authentik/internal/outpost/proxyv2/application/auth.go

package application

import (
	"fmt"
	"net/http"

	"goauthentik.io/internal/outpost/proxyv2/constants"
)

const HeaderAuthorization = "Authorization"
const AuthBearer = "Bearer "

// checkAuth Get claims which are currently in session
// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
	s, _ := a.sessions.Get(r, constants.SessionName)

	c := a.getClaimsFromSession(r)
	if c != nil {
		return c, nil
	}

	if rw == nil {
		return nil, fmt.Errorf("no response writer")
	}
	// Check bearer token if set
	bearer := a.checkAuthHeaderBearer(r)
	if bearer != "" {
		a.log.Trace("checking bearer token")
		tc := a.attemptBearerAuth(r, bearer)
		if tc != nil {
			s.Values[constants.SessionClaims] = tc.Claims
			err := s.Save(r, rw)
			if err != nil {
				return nil, err
			}
			r.Header.Del(HeaderAuthorization)
			return &tc.Claims, nil
		}
		a.log.Trace("no/invalid bearer token")
	}
	// Check basic auth if set
	username, password, basicSet := r.BasicAuth()
	if basicSet {
		a.log.Trace("checking basic auth")
		tc := a.attemptBasicAuth(username, password)
		if tc != nil {
			s.Values[constants.SessionClaims] = *tc
			err := s.Save(r, rw)
			if err != nil {
				return nil, err
			}
			r.Header.Del(HeaderAuthorization)
			return tc, nil
		}
		a.log.Trace("no/invalid basic auth")
	}

	return nil, fmt.Errorf("failed to get claims from session")
}

func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
	s, err := a.sessions.Get(r, constants.SessionName)
	if err != nil {
		// err == user has no session/session is not valid, reject
		return nil
	}
	claims, ok := s.Values[constants.SessionClaims]
	if claims == nil || !ok {
		// no claims saved, reject
		return nil
	}
	c, ok := claims.(Claims)
	if !ok {
		return nil
	}
	return &c
}
providers/proxy: add initial header token auth (#4421) * initial implementation Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check for openid/profile claims Signed-off-by: Jens Langhammer <jens@goauthentik.io> * include jwks sources in proxy provider Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add web ui for jwks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only show sources with JWKS data configured Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix introspection tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * start basic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add basic auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add docs, update admonitions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add client_id to api, add tab for auth Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-01-13 15:22:03 +00:00			`package application`

			`import (`
			`"fmt"`
			`"net/http"`

			`"goauthentik.io/internal/outpost/proxyv2/constants"`
			`)`

			`const HeaderAuthorization = "Authorization"`
			`const AuthBearer = "Bearer "`

			`// checkAuth Get claims which are currently in session`
			`// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast`
			`func (a Application) checkAuth(rw http.ResponseWriter, r http.Request) (*Claims, error) {`
			`s, _ := a.sessions.Get(r, constants.SessionName)`

			`c := a.getClaimsFromSession(r)`
			`if c != nil {`
			`return c, nil`
			`}`

			`if rw == nil {`
			`return nil, fmt.Errorf("no response writer")`
			`}`
			`// Check bearer token if set`
			`bearer := a.checkAuthHeaderBearer(r)`
			`if bearer != "" {`
			`a.log.Trace("checking bearer token")`
			`tc := a.attemptBearerAuth(r, bearer)`
			`if tc != nil {`
			`s.Values[constants.SessionClaims] = tc.Claims`
			`err := s.Save(r, rw)`
			`if err != nil {`
			`return nil, err`
			`}`
			`r.Header.Del(HeaderAuthorization)`
			`return &tc.Claims, nil`
			`}`
			`a.log.Trace("no/invalid bearer token")`
			`}`
			`// Check basic auth if set`
			`username, password, basicSet := r.BasicAuth()`
			`if basicSet {`
			`a.log.Trace("checking basic auth")`
			`tc := a.attemptBasicAuth(username, password)`
			`if tc != nil {`
			`s.Values[constants.SessionClaims] = *tc`
			`err := s.Save(r, rw)`
			`if err != nil {`
			`return nil, err`
			`}`
			`r.Header.Del(HeaderAuthorization)`
			`return tc, nil`
			`}`
			`a.log.Trace("no/invalid basic auth")`
			`}`

			`return nil, fmt.Errorf("failed to get claims from session")`
			`}`

			`func (a Application) getClaimsFromSession(r http.Request) *Claims {`
			`s, err := a.sessions.Get(r, constants.SessionName)`
			`if err != nil {`
			`// err == user has no session/session is not valid, reject`
			`return nil`
			`}`
			`claims, ok := s.Values[constants.SessionClaims]`
			`if claims == nil \|\| !ok {`
			`// no claims saved, reject`
			`return nil`
			`}`
			`c, ok := claims.(Claims)`
			`if !ok {`
			`return nil`
			`}`
			`return &c`
			`}`