From 664fb8b0eaffa80f59218fa1a1cc6906f9cdb132 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone
Date: Wed, 18 Sep 2019 12:47:30 -0700
Subject: [PATCH] proxy: remove csrf checks from proxied routes

Signed-off-by: Bobby DeSimone
---
 proxy/handlers.go | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/proxy/handlers.go b/proxy/handlers.go
index c7d4df5ec..7d53c093b 100644
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@@ -25,21 +25,24 @@ func (p *Proxy) Handler() http.Handler {
 _, ok := p.routeConfigs[host]
 return ok
 }))
- r.Use(csrf.Protect(
+ r.HandleFunc("/robots.txt", p.RobotsTxt)
+ // requires authN not authZ
+ r.Use(sessions.RetrieveSession(p.sessionStore))
+ r.Use(p.VerifySession)
+ // Proxy service endpoints
+ v := r.PathPrefix("/.pomerium").Subrouter()
+ v.Use(csrf.Protect(
 p.cookieSecret,
 csrf.Path("/"),
 csrf.Domain(p.cookieDomain),
 csrf.CookieName(fmt.Sprintf("%s_csrf", p.cookieName)),
 csrf.ErrorHandler(http.HandlerFunc(httputil.CSRFFailureHandler)),
 ))
- r.HandleFunc("/robots.txt", p.RobotsTxt)
- // requires authN not authZ
- r.Use(sessions.RetrieveSession(p.sessionStore))
- r.Use(p.VerifySession)
- r.HandleFunc("/.pomerium/", p.UserDashboard).Methods(http.MethodGet)
- r.HandleFunc("/.pomerium/impersonate", p.Impersonate).Methods(http.MethodPost)
- r.HandleFunc("/.pomerium/sign_out", p.SignOut).Methods(http.MethodGet, http.MethodPost)
- r.HandleFunc("/.pomerium/refresh", p.ForceRefresh).Methods(http.MethodPost)
+ v.HandleFunc("/", p.UserDashboard).Methods(http.MethodGet)
+ v.HandleFunc("/impersonate", p.Impersonate).Methods(http.MethodPost)
+ v.HandleFunc("/sign_out", p.SignOut).Methods(http.MethodGet, http.MethodPost)
+ v.HandleFunc("/refresh", p.ForceRefresh).Methods(http.MethodPost)
+ r.PathPrefix("/").HandlerFunc(p.Proxy)
 return r
 }
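Review bot: The catch-all `r.PathPrefix("/").HandlerFunc(p.Proxy)` added at the end of the hunk is the route that now runs without csrf.Protect, and nothing in the code records that this is deliberate; a comment above it such as `// Proxied routes are intentionally outside csrf.Protect: CSRF defence for upstream apps is the upstream's responsibility, only /.pomerium keeps it` would stop a later reader from re-adding the middleware or assuming it still applies. With gorilla/mux, a `/.pomerium/...` path that matches none of the four routes registered on `v` appears to fall through the subrouter to this catch-all and be forwarded upstream instead of answered 404 — worth confirming, and if so a terminal `v.PathPrefix("/").Handler(http.NotFoundHandler())` keeps unknown dashboard paths inside the CSRF-protected subrouter. The body of Handler begins before the hunk.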