proxy: remove csrf checks from proxied routes

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-05-22 13:37:19 +02:00 · 2019-09-18 12:47:30 -07:00 · 2019-09-18 12:47:30 -07:00 · 664fb8b0ea
commit 664fb8b0ea
parent 923dca3fe1
1 changed files with 12 additions and 9 deletions
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@ -25,21 +25,24 @@ func (p *Proxy) Handler() http.Handler {
 		_, ok := p.routeConfigs[host]
 		return ok
 	}))
-	r.Use(csrf.Protect(
+	r.HandleFunc("/robots.txt", p.RobotsTxt)
 	// requires authN not authZ
 	r.Use(sessions.RetrieveSession(p.sessionStore))
 	r.Use(p.VerifySession)
 	// Proxy service endpoints
 	v := r.PathPrefix("/.pomerium").Subrouter()
 	v.Use(csrf.Protect(
 		p.cookieSecret,
 		csrf.Path("/"),
 		csrf.Domain(p.cookieDomain),
 		csrf.CookieName(fmt.Sprintf("%s_csrf", p.cookieName)),
 		csrf.ErrorHandler(http.HandlerFunc(httputil.CSRFFailureHandler)),
 	))
-	r.HandleFunc("/robots.txt", p.RobotsTxt)
+	v.HandleFunc("/", p.UserDashboard).Methods(http.MethodGet)
-	// requires authN not authZ
+	v.HandleFunc("/impersonate", p.Impersonate).Methods(http.MethodPost)
-	r.Use(sessions.RetrieveSession(p.sessionStore))
+	v.HandleFunc("/sign_out", p.SignOut).Methods(http.MethodGet, http.MethodPost)
-	r.Use(p.VerifySession)
+	v.HandleFunc("/refresh", p.ForceRefresh).Methods(http.MethodPost)
-	r.HandleFunc("/.pomerium/", p.UserDashboard).Methods(http.MethodGet)
+
 	r.HandleFunc("/.pomerium/impersonate", p.Impersonate).Methods(http.MethodPost)
 	r.HandleFunc("/.pomerium/sign_out", p.SignOut).Methods(http.MethodGet, http.MethodPost)
 	r.HandleFunc("/.pomerium/refresh", p.ForceRefresh).Methods(http.MethodPost)
 	r.PathPrefix("/").HandlerFunc(p.Proxy)
 	return r
 }