internal: remove special route for /outpost.goauthentik.io (#7539)
With this special route for outpost.goauthentik.io, misdirected requests to /outpost.goauthentik.io/auth/start will create a cookie for the domain authentik is accessed under, which will cause issues with the actual full auth flow. Requests to /outpost.goauthentik.io will still be routed to the outpost, but with this change only when the hostname matches Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
695719540b
commit
dc7ffba8fa
|
@ -235,7 +235,10 @@ func (a *Application) Mode() api.ProxyMode {
|
||||||
return *a.proxyConfig.Mode
|
return *a.proxyConfig.Mode
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) HasQuerySignature(r *http.Request) bool {
|
func (a *Application) ShouldHandleURL(r *http.Request) bool {
|
||||||
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io") {
|
||||||
|
return true
|
||||||
|
}
|
||||||
if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
|
if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -74,7 +74,7 @@ func (ps *ProxyServer) HandleHost(rw http.ResponseWriter, r *http.Request) bool
|
||||||
if a == nil {
|
if a == nil {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
if a.HasQuerySignature(r) || a.Mode() == api.PROXYMODE_PROXY {
|
if a.ShouldHandleURL(r) || a.Mode() == api.PROXYMODE_PROXY {
|
||||||
a.ServeHTTP(rw, r)
|
a.ServeHTTP(rw, r)
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -32,18 +32,6 @@ func (ws *WebServer) configureProxy() {
|
||||||
}
|
}
|
||||||
rp.ErrorHandler = ws.proxyErrorHandler
|
rp.ErrorHandler = ws.proxyErrorHandler
|
||||||
rp.ModifyResponse = ws.proxyModifyResponse
|
rp.ModifyResponse = ws.proxyModifyResponse
|
||||||
ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
||||||
if ws.ProxyServer != nil {
|
|
||||||
before := time.Now()
|
|
||||||
ws.ProxyServer.Handle(rw, r)
|
|
||||||
elapsed := time.Since(before)
|
|
||||||
Requests.With(prometheus.Labels{
|
|
||||||
"dest": "embedded_outpost",
|
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
|
||||||
return
|
|
||||||
}
|
|
||||||
ws.proxyErrorHandler(rw, r, errors.New("proxy not running"))
|
|
||||||
})
|
|
||||||
ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
|
ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
rw.WriteHeader(204)
|
rw.WriteHeader(204)
|
||||||
}))
|
}))
|
||||||
|
@ -53,15 +41,13 @@ func (ws *WebServer) configureProxy() {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
before := time.Now()
|
before := time.Now()
|
||||||
if ws.ProxyServer != nil {
|
if ws.ProxyServer != nil && ws.ProxyServer.HandleHost(rw, r) {
|
||||||
if ws.ProxyServer.HandleHost(rw, r) {
|
|
||||||
elapsed := time.Since(before)
|
elapsed := time.Since(before)
|
||||||
Requests.With(prometheus.Labels{
|
Requests.With(prometheus.Labels{
|
||||||
"dest": "embedded_outpost",
|
"dest": "embedded_outpost",
|
||||||
}).Observe(float64(elapsed) / float64(time.Second))
|
}).Observe(float64(elapsed) / float64(time.Second))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
|
||||||
elapsed := time.Since(before)
|
elapsed := time.Since(before)
|
||||||
Requests.With(prometheus.Labels{
|
Requests.With(prometheus.Labels{
|
||||||
"dest": "core",
|
"dest": "core",
|
||||||
|
|
Reference in New Issue