core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291) * core/proxy: support loading sessions from headers and query string * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-06-12 07:42:49 +02:00 · 2024-09-19 12:03:58 -06:00 · 2024-09-19 12:03:58 -06:00 · 8b6dc27a01
commit 8b6dc27a01
parent 3dadcf1825
8 changed files with 136 additions and 104 deletions
--- a/proxy/handlers_test.go
+++ b/proxy/handlers_test.go
@ -15,7 +15,9 @@ import (

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
 )

@ -260,3 +262,78 @@ func TestProxy_registerDashboardHandlers_jwtEndpoint(t *testing.T) {
 		assert.Equal(t, rawJWT, string(b))
 	})
 }
+
+func TestLoadSessionState(t *testing.T) {
+	t.Parallel()
+
+	t.Run("no session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "window.POMERIUM_DATA")
+		assert.NotContains(t, w.Body.String(), "___SESSION_ID___")
+	})
+	t.Run("cookie session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		session := encodeSession(t, opts, &sessions.State{
+			ID: "___SESSION_ID___",
+		})
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		r.AddCookie(&http.Cookie{
+			Name:   opts.CookieName,
+			Domain: opts.CookieDomain,
+			Value:  session,
+		})
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "___SESSION_ID___")
+	})
+	t.Run("header session", func(t *testing.T) {
+		t.Parallel()
+
+		opts := testOptions(t)
+		proxy, err := New(&config.Config{Options: opts})
+		require.NoError(t, err)
+
+		session := encodeSession(t, opts, &sessions.State{
+			ID: "___SESSION_ID___",
+		})
+
+		r := httptest.NewRequest(http.MethodGet, "/.pomerium/", nil)
+		r.Header.Set("Authorization", "Bearer Pomerium-"+session)
+		w := httptest.NewRecorder()
+		proxy.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusOK, w.Code)
+		assert.Contains(t, w.Body.String(), "___SESSION_ID___")
+	})
+}
+
+func encodeSession(t *testing.T, opts *config.Options, state *sessions.State) string {
+	sharedKey, err := opts.GetSharedKey()
+	require.NoError(t, err)
+
+	encoder, err := jws.NewHS256Signer(sharedKey)
+	require.NoError(t, err)
+
+	sessionBS, err := encoder.Marshal(state)
+	require.NoError(t, err)
+
+	return string(sessionBS)
+}