authorize: only redirect for HTML pages (#2264) (#2298)

* authorize: only redirect for HTML pages * authorize: only redirect for HTML pages
2025-08-03 16:59:22 +02:00 · 2021-06-16 12:15:30 -06:00 · 2021-06-16 12:15:30 -06:00 · 88e1458404
commit 88e1458404
parent 45a9a1843c
5 changed files with 74 additions and 2 deletions
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@ -13,6 +13,7 @@ import (
 	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/golang/protobuf/ptypes/wrappers"
+	"github.com/tniswong/go.rfcx/rfc7231"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"

@ -104,7 +105,7 @@ func (a *Authorize) deniedResponse(
 	}, nil
 }

-func (a *Authorize) redirectResponse(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
+func (a *Authorize) requireLoginResponse(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
 	opts := a.currentOptions.Load()
 	state := a.state.Load()
 	authenticateURL, err := opts.GetAuthenticateURL()
@ -112,6 +113,10 @@ func (a *Authorize) redirectResponse(ctx context.Context, in *envoy_service_auth
 		return nil, err
 	}

+	if !shouldRedirect(in) {
+		return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
+	}
+
 	signinURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.pomerium/sign_in",
 	})
@ -180,3 +185,22 @@ func (a *Authorize) userInfoEndpointURL(in *envoy_service_auth_v3.CheckRequest)

 	return urlutil.NewSignedURL(a.state.Load().sharedKey, debugEndpoint).Sign(), nil
 }
+
+func shouldRedirect(in *envoy_service_auth_v3.CheckRequest) bool {
+	requestHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
+	if requestHeaders == nil {
+		return true
+	}
+
+	a, err := rfc7231.ParseAccept(requestHeaders["accept"])
+	if err != nil {
+		return true
+	}
+
+	mediaType, ok := a.MostAcceptable([]string{"text/html", "application/json", "text/plain"})
+	if !ok {
+		return true
+	}
+
+	return mediaType == "text/html"
+}
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@ -179,3 +179,48 @@ func mustParseWeightedURLs(t *testing.T, urls ...string) []config.WeightedURL {
 	require.NoError(t, err)
 	return wu
 }
+
+func TestRequireLogin(t *testing.T) {
+	opt := config.NewDefaultOptions()
+	opt.AuthenticateURLString = "https://authenticate.example.com"
+	opt.DataBrokerURLString = "https://databroker.example.com"
+	opt.SharedKey = "E8wWIMnihUx+AUfRegAQDNs8eRb3UrB5G3zlJW9XJDM="
+	a, err := New(&config.Config{Options: opt})
+	require.NoError(t, err)
+
+	t.Run("accept empty", func(t *testing.T) {
+		res, err := a.requireLoginResponse(context.Background(), &envoy_service_auth_v3.CheckRequest{})
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
+	})
+	t.Run("accept html", func(t *testing.T) {
+		res, err := a.requireLoginResponse(context.Background(), &envoy_service_auth_v3.CheckRequest{
+			Attributes: &envoy_service_auth_v3.AttributeContext{
+				Request: &envoy_service_auth_v3.AttributeContext_Request{
+					Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+						Headers: map[string]string{
+							"accept": "*/*",
+						},
+					},
+				},
+			},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
+	})
+	t.Run("accept json", func(t *testing.T) {
+		res, err := a.requireLoginResponse(context.Background(), &envoy_service_auth_v3.CheckRequest{
+			Attributes: &envoy_service_auth_v3.AttributeContext{
+				Request: &envoy_service_auth_v3.AttributeContext_Request{
+					Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+						Headers: map[string]string{
+							"accept": "application/json",
+						},
+					},
+				},
+			},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusUnauthorized, int(res.GetDeniedResponse().GetStatus().GetCode()))
+	})
+}
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -75,7 +75,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 		if isForwardAuth && hreq.URL.Path == "/verify" {
 			return a.deniedResponse(ctx, in, http.StatusUnauthorized, "Unauthenticated", nil)
 		}
-		return a.redirectResponse(ctx, in)
+		return a.requireLoginResponse(ctx, in)
 	}
 	return a.deniedResponse(ctx, in, int32(reply.Status), reply.Message, nil)
 }