From 1a199eb9f57947d553fc36fdea798acae8849fe2 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Fri, 28 Mar 2025 13:04:25 -0600
Subject: [PATCH] authenticate: remove /.pomerium/callback handler (#5553)

---
 authenticate/handlers.go | 51 -----------------------------------
 authenticate/handlers_test.go | 8 ------
 authenticate/middleware.go | 11 --------
 3 files changed, 70 deletions(-)

diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index fe99d5c29..3b513cc50 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -117,9 +117,6 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 handlers.DeviceEnrolled(a.getUserInfoData(r)).ServeHTTP(w, r)
 return nil
 }))
-
- cr := sr.PathPrefix("/callback").Subrouter()
- cr.Path("/").Handler(a.requireValidSignature(a.Callback)).Methods(http.MethodGet)
 }
 
 // RetrieveSession is the middleware used retrieve session by the sessionLoader
@@ -526,54 +523,6 @@ func (a *Authenticate) revokeSession(ctx context.Context, w http.ResponseWriter,
 return state.flow.RevokeSession(ctx, r, authenticator, sessionState)
 }
 
-// Callback handles the result of a successful call to the authenticate service
-// and is responsible setting per-route sessions.
-func (a *Authenticate) Callback(w http.ResponseWriter, r *http.Request) error {
- redirectURLString := r.FormValue(urlutil.QueryRedirectURI)
- encryptedSession := r.FormValue(urlutil.QuerySessionEncrypted)
-
- redirectURL, err := urlutil.ParseAndValidateURL(redirectURLString)
- if err != nil {
- return httputil.NewError(http.StatusBadRequest, err)
- }
-
- rawJWT, err := a.saveCallbackSession(w, r, encryptedSession)
- if err != nil {
- return httputil.NewError(http.StatusBadRequest, err)
- }
-
- // if programmatic, encode the session jwt as a query param
- if isProgrammatic := r.FormValue(urlutil.QueryIsProgrammatic); isProgrammatic == "true" {
- q := redirectURL.Query()
- q.Set(urlutil.QueryPomeriumJWT, string(rawJWT))
- redirectURL.RawQuery = q.Encode()
- }
- httputil.Redirect(w, r, redirectURL.String(), http.StatusFound)
- return nil
-}
-
-// saveCallbackSession takes an encrypted per-route session token, decrypts
-// it using the shared service key, then stores it the local session store.
-func (a *Authenticate) saveCallbackSession(w http.ResponseWriter, r *http.Request, enctoken string) ([]byte, error) {
- state := a.state.Load()
-
- // 1. extract the base64 encoded and encrypted JWT from query params
- encryptedJWT, err := base64.URLEncoding.DecodeString(enctoken)
- if err != nil {
- return nil, fmt.Errorf("proxy: malfromed callback token: %w", err)
- }
- // 2. decrypt the JWT using the cipher using the _shared_ secret key
- rawJWT, err := cryptutil.Decrypt(state.sharedCipher, encryptedJWT, nil)
- if err != nil {
- return nil, fmt.Errorf("proxy: callback token decrypt error: %w", err)
- }
- // 3.
Save the decrypted JWT to the session store directly as a string, without resigning
- if err = state.sessionStore.SaveSession(w, r, rawJWT); err != nil {
- return nil, fmt.Errorf("proxy: callback session save failure: %w", err)
- }
- return rawJWT, nil
-}
-
 func (a *Authenticate) getIdentityProviderIDForRequest(r *http.Request) string {
 if err := r.ParseForm(); err != nil {
 return ""
diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go
index b9ae56066..0588cbebe 100644
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@@ -694,14 +694,6 @@ func (m mockDataBrokerServiceClient) Put(ctx context.Context, in *databroker.Put
 return m.put(ctx, in, opts...)
 }
 
-func mustParseURL(rawurl string) *url.URL {
- u, err := url.Parse(rawurl)
- if err != nil {
- panic(err)
- }
- return u
-}
-
 // stubFlow is a stub implementation of the flow interface.
 type stubFlow struct {
 verifySignatureErr error
diff --git a/authenticate/middleware.go b/authenticate/middleware.go
index abe949212..973a28db7 100644
--- a/authenticate/middleware.go
+++ b/authenticate/middleware.go
@@ -20,14 +20,3 @@ func (a *Authenticate) requireValidSignatureOnRedirect(next httputil.HandlerFunc
 return next(w, r)
 })
 }
-
-// requireValidSignature validates the pomerium_signature.
-func (a *Authenticate) requireValidSignature(next httputil.HandlerFunc) http.Handler {
- return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
- err := a.state.Load().flow.VerifyAuthenticateSignature(r)
- if err != nil {
- return err
- }
- return next(w, r)
- })
-}