With(prometheus.Labels{