From f10b57ba0bf69fb9dba83c2a01c8b08ebc182423 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 21 Dec 2021 10:07:08 +0100
Subject: [PATCH] outposts/proxy: handle redirect loop in start handler, show error message

Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/mode_forward.go | 5 -----
 internal/outpost/proxyv2/application/oauth.go | 7 +++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index e5772a1924..69f5ee9b35 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -60,11 +60,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 s.Values[constants.SessionLoopDetection] = 1
 } else {
 s.Values[constants.SessionLoopDetection] = val.(int) + 1
- if val.(int) > 10 {
- a.log.Error("Stopped redirect loop")
- rw.WriteHeader(http.StatusBadRequest)
- return
- }
 }
 }
 err = s.Save(r, rw)
diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index e9e46a3581..c898dfa36b 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -16,6 +16,13 @@ func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
 if err != nil {
 a.log.WithError(err).Warning("failed to save session")
 }
+ if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
+ if loop.(int) > 10 {
+ rw.WriteHeader(http.StatusBadRequest)
+ a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
+ return
+ }
+ }
 http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(state), http.StatusFound)
 }
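Review bot: The added `loop.(int)` in handleRedirect is a single-value type assertion on a value read from the session, so it panics in the request path if the stored value is ever not an `int` (for example after a change of session backend or encoding). The comma-ok form keeps the guard and fails closed to the normal redirect: `if n, ok := loop.(int); ok && n > 10 {`. The branch removed from mode_forward.go logged "Stopped redirect loop" while the new branch has no log call of its own, so unless `ErrorPage` logs (not visible here), add something like `a.log.Warning("detected redirect loop")` so operators can still see these events. Nothing in the visible lines resets `constants.SessionLoopDetection`, so it is worth confirming that the counter is cleared after a successful login; otherwise a long-lived session could reach the threshold without a real loop. handleRedirect begins before this hunk.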