2021-09-08 18:04:56 +00:00
|
|
|
package application
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"net/http"
|
2021-12-21 12:10:57 +00:00
|
|
|
"time"
|
2021-09-08 18:04:56 +00:00
|
|
|
|
|
|
|
|
"github.com/gorilla/securecookie"
|
|
|
|
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
|
2021-12-26 13:11:11 +00:00
|
|
|
newState := base64.RawStdEncoding.EncodeToString(securecookie.GenerateRandomKey(32))
|
|
|
|
|
s, err := a.sessions.Get(r, constants.SeesionName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
s.Values[constants.SessionOAuthState] = []string{}
|
|
|
|
|
}
|
|
|
|
|
state := s.Values[constants.SessionOAuthState].([]string)
|
|
|
|
|
s.Values[constants.SessionOAuthState] = append(state, newState)
|
|
|
|
|
err = s.Save(r, rw)
|
2021-09-08 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
|
}
|
2021-12-21 09:07:08 +00:00
|
|
|
if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
|
|
|
|
|
if loop.(int) > 10 {
|
|
|
|
|
rw.WriteHeader(http.StatusBadRequest)
|
|
|
|
|
a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-12-26 13:11:11 +00:00
|
|
|
http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(newState), http.StatusFound)
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
|
s, _ := a.sessions.Get(r, constants.SeesionName)
|
|
|
|
|
state, ok := s.Values[constants.SessionOAuthState]
|
|
|
|
|
if !ok {
|
|
|
|
|
a.log.Warning("No state saved in session")
|
|
|
|
|
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-12-26 13:11:11 +00:00
|
|
|
claims, err := a.redeemCallback(r, state.([]string))
|
2021-09-08 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
|
a.log.WithError(err).Warning("failed to redeem code")
|
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
|
// To prevent the user from just refreshing and cause more errors, delete
|
|
|
|
|
// the state from the session
|
|
|
|
|
delete(s.Values, constants.SessionOAuthState)
|
|
|
|
|
err := s.Save(r, rw)
|
|
|
|
|
if err != nil {
|
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-12-21 12:10:57 +00:00
|
|
|
s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
|
2021-09-08 18:04:56 +00:00
|
|
|
s.Values[constants.SessionClaims] = &claims
|
|
|
|
|
err = s.Save(r, rw)
|
|
|
|
|
if err != nil {
|
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-09-09 08:56:20 +00:00
|
|
|
redirect := a.proxyConfig.ExternalHost
|
|
|
|
|
redirectR, ok := s.Values[constants.SessionRedirect]
|
|
|
|
|
if ok {
|
2021-12-26 13:11:11 +00:00
|
|
|
a.log.WithField("redirect", redirectR).Trace("got final redirect from session")
|
2021-09-09 08:56:20 +00:00
|
|
|
redirect = redirectR.(string)
|
|
|
|
|
}
|
|
|
|
|
http.Redirect(rw, r, redirect, http.StatusFound)
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|
