authorize: support X-Pomerium-Authorization in addition to Authorization (#2780)

* authorize: support X-Pomerium-Authorization in addition to Authorization

* tangentental correction

Co-authored-by: alexfornuto <alex@fornuto.com>

internal/sessions/header/header_store.go

@@ -7,22 +7,16 @@ import (
 	"strings"
 
 	"github.com/pomerium/pomerium/internal/encoding"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 )
 
 var _ sessions.SessionLoader = &Store{}
 
-const (
-	defaultAuthHeader = "Authorization"
-	defaultAuthType   = "Bearer"
-)
-
 // Store implements the load session store interface using http
 // authorization headers.
 type Store struct {
-	authHeader string
-	authType   string
-	encoder    encoding.Unmarshaler
+	encoder encoding.Unmarshaler
 }
 
 // NewStore returns a new header store for loading sessions from
@@ -30,38 +24,38 @@ type Store struct {
 //
 // NOTA BENE: While most servers do not log Authorization headers by default,
 // you should ensure no other services are logging or leaking your auth headers.
-func NewStore(enc encoding.Unmarshaler, headerType string) *Store {
-	if headerType == "" {
-		headerType = defaultAuthType
-	}
+func NewStore(enc encoding.Unmarshaler) *Store {
 	return &Store{
-		authHeader: defaultAuthHeader,
-		authType:   headerType,
-		encoder:    enc,
+		encoder: enc,
 	}
 }
 
 // LoadSession tries to retrieve the token string from the Authorization header.
 func (as *Store) LoadSession(r *http.Request) (string, error) {
-	jwt := TokenFromHeader(r, as.authHeader, as.authType)
+	jwt := TokenFromHeaders(r)
 	if jwt == "" {
 		return "", sessions.ErrNoSessionFound
 	}
 	return jwt, nil
 }
 
-// TokenFromHeader retrieves the value of the authorization header from a given
-// request, header key, and authentication type.
-func TokenFromHeader(r *http.Request, authHeader, authType string) string {
-	bearer := r.Header.Get(authHeader)
+// TokenFromHeaders retrieves the value of the authorization header(s) from a given
+// request and authentication type.
+func TokenFromHeaders(r *http.Request) string {
+	// X-Pomerium-Authorization: <JWT>
+	if jwt := r.Header.Get(httputil.HeaderPomeriumAuthorization); jwt != "" {
+		return jwt
+	}
+
+	bearer := r.Header.Get(httputil.HeaderAuthorization)
 	// Authorization: Pomerium <JWT>
-	prefix := authType + " "
+	prefix := httputil.AuthorizationTypePomerium + " "
 	if strings.HasPrefix(bearer, prefix) {
 		return bearer[len(prefix):]
 	}
 
 	// Authorization: Bearer Pomerium-<JWT>
-	prefix = "Bearer " + authType + "-"
+	prefix = "Bearer " + httputil.AuthorizationTypePomerium + "-"
 	if strings.HasPrefix(bearer, prefix) {
 		return bearer[len(prefix):]
 	}

internal/sessions/header/header_store_test.go

@@ -8,16 +8,22 @@ import (
 )
 
 func TestTokenFromHeader(t *testing.T) {
+	t.Run("pomerium header", func(t *testing.T) {
+		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
+		r.Header.Set("X-Pomerium-Authorization", "JWT")
+		v := TokenFromHeaders(r)
+		assert.Equal(t, "JWT", v)
+	})
 	t.Run("pomerium type", func(t *testing.T) {
 		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
 		r.Header.Set("Authorization", "Pomerium JWT")
-		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		v := TokenFromHeaders(r)
 		assert.Equal(t, "JWT", v)
 	})
 	t.Run("bearer type", func(t *testing.T) {
 		r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
 		r.Header.Set("Authorization", "Bearer Pomerium-JWT")
-		v := TokenFromHeader(r, "Authorization", "Pomerium")
+		v := TokenFromHeaders(r)
 		assert.Equal(t, "JWT", v)
 	})
 }

internal/sessions/header/middleware_test.go

@@ -41,9 +41,27 @@ func TestVerifier(t *testing.T) {
 		wantBody   string
 		wantStatus int
 	}{
-		{"good auth header session", "Bearer ", sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, http.StatusText(http.StatusOK), http.StatusOK},
-		{"empty auth header", "Bearer ", sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
-		{"bad auth type", "bees ", sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
+		{
+			"good auth header session",
+			"Pomerium ",
+			sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))},
+			http.StatusText(http.StatusOK),
+			http.StatusOK,
+		},
+		{
+			"empty auth header",
+			"Pomerium ",
+			sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))},
+			"internal/sessions: session is not found\n",
+			http.StatusUnauthorized,
+		},
+		{
+			"bad auth type",
+			"bees ",
+			sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))},
+			"internal/sessions: session is not found\n",
+			http.StatusUnauthorized,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -60,7 +78,7 @@ func TestVerifier(t *testing.T) {
 				// add some garbage to the end of the string
 				encSession = append(encSession, cryptutil.NewKey()...)
 			}
-			s := NewStore(encoder, "")
+			s := NewStore(encoder)
 
 			r := httptest.NewRequest(http.MethodGet, "/", nil)
 			r.Header.Set("Accept", "application/json")
@@ -77,10 +95,10 @@ func TestVerifier(t *testing.T) {
 			gotBody := w.Body.String()
 			gotStatus := w.Result().StatusCode
 
-			if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
+			if diff := cmp.Diff(tt.wantBody, gotBody); diff != "" {
 				t.Errorf("RetrieveSession() = %v", diff)
 			}
-			if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
+			if diff := cmp.Diff(tt.wantStatus, gotStatus); diff != "" {
 				t.Errorf("RetrieveSession() = %v", diff)
 			}
 		})