package application import ( "fmt" "net/http" "goauthentik.io/internal/outpost/proxyv2/constants" ) const HeaderAuthorization = "Authorization" const AuthBearer = "Bearer " // checkAuth Get claims which are currently in session // Returns an error if the session can't be loaded or the claims can't be parsed/type-cast func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) { s, _ := a.sessions.Get(r, constants.SessionName) c := a.getClaimsFromSession(r) if c != nil { return c, nil } if rw == nil { return nil, fmt.Errorf("no response writer") } // Check bearer token if set bearer := a.checkAuthHeaderBearer(r) if bearer != "" { a.log.Trace("checking bearer token") tc := a.attemptBearerAuth(r, bearer) if tc != nil { s.Values[constants.SessionClaims] = tc.Claims err := s.Save(r, rw) if err != nil { return nil, err } r.Header.Del(HeaderAuthorization) return &tc.Claims, nil } a.log.Trace("no/invalid bearer token") } // Check basic auth if set username, password, basicSet := r.BasicAuth() if basicSet { a.log.Trace("checking basic auth") tc := a.attemptBasicAuth(username, password) if tc != nil { s.Values[constants.SessionClaims] = *tc err := s.Save(r, rw) if err != nil { return nil, err } r.Header.Del(HeaderAuthorization) return tc, nil } a.log.Trace("no/invalid basic auth") } return nil, fmt.Errorf("failed to get claims from session") } func (a *Application) getClaimsFromSession(r *http.Request) *Claims { s, err := a.sessions.Get(r, constants.SessionName) if err != nil { // err == user has no session/session is not valid, reject return nil } claims, ok := s.Values[constants.SessionClaims] if claims == nil || !ok { // no claims saved, reject return nil } c, ok := claims.(Claims) if !ok { return nil } return &c }