authenticate: handle XHR redirect flow (#387)

- authenticate: add cors preflight check support for sign_in endpoint - internal/httputil: indicate responses that originate from pomerium vs the app - proxy: detect XHR requests and do not redirect on failure. - authenticate: removed default session duration; should be maintained out of band with rpc.
2025-05-09 23:27:43 +02:00 · 2019-11-14 19:37:31 -08:00 · 2019-11-14 19:37:31 -08:00 · 00c29f4e77
commit 00c29f4e77
parent 9030bd32cb
11 changed files with 128 additions and 35 deletions
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@ -34,25 +34,25 @@ func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateSignature")
 			defer span.End()
-
-			err := r.ParseForm()
-			if err != nil {
-				httputil.ErrorResponse(w, r, httputil.Error("couldn't parse form", http.StatusBadRequest, err))
-				return
-			}
-			redirectURI := r.Form.Get("redirect_uri")
-			sigVal := r.Form.Get("sig")
-			timestamp := r.Form.Get("ts")
-			if !ValidSignature(redirectURI, sigVal, timestamp, sharedSecret) {
+			if !ValidateRedirectURI(r, sharedSecret) {
 				httputil.ErrorResponse(w, r, httputil.Error("invalid signature", http.StatusBadRequest, nil))
 				return
 			}
-
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }

+// ValidateRedirectURI takes a request and parses `redirect_uri`, `sig`, `ts`
+// and validates the supplied signature (`sig`)'s HMAC for validity.
+func ValidateRedirectURI(r *http.Request, key string) bool {
+	return ValidSignature(
+		r.FormValue("redirect_uri"),
+		r.FormValue("sig"),
+		r.FormValue("ts"),
+		key)
+}
+
 // Healthcheck endpoint middleware useful to setting up a path like
 // `/ping` that load balancers or uptime testing external services
 // can make a request before hitting any routes. It's also convenient