kubernetes apiserver integration (#1063)

* sessions: support bearer tokens in authorization * wip * remove dead code * refactor signed jwt code * use function * update per comments * fix test
2025-08-03 08:50:42 +02:00 · 2020-07-14 08:33:24 -06:00 · 2020-07-14 08:33:24 -06:00 · a70254ab76
commit a70254ab76
parent 5f6a67e6eb
10 changed files with 140 additions and 57 deletions
--- a/internal/sessions/header/header_store.go
+++ b/internal/sessions/header/header_store.go
@ -54,9 +54,17 @@ func (as *Store) LoadSession(r *http.Request) (string, error) {
 // request, header key, and authentication type.
 func TokenFromHeader(r *http.Request, authHeader, authType string) string {
 	bearer := r.Header.Get(authHeader)
-	atSize := len(authType)
-	if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], authType) {
-		return bearer[atSize+1:]
+	// Authorization: Pomerium <JWT>
+	prefix := authType + " "
+	if strings.HasPrefix(bearer, prefix) {
+		return bearer[len(prefix):]
 	}
+
+	// Authorization: Bearer Pomerium-<JWT>
+	prefix = "Bearer " + authType + "-"
+	if strings.HasPrefix(bearer, prefix) {
+		return bearer[len(prefix):]
+	}
+
 	return ""
 }
--- a/internal/sessions/header/header_store_test.go
+++ b/internal/sessions/header/header_store_test.go
@ -0,0 +1,23 @@
+package header
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTokenFromHeader(t *testing.T) {
+	t.Run("pomerium type", func(t *testing.T) {
+		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
+		r.Header.Set("Authorization", "Pomerium JWT")
+		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		assert.Equal(t, "JWT", v)
+	})
+	t.Run("bearer type", func(t *testing.T) {
+		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
+		r.Header.Set("Authorization", "Bearer Pomerium-JWT")
+		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		assert.Equal(t, "JWT", v)
+	})
+}