From 74310b3de37623c43a7fc0856f44f69d492430db Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Wed, 20 Apr 2022 17:07:09 +0000
Subject: [PATCH] authorize: pass idp id for webauthn url, allow unauthenticated access to static files (#3282)
---
 authorize/check_response.go | 4 +++-
 internal/httputil/router.go | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/authorize/check_response.go b/authorize/check_response.go
index af8364ee2..95e246b6d 100644
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@@ -54,7 +54,7 @@ func (a *Authorize) handleResultDenied(
 case reasons.Has(criteria.ReasonDeviceUnauthenticated):
 // when the user's device is unauthenticated it means they haven't
 // registered a webauthn device yet, so redirect to the webauthn flow
- return a.requireWebAuthnResponse(ctx, in, result, isForwardAuthVerify)
+ return a.requireWebAuthnResponse(ctx, in, request, result, isForwardAuthVerify)
 case reasons.Has(criteria.ReasonDeviceUnauthorized):
 denyStatusCode = httputil.StatusDeviceUnauthorized
 denyStatusText = httputil.DetailsText(httputil.StatusDeviceUnauthorized)
@@ -178,6 +178,7 @@ func (a *Authorize) requireLoginResponse(
 func (a *Authorize) requireWebAuthnResponse(
 ctx context.Context,
 in *envoy_service_auth_v3.CheckRequest,
+ request *evaluator.Request,
 result *evaluator.Result,
 isForwardAuthVerify bool,
 ) (*envoy_service_auth_v3.CheckResponse, error) {
@@ -209,6 +210,7 @@ func (a *Authorize) requireWebAuthnResponse(
 q.Set(urlutil.QueryDeviceType, webauthnutil.DefaultDeviceType)
 }
 q.Set(urlutil.QueryRedirectURI, checkRequestURL.String())
+ q.Set(urlutil.QueryIdentityProviderID, opts.GetIdentityProviderForPolicy(request.Policy).GetId())
 signinURL.RawQuery = q.Encode()
 redirectTo := urlutil.NewSignedURL(state.sharedKey, signinURL).String()
 
diff --git a/internal/httputil/router.go b/internal/httputil/router.go
index d4273c751..c40cf8d1b 100644
--- a/internal/httputil/router.go
+++ b/internal/httputil/router.go
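Review bot: The added `q.Set(urlutil.QueryIdentityProviderID, opts.GetIdentityProviderForPolicy(request.Policy).GetId())` in the `@@ -209` hunk dereferences the new `request` parameter with no nil check and sets the query parameter even when the resolved id is empty. `.GetId()` looks like a protobuf getter, so a missing provider yields "" rather than a panic, but a nil `request` would panic inside the authorize service; whether `handleResultDenied` can reach this path with a nil `request` is not visible in the hunk, so either a guard or a comment on the new parameter in the `@@ -178` hunk (`// request must be non-nil; its Policy selects the identity provider for the webauthn sign-in URL`) is warranted. Consider `if id := opts.GetIdentityProviderForPolicy(request.Policy).GetId(); id != "" { q.Set(urlutil.QueryIdentityProviderID, id) }` so the sign-in endpoint never receives an empty idp id. The parameter is added before `urlutil.NewSignedURL(state.sharedKey, signinURL)` signs the URL, so it is covered by the signature, which is the correct ordering. `requireWebAuthnResponse`'s body starts and ends outside the hunk, and where `opts` is assigned is not shown.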
@@ -39,5 +39,6 @@ func DashboardSubrouter(parent *mux.Router) *mux.Router {
 return ui.ServeFile(w, r, fileName)
 }))
 }
- return r
+ // return a new subrouter so any middleware doesn't get added to the static files
+ return r.NewRoute().Subrouter()
 }
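Review bot: The comment above the new `return r.NewRoute().Subrouter()` explains the mechanism but not the invariant callers now depend on: middleware the caller attaches to the returned subrouter (the authentication check, per the commit title) no longer covers the static-file routes registered on `r` above it, so anything registered on `r` directly is served unauthenticated. That should be stated where someone adding a route would see it, e.g. `// Routes registered on r itself (the static file handlers above) bypass any middleware the caller attaches to the returned subrouter; register handlers that need authentication on the returned subrouter, never on r.` The `DashboardSubrouter` doc comment, which sits above this hunk, should carry the same statement. With no middleware in front of it, `ui.ServeFile(w, r, fileName)` is now the only check on those paths; how `fileName` is derived and validated is outside the hunk and worth confirming in the same review.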