authorize: allow access to /.pomerium/webauthn when policy denies access (#4015)

2025-08-04 01:09:36 +02:00 · 2023-02-27 09:49:06 -07:00 · 2023-02-27 09:49:06 -07:00 · 76a7ce3a6f
commit 76a7ce3a6f
parent 88915a79c1
6 changed files with 55 additions and 11 deletions
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@ -226,14 +226,20 @@ func (a *Authorize) requireWebAuthnResponse(
 	opts := a.currentOptions.Load()
 	state := a.state.Load()

-	if !a.shouldRedirect(in) {
-		return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
-	}
-
 	// always assume https scheme
 	checkRequestURL := getCheckRequestURL(in)
 	checkRequestURL.Scheme = "https"

+	// If we're already on a webauthn route, return OK.
+	// https://github.com/pomerium/pomerium-console/issues/3210
+	if checkRequestURL.Path == urlutil.WebAuthnURLPath || checkRequestURL.Path == urlutil.DeviceEnrolledPath {
+		return a.okResponse(result.Headers), nil
+	}
+
+	if !a.shouldRedirect(in) {
+		return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
+	}
+
 	q := url.Values{}
 	if deviceType, ok := result.Allow.AdditionalData["device_type"].(string); ok {
 		q.Set(urlutil.QueryDeviceType, deviceType)
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@ -62,6 +62,36 @@ func TestAuthorize_handleResult(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
 	})
+	t.Run("device-unauthenticated", func(t *testing.T) {
+		res, err := a.handleResult(context.Background(),
+			&envoy_service_auth_v3.CheckRequest{},
+			&evaluator.Request{},
+			&evaluator.Result{
+				Allow: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
+			})
+		assert.NoError(t, err)
+		assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
+
+		t.Run("webauthn path", func(t *testing.T) {
+			res, err := a.handleResult(context.Background(),
+				&envoy_service_auth_v3.CheckRequest{
+					Attributes: &envoy_service_auth_v3.AttributeContext{
+						Request: &envoy_service_auth_v3.AttributeContext_Request{
+							Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+								Path: "/.pomerium/webauthn",
+							},
+						},
+					},
+				},
+				&evaluator.Request{},
+				&evaluator.Result{
+					Allow: evaluator.NewRuleResult(true, criteria.ReasonPomeriumRoute),
+					Deny:  evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
+				})
+			assert.NoError(t, err)
+			assert.NotNil(t, res.GetOkResponse())
+		})
+	})
 }

 func TestAuthorize_okResponse(t *testing.T) {