outposts/proxyv2: fix before-redirect url not being saved in proxy mode
closes #2109 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
7f47f93e4e
commit
41e7b9b73f
|
@ -6,7 +6,9 @@ import (
|
|||
"net/url"
|
||||
"path"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"goauthentik.io/api"
|
||||
"goauthentik.io/internal/outpost/proxyv2/constants"
|
||||
)
|
||||
|
||||
|
@ -20,6 +22,33 @@ func urlJoin(originalUrl string, newPath string) string {
|
|||
}
|
||||
|
||||
func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
||||
s, err := a.sessions.Get(r, constants.SeesionName)
|
||||
if err == nil {
|
||||
a.log.WithError(err).Warning("failed to decode session")
|
||||
}
|
||||
redirectUrl := r.URL.String()
|
||||
// simple way to copy the URL
|
||||
u, _ := url.Parse(redirectUrl)
|
||||
// In proxy and forward_single mode we only have one URL that we route on
|
||||
// if we somehow got here without that URL, make sure we're at least redirected back to it
|
||||
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
||||
u.Host = a.proxyConfig.ExternalHost
|
||||
}
|
||||
if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
|
||||
dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
|
||||
// In forward_domain we only check that the current URL's host
|
||||
// ends with the cookie domain (remove the leading period if set)
|
||||
if !strings.HasSuffix(r.URL.Hostname(), dom) {
|
||||
a.log.WithField("url", r.URL.String()).WithField("cd", dom).Warning("Invalid redirect found")
|
||||
redirectUrl = ""
|
||||
}
|
||||
}
|
||||
s.Values[constants.SessionRedirect] = redirectUrl
|
||||
err = s.Save(r, rw)
|
||||
if err != nil {
|
||||
a.log.WithError(err).Warning("failed to save session before redirect")
|
||||
}
|
||||
|
||||
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
|
||||
http.Redirect(rw, r, authUrl, http.StatusFound)
|
||||
}
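Review bot: In `redirectToStart`, the forward_domain check `strings.HasSuffix(r.URL.Hostname(), dom)` accepts any host whose name merely ends with the cookie domain's characters, so a constructed example like `notexample.com` would pass for `example.com`; compare on a label boundary instead, `host == dom || strings.HasSuffix(host, "."+dom)`. The session-decode guard is inverted: `if err == nil {` logs a warning carrying a nil error on success and stays silent on a real failure, so it should read `if err != nil {`. The copy `u` has its Host overwritten for proxy and forward_single mode, but the string `redirectUrl` is what gets stored under `constants.SessionRedirect` and `u` is not read again in this hunk, so the host pinning the comment describes appears to have no effect. The `url.Parse` error is discarded, so `u` can be nil when `u.Host` is assigned. It is also worth confirming that `r.URL.Hostname()` is populated here, since a server-side request URL usually carries only path and query (the host is in `r.Host`), in which case the check would clear `redirectUrl` on every forward_domain request.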
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
"""This file needs to be run from the root of the project to correctly
|
||||
import authentik. This is done by the dockerfile."""
|
||||
from json import dumps
|
||||
from sys import exit as sysexit
|
||||
from sys import stderr
|
||||
from time import sleep, time
|
||||
|
||||
|
@ -28,7 +29,7 @@ def j_print(event: str, log_level: str = "info", **kwargs):
|
|||
# Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
|
||||
if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0:
|
||||
j_print("Secret key missing, check https://goauthentik.io/docs/installation/.")
|
||||
exit(1)
|
||||
sysexit(1)
|
||||
|
||||
|
||||
while True:
|
||||
|
|