mcp: fix authorization header removal (#5719)

## Summary

Remove the Authorization header from requests forwarded to the MCP server upstream.

## Related issues

Fix https://github.com/pomerium/pomerium/issues/5718

## User Explanation

<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
Denis Mishin 2025-07-10 17:37:07 -07:00 committed by GitHub
parent 28da6dc174
commit 8fa26c63f5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 27 additions and 8 deletions


@ -75,7 +75,7 @@ func (a *Authorize) handleResultAllowed(
_ *envoy_service_auth_v3.CheckRequest,
result *evaluator.Result,
) (*envoy_service_auth_v3.CheckResponse, error) {
return a.okResponse(result.Headers), nil
return a.okResponse(result.Headers, result.HeadersToRemove), nil
}
func (a *Authorize) handleResultDenied(
@ -115,12 +115,13 @@ func invalidClientCertReason(reasons criteria.Reasons) bool {
reasons.Has(criteria.ReasonInvalidClientCertificate)
}
func (a *Authorize) okResponse(headers http.Header) *envoy_service_auth_v3.CheckResponse {
func (a *Authorize) okResponse(headersToSet http.Header, headersToRemove []string) *envoy_service_auth_v3.CheckResponse {
return &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.OK), Message: "OK"},
HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v3.OkHttpResponse{
Headers: toEnvoyHeaders(headers),
Headers: toEnvoyHeaders(headersToSet),
HeadersToRemove: headersToRemove,
},
},
}
@ -298,7 +299,7 @@ func (a *Authorize) requireWebAuthnResponse(
// If we're already on a webauthn route, return OK.
// https://github.com/pomerium/pomerium-console/issues/3210
if checkRequestURL.Path == urlutil.WebAuthnURLPath || checkRequestURL.Path == urlutil.DeviceEnrolledPath {
return a.okResponse(result.Headers), nil
return a.okResponse(result.Headers, result.HeadersToRemove), nil
}
if !a.shouldRedirect(in, request) {
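Review bot: The new `okResponse` signature in the second hunk (`@ -115,12 +115,13 @@`) has no doc comment saying what the two parameters do or that `HeadersToRemove` only takes effect on an allow response, which matters now that it carries a security control (stripping the client's `Authorization` header before the request reaches the MCP upstream). I would add above the signature: `// okResponse builds the allow CheckResponse: headersToSet is applied to the upstream request, and headersToRemove names request headers Envoy strips before forwarding upstream; both live in OkHttpResponse, so denied and redirect paths never carry them.` It is also worth one sentence on precedence: if a route's request-header settings ever put the same name in both `headersToSet` and `headersToRemove`, which one wins depends on the order in which Envoy applies the two lists, which I have not verified here, so confirm it and document it rather than rely on it. The same call-site change appears in the first and third hunks; `okResponse`'s closing brace and the body of `requireWebAuthnResponse` extend outside the hunks.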