Add SKIP_PROVIDER_BUTTON env

2025-05-31 01:47:33 +02:00 · 2019-01-15 20:20:00 -08:00 · 2019-01-15 20:20:00 -08:00 · 356aa33970
commit 356aa33970
parent 44527662fd
2 changed files with 42 additions and 18 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -53,6 +53,7 @@ type Options struct {
 	Provider           string   `envconfig:"IDP_PROVIDER"`      //Provider name e.g. "oidc","okta","google",etc
 	ProviderURL        string   `envconfig:"IDP_PROVIDER_URL"`
 	Scopes             []string `envconfig:"IDP_SCOPE" default:"openid,email,profile"`
 	SkipProviderButton bool     `envconfig:"SKIP_PROVIDER_BUTTON"`
 }
 // OptionsFromEnvConfig builds the authentication service's configuration
@ -122,6 +123,8 @@ type Authenticate struct {
 	sessionStore sessions.SessionStore
 	cipher       cryptutil.Cipher
 	skipProviderButton bool
 	provider providers.Provider
 }
@ -169,6 +172,7 @@ func New(opts *Options, optionFuncs ...func(*Authenticate) error) (*Authenticate
 		csrfStore:          cookieStore,
 		sessionStore:       cookieStore,
 		cipher:             cipher,
 		skipProviderButton: opts.SkipProviderButton,
 	}
 	// p.ServeMux = p.Handler()
 	p.provider, err = newProvider(opts)
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -191,11 +191,19 @@ func (p *Authenticate) SignIn(rw http.ResponseWriter, req *http.Request) {
 		p.ProxyOAuthRedirect(rw, req, session)
 	case http.ErrNoCookie:
 		log.Error().Err(err).Msg("authenticate.SignIn : err no cookie")
 		if p.skipProviderButton {
 			p.skipButtonOAuthStart(rw, req)
 		} else {
 			p.SignInPage(rw, req)
 		}
 	case sessions.ErrLifetimeExpired, sessions.ErrInvalidSession:
 		log.Error().Err(err).Msg("authenticate.SignIn : invalid cookie cookie")
 		p.sessionStore.ClearSession(rw, req)
 		if p.skipProviderButton {
 			p.skipButtonOAuthStart(rw, req)
 		} else {
 			p.SignInPage(rw, req)
 		}
 	default:
 		log.Error().Err(err).Msg("authenticate.SignIn : unknown error cookie")
 		httputil.ErrorResponse(rw, req, err.Error(), httputil.CodeForError(err))
@ -338,12 +346,24 @@ func (p *Authenticate) SignOutPage(rw http.ResponseWriter, req *http.Request, me
 // OAuthStart starts the authentication process by redirecting to the provider. It provides a
 // `redirectURI`, allowing the provider to redirect back to the sso proxy after authentication.
 func (p *Authenticate) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 	authRedirectURL, err := url.Parse(req.URL.Query().Get("redirect_uri"))
 	if err == nil {
 		httputil.ErrorResponse(rw, req, "Invalid redirect parameter", http.StatusBadRequest)
 		return
 	}
 	p.helperOAuthStart(rw, req, authRedirectURL)
 }
 func (p *Authenticate) skipButtonOAuthStart(rw http.ResponseWriter, req *http.Request) {
 	p.helperOAuthStart(rw, req, p.RedirectURL.ResolveReference(req.URL))
 }
 func (p *Authenticate) helperOAuthStart(rw http.ResponseWriter, req *http.Request, authRedirectURL *url.URL) {
 	nonce := fmt.Sprintf("%x", cryptutil.GenerateKey())
 	p.csrfStore.SetCSRF(rw, req, nonce)
-	authRedirectURL, err := url.Parse(req.URL.Query().Get("redirect_uri"))
+	if !validRedirectURI(authRedirectURL.String(), p.ProxyRootDomains) {
 	if err != nil || !validRedirectURI(authRedirectURL.String(), p.ProxyRootDomains) {
 		httputil.ErrorResponse(rw, req, "Invalid redirect parameter", http.StatusBadRequest)
 		return
 	}