From be13027fe0c0e287684cd8b566b4243f36e47789 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Wed, 22 Feb 2023 21:42:10 -0700
Subject: [PATCH 1/2] authenticate: don't require a session for sign_out (#4007)

authenticate: dont require a session for sign_out
---
 authenticate/handlers.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/authenticate/handlers.go b/authenticate/handlers.go
index 6067160a3..63198f626 100644
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@@ -96,11 +96,16 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 AllowedHeaders: []string{"*"},
 })
 sr.Use(c.Handler)
+
+ // routes that don't need a session:
+ sr.Path("/sign_out").Handler(httputil.HandlerFunc(a.SignOut))
+
+ // routes that need a session:
+ sr = sr.NewRoute().Subrouter()
 sr.Use(a.RetrieveSession)
 sr.Use(a.VerifySession)
 sr.Path("/").Handler(a.requireValidSignatureOnRedirect(a.userInfo))
 sr.Path("/sign_in").Handler(httputil.HandlerFunc(a.SignIn))
- sr.Path("/sign_out").Handler(httputil.HandlerFunc(a.SignOut))
 sr.Path("/device-enrolled").Handler(httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
 userInfoData, err := a.getUserInfoData(r)
 if err != nil {
From df54a0c603f8295b92dc584e93640701f1ac860f Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Thu, 23 Feb 2023 10:01:24 -0500
Subject: [PATCH 2/2] authenticate: fix callback handler for split mode (#4008)

fix auth handler for split mode
---
 config/envoyconfig/routes.go | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index b638ca9d2..15d9f7936 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
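Review bot: `SignOut` now runs without `RetrieveSession`/`VerifySession` in front of it, so it must not rely on anything those middlewares attach to the request, and if it honors a redirect parameter that validation has to live inside the handler itself, since the comparable `/` route sits on the session-protected subrouter behind `requireValidSignatureOnRedirect`; the handler is not in this hunk, so this is worth confirming. The added comment should also record why the route is exempt, e.g. `// routes that don't need a session: sign_out must work even when the session cookie is missing, expired or invalid, so a user can always clear local state`. Note that `sr.Use(c.Handler)` above should still cover the new subrouter because it hangs off `sr`, while the two session middlewares now apply only to routes registered after `sr = sr.NewRoute().Subrouter()`. mountDashboard begins and ends outside the hunk.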
@@ -74,21 +74,38 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
 routes = append(routes, b.buildControlPlanePathRoute("/robots.txt", false))
 }
 }
- // if we're handling authentication, add the oauth2 callback url
- // as the callback url is from the IdP, it is expected only on the public authenticate URL endpoint
- authenticateURL, err := options.GetAuthenticateURL()
+
+ authRoutes, err := b.buildPomeriumAuthenticateHTTPRoutes(options, host)
 if err != nil {
 return nil, err
 }
- if config.IsAuthenticate(options.Services) && urlMatchesHost(authenticateURL, host) {
- routes = append(routes,
- b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
- b.buildControlPlanePathRoute("/", false),
- )
- }
+ routes = append(routes, authRoutes...)
 return routes, nil
 }
 
+func (b *Builder) buildPomeriumAuthenticateHTTPRoutes(options *config.Options, host string) ([]*envoy_config_route_v3.Route, error) {
+ if !config.IsAuthenticate(options.Services) {
+ return nil, nil
+ }
+
+ for _, fn := range []func() (*url.URL, error){
+ options.GetAuthenticateURL,
+ options.GetInternalAuthenticateURL,
+ } {
+ u, err := fn()
+ if err != nil {
+ return nil, err
+ }
+ if urlMatchesHost(u, host) {
+ return []*envoy_config_route_v3.Route{
+ b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
+ b.buildControlPlanePathRoute("/", false),
+ }, nil
+ }
+ }
+ return nil, nil
+}
+
 func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {
 r := &envoy_config_route_v3.Route{
 Name: "pomerium-path-" + path,
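Review bot: The new `buildPomeriumAuthenticateHTTPRoutes` has no doc comment, and the removed lines carried the only explanation of why the IdP callback path is mounted solely on the authenticate host; the check is now widened to `GetInternalAuthenticateURL` without that rationale being written down anywhere. Suggest a comment above the function such as `// buildPomeriumAuthenticateHTTPRoutes returns the authenticate-only control-plane routes (the IdP callback path and "/") when host matches the public or the internal authenticate URL, and nil otherwise.`, adding that the internal URL is included for split mode, as the commit title suggests. A caller-facing caveat belongs there too: the function deliberately returns `nil, nil` both when this instance is not running the authenticate service and when host matches neither URL, so callers must not read an empty result as an error. buildPomeriumHTTPRoutes begins before the hunk and buildControlPlanePathRoute continues past it.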