From 9821476086c60193748b42511a4cb7c1c1706ad1 Mon Sep 17 00:00:00 2001
From: Cuong Manh Le
Date: Sat, 4 Jul 2020 00:26:47 +0700
Subject: [PATCH] proxy: fix redirect url with traefik forward auth With Traefik in forward auth mode, when accessing: https://example.com/foo traefik will send a request like this to proxy: https://pomerium?uri=https://example.com The path "/foo" is passed to proxy via "X-Forwarded-Uri" instead of via query parameters. When proxy redirects request to authenticate, it only set the "pomerirum_redirect_url" to the value of "uri". So after authentication success, the user will be redirected to example.com instead of example.com/foo. If "X-Forwarded-Uri" is present, we should add it to redirect uri, so the user will be redirected to right place.
---
 proxy/forward_auth.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/proxy/forward_auth.go b/proxy/forward_auth.go
index a226a1ce0..5b64dbfa9 100644
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@@ -140,6 +140,11 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 return httputil.NewError(http.StatusUnauthorized, err)
 }
+ // Traefik set the uri in the header, we must add it to redirect uri if present. Otherwise, request like
+ // https://example.com/foo will be redirected to https://example.com after authentication.
+ if xfu := r.Header.Get(httputil.HeaderForwardedURI); xfu != "" {
+ uri.Path += xfu
+ }
 // redirect to authenticate
 authN := *p.authenticateSigninURL
 q := authN.Query()
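Review bot: `uri.Path += xfu` appends the raw `X-Forwarded-Uri` header to the path without parsing it. The header normally carries the whole request URI, so for a request like `/foo?a=b` the `?a=b` would be percent-encoded into the path when the redirect URL is serialized, rather than restored as a query string. The value also comes straight from the request, so unless the fronting proxy always overwrites the header a client can shape the post-login path. The host still comes from `uri`, which appears to be checked above the hunk, but parsing the header and copying only its path and query keeps the input constrained. The sketch below assumes `uri` is a `*url.URL` and that `net/url` is imported in this file; the enclosing handler starts and ends outside the hunk, and the diffstat shows no test covering the header case.

```go
if xfu := r.Header.Get(httputil.HeaderForwardedURI); xfu != "" {
	// Parse instead of concatenating so a query string is not folded into the path.
	fwd, err := url.ParseRequestURI(xfu)
	if err != nil {
		return httputil.NewError(http.StatusBadRequest, err)
	}
	uri.Path += fwd.Path
	if fwd.RawQuery != "" {
		uri.RawQuery = fwd.RawQuery
	}
}
// … unchanged: redirect to authenticate …
```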