internal/sessions: make user state domain scoped

internal/sessions: session state is domain scoped internal/sessions: infer csrf cookie, route scoped proxy & authenticate: use shared cookie name proxy & authenticate: prevent resaving unchanged session proxy & authenticate: redirect instead of error for no session on login internal/config: merge cookies proxy: remove favicon specific route proxy: use mock server for tests proxy: add tests for failures
2025-06-01 18:33:19 +02:00 · 2019-05-20 19:22:22 -07:00 · 2019-05-20 19:22:22 -07:00 · 3eff6cce13
commit 3eff6cce13
parent 2eb2eb0620
12 changed files with 231 additions and 348 deletions
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@ -2,6 +2,7 @@ package proxy // import "github.com/pomerium/pomerium/proxy"

 import (
 	"encoding/base64"
+	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
@ -82,7 +83,7 @@ func TestNewReverseProxyHandler(t *testing.T) {
 func testOptions() *config.Options {
 	authenticateService, _ := url.Parse("https://authenticate.corp.beyondperimeter.com")
 	authorizeService, _ := url.Parse("https://authorize.corp.beyondperimeter.com")
-	configBlob := `[{"from":"corp.example.notatld","to":"example.notatld"}]` //valid yaml
+	configBlob := `[{"from":"corp.example.notatld","to":"example.notatld"}]`
 	policy := base64.URLEncoding.EncodeToString([]byte(configBlob))

 	opts := config.NewOptions()
@ -91,13 +92,30 @@ func testOptions() *config.Options {
 	opts.AuthorizeURL = authorizeService
 	opts.SharedKey = "80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ="
 	opts.CookieSecret = "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw="
-	opts.ProxyCookieName = "pomerium"
+	opts.CookieName = "pomerium"
 	return opts
 }

-func testOptionsWithCORS() *config.Options {
-	configBlob := `[{"from":"corp.example.com","to":"example.com","cors_allow_preflight":true}]` //valid yaml
-	opts := testOptions()
+func testOptionsTestServer(uri string) *config.Options {
+	authenticateService, _ := url.Parse("https://authenticate.corp.beyondperimeter.com")
+	authorizeService, _ := url.Parse("https://authorize.corp.beyondperimeter.com")
+	// RFC 2606
+	configBlob := fmt.Sprintf(`[{"from":"httpbin.corp.example","to":"%s"}]`, uri)
+	policy := base64.URLEncoding.EncodeToString([]byte(configBlob))
+
+	opts := config.NewOptions()
+	opts.Policy = policy
+	opts.AuthenticateURL = authenticateService
+	opts.AuthorizeURL = authorizeService
+	opts.SharedKey = "80ldlrU2d7w+wVpKNfevk6fmb8otEx6CqOfshj2LwhQ="
+	opts.CookieSecret = "OromP1gurwGWjQPYb1nNgSxtbVB5NnLzX6z5WOKr0Yw="
+	opts.CookieName = "pomerium"
+	return opts
+}
+
+func testOptionsWithCORS(uri string) *config.Options {
+	configBlob := fmt.Sprintf(`[{"from":"httpbin.corp.example","to":"%s","cors_allow_preflight":true}]`, uri)
+	opts := testOptionsTestServer(uri)
 	opts.Policy = base64.URLEncoding.EncodeToString([]byte(configBlob))
 	return opts
 }