authorize: allow access to /.pomerium/webauthn when policy denies access

This commit is contained in:
Caleb Doxsey 2023-02-24 15:58:48 -07:00
parent 88915a79c1
commit 2d194e728b
6 changed files with 55 additions and 11 deletions


@ -226,14 +226,20 @@ func (a *Authorize) requireWebAuthnResponse(
opts := a.currentOptions.Load()
state := a.state.Load()
if !a.shouldRedirect(in) {
return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
}
// always assume https scheme
checkRequestURL := getCheckRequestURL(in)
checkRequestURL.Scheme = "https"
// If we're already on a webauthn route, return OK.
// https://github.com/pomerium/pomerium-console/issues/3210
if checkRequestURL.Path == urlutil.WebAuthnURLPath || checkRequestURL.Path == urlutil.DeviceEnrolledPath {
return a.okResponse(result.Headers), nil
}
if !a.shouldRedirect(in) {
return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
}
q := url.Values{}
if deviceType, ok := result.Allow.AdditionalData["device_type"].(string); ok {
q.Set(urlutil.QueryDeviceType, deviceType)