From f6b144a0fa0b8100d54133edf65f27609b012d75 Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Sun, 6 Aug 2023 01:18:20 +0200
Subject: [PATCH] providers/proxy: only intercept auth header when a value is
 set (#6488)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 .../proxyv2/application/mode_common.go        | 41 +++++++++++--------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 883686032..d2eac42cb 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -13,6 +13,30 @@ import (
 	"goauthentik.io/internal/constants"
 )
 
+// Attempt to set basic auth based on user's attributes
+func (a *Application) setAuthorizationHeader(headers http.Header, c *Claims) {
+	if !*a.proxyConfig.BasicAuthEnabled {
+		return
+	}
+	userAttributes := c.Proxy.UserAttributes
+	var ok bool
+	var password string
+	if password, ok = userAttributes[*a.proxyConfig.BasicAuthPasswordAttribute].(string); !ok {
+		password = ""
+	}
+	// Check if we should use email or a custom attribute as username
+	var username string
+	if username, ok = userAttributes[*a.proxyConfig.BasicAuthUserAttribute].(string); !ok {
+		username = c.Email
+	}
+	if username == "" && password == "" {
+		return
+	}
+	authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
+	a.log.WithField("username", username).Trace("setting http basic auth")
+	headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
+}
+
 func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	// https://goauthentik.io/docs/providers/proxy/proxy
 	headers.Set("X-authentik-username", c.PreferredUsername)
@@ -33,22 +57,7 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 		return
 	}
 	userAttributes := c.Proxy.UserAttributes
-	// Attempt to set basic auth based on user's attributes
-	if *a.proxyConfig.BasicAuthEnabled {
-		var ok bool
-		var password string
-		if password, ok = userAttributes[*a.proxyConfig.BasicAuthPasswordAttribute].(string); !ok {
-			password = ""
-		}
-		// Check if we should use email or a custom attribute as username
-		var username string
-		if username, ok = userAttributes[*a.proxyConfig.BasicAuthUserAttribute].(string); !ok {
-			username = c.Email
-		}
-		authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
-		a.log.WithField("username", username).Trace("setting http basic auth")
-		headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
-	}
+	a.setAuthorizationHeader(headers, c)
 	// Check if user has additional headers set that we should sent
 	if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
 		a.log.WithField("headers", additionalHeaders).Trace("setting additional headers")