2021-09-08 18:04:56 +00:00
|
|
|
package application
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"net/http"
|
2022-02-15 10:05:03 +00:00
|
|
|
"net/url"
|
|
|
|
"strings"
|
2021-12-21 12:10:57 +00:00
|
|
|
"time"
|
2021-09-08 18:04:56 +00:00
|
|
|
|
|
|
|
"github.com/gorilla/securecookie"
|
2022-03-03 09:40:07 +00:00
|
|
|
"goauthentik.io/api/v3"
|
2021-09-08 18:04:56 +00:00
|
|
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
|
|
|
)
|
|
|
|
|
2022-02-15 10:05:03 +00:00
|
|
|
const (
|
2022-07-30 15:51:01 +00:00
|
|
|
redirectParam = "rd"
|
|
|
|
CallbackSignature = "X-authentik-auth-callback"
|
2022-08-07 16:50:24 +00:00
|
|
|
LogoutSignature = "X-authentik-logout"
|
2022-02-15 10:05:03 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
|
2022-02-15 12:43:55 +00:00
|
|
|
rd := r.URL.Query().Get(redirectParam)
|
2022-02-15 10:05:03 +00:00
|
|
|
if rd == "" {
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
u, err := url.Parse(rd)
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("Failed to parse redirect URL")
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
// Check to make sure we only redirect to allowed places
|
|
|
|
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
2023-02-20 20:22:18 +00:00
|
|
|
ext, err := url.Parse(a.proxyConfig.ExternalHost)
|
|
|
|
if err != nil {
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
ext.Scheme = ""
|
|
|
|
if !strings.Contains(u.String(), ext.String()) {
|
|
|
|
a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
|
2022-02-15 10:05:03 +00:00
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
} else {
|
2022-02-15 13:58:19 +00:00
|
|
|
if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
|
|
|
|
a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
|
2022-02-15 10:05:03 +00:00
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
}
|
2022-02-15 12:43:55 +00:00
|
|
|
return u.String(), true
|
2022-02-15 10:05:03 +00:00
|
|
|
}
|
|
|
|
|
2022-07-30 15:51:01 +00:00
|
|
|
func (a *Application) handleAuthStart(rw http.ResponseWriter, r *http.Request) {
|
2022-02-15 10:05:03 +00:00
|
|
|
newState := base64.RawURLEncoding.EncodeToString(securecookie.GenerateRandomKey(32))
|
2023-02-12 15:34:57 +00:00
|
|
|
s, _ := a.sessions.Get(r, a.SessionName())
|
2022-10-20 19:27:34 +00:00
|
|
|
// Check if we already have a state in the session,
|
|
|
|
// and if we do we don't do anything here
|
|
|
|
currentState, ok := s.Values[constants.SessionOAuthState].(string)
|
|
|
|
if ok {
|
2023-01-13 15:22:03 +00:00
|
|
|
claims, err := a.checkAuth(rw, r)
|
2022-10-20 19:27:34 +00:00
|
|
|
if err != nil && claims != nil {
|
|
|
|
a.log.Trace("auth start request with existing authenticated session")
|
|
|
|
a.redirect(rw, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
a.log.Trace("session already has state, sending redirect to current state")
|
|
|
|
http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(currentState), http.StatusFound)
|
|
|
|
return
|
2021-12-26 13:56:34 +00:00
|
|
|
}
|
2022-02-15 10:05:03 +00:00
|
|
|
rd, ok := a.checkRedirectParam(r)
|
|
|
|
if ok {
|
|
|
|
s.Values[constants.SessionRedirect] = rd
|
|
|
|
a.log.WithField("rd", rd).Trace("Setting redirect")
|
|
|
|
}
|
2022-10-20 19:27:34 +00:00
|
|
|
s.Values[constants.SessionOAuthState] = newState
|
|
|
|
err := s.Save(r, rw)
|
2021-09-08 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
}
|
2021-12-26 13:11:11 +00:00
|
|
|
http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(newState), http.StatusFound)
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|
|
|
|
|
2022-07-30 15:51:01 +00:00
|
|
|
func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request) {
|
2023-02-12 15:34:57 +00:00
|
|
|
s, err := a.sessions.Get(r, a.SessionName())
|
2022-02-15 22:24:27 +00:00
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Trace("failed to get session")
|
|
|
|
}
|
2021-09-08 18:04:56 +00:00
|
|
|
state, ok := s.Values[constants.SessionOAuthState]
|
|
|
|
if !ok {
|
|
|
|
a.log.Warning("No state saved in session")
|
2022-10-20 19:27:34 +00:00
|
|
|
a.redirect(rw, r)
|
2021-09-08 18:04:56 +00:00
|
|
|
return
|
|
|
|
}
|
2022-10-20 19:27:34 +00:00
|
|
|
claims, err := a.redeemCallback(state.(string), r.URL, r.Context())
|
2021-09-08 18:04:56 +00:00
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to redeem code")
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
// To prevent the user from just refreshing and cause more errors, delete
|
|
|
|
// the state from the session
|
|
|
|
delete(s.Values, constants.SessionOAuthState)
|
|
|
|
err := s.Save(r, rw)
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
2021-12-21 12:10:57 +00:00
|
|
|
s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
|
2021-09-08 18:04:56 +00:00
|
|
|
s.Values[constants.SessionClaims] = &claims
|
|
|
|
err = s.Save(r, rw)
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("failed to save session")
|
|
|
|
rw.WriteHeader(400)
|
|
|
|
return
|
|
|
|
}
|
2022-10-20 19:27:34 +00:00
|
|
|
a.redirect(rw, r)
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|