From dc7ffba8fac7db28e91375423094a7f2ba9767d5 Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Mon, 13 Nov 2023 17:39:40 +0100
Subject: [PATCH] internal: remove special route for /outpost.goauthentik.io
 (#7539)

With this special route for outpost.goauthentik.io, misdirected requests to /outpost.goauthentik.io/auth/start will create a cookie for the domain authentik is accessed under, which will cause issues with the actual full auth flow. Requests to /outpost.goauthentik.io will still be routed to the outpost, but with this change only when the hostname matches

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 .../proxyv2/application/application.go        |  5 +++-
 internal/outpost/proxyv2/proxyv2.go           |  2 +-
 internal/web/proxy.go                         | 26 +++++--------------
 3 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index dc3a87950..03dc4289d 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -235,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
 	return *a.proxyConfig.Mode
 }
 
-func (a *Application) HasQuerySignature(r *http.Request) bool {
+func (a *Application) ShouldHandleURL(r *http.Request) bool {
+	if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
+		return true
+	}
 	if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
 		return true
 	}
diff --git a/internal/outpost/proxyv2/proxyv2.go b/internal/outpost/proxyv2/proxyv2.go
index 70364957f..cd0129038 100644
--- a/internal/outpost/proxyv2/proxyv2.go
+++ b/internal/outpost/proxyv2/proxyv2.go
@@ -74,7 +74,7 @@ func (ps *ProxyServer) HandleHost(rw http.ResponseWriter, r *http.Request) bool
 	if a == nil {
 		return false
 	}
-	if a.HasQuerySignature(r) || a.Mode() == api.PROXYMODE_PROXY {
+	if a.ShouldHandleURL(r) || a.Mode() == api.PROXYMODE_PROXY {
 		a.ServeHTTP(rw, r)
 		return true
 	}
diff --git a/internal/web/proxy.go b/internal/web/proxy.go
index c1e38a397..56f81a072 100644
--- a/internal/web/proxy.go
+++ b/internal/web/proxy.go
@@ -32,18 +32,6 @@ func (ws *WebServer) configureProxy() {
 	}
 	rp.ErrorHandler = ws.proxyErrorHandler
 	rp.ModifyResponse = ws.proxyModifyResponse
-	ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		if ws.ProxyServer != nil {
-			before := time.Now()
-			ws.ProxyServer.Handle(rw, r)
-			elapsed := time.Since(before)
-			Requests.With(prometheus.Labels{
-				"dest": "embedded_outpost",
-			}).Observe(float64(elapsed) / float64(time.Second))
-			return
-		}
-		ws.proxyErrorHandler(rw, r, errors.New("proxy not running"))
-	})
 	ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
 		rw.WriteHeader(204)
 	}))
@@ -53,14 +41,12 @@ func (ws *WebServer) configureProxy() {
 			return
 		}
 		before := time.Now()
-		if ws.ProxyServer != nil {
-			if ws.ProxyServer.HandleHost(rw, r) {
-				elapsed := time.Since(before)
-				Requests.With(prometheus.Labels{
-					"dest": "embedded_outpost",
-				}).Observe(float64(elapsed) / float64(time.Second))
-				return
-			}
+		if ws.ProxyServer != nil && ws.ProxyServer.HandleHost(rw, r) {
+			elapsed := time.Since(before)
+			Requests.With(prometheus.Labels{
+				"dest": "embedded_outpost",
+			}).Observe(float64(elapsed) / float64(time.Second))
+			return
 		}
 		elapsed := time.Since(before)
 		Requests.With(prometheus.Labels{