authorize: support X-Pomerium-Authorization in addition to Authorization (#2780)

* authorize: support X-Pomerium-Authorization in addition to Authorization * tangentental correction Co-authored-by: alexfornuto <alex@fornuto.com>
2025-07-29 14:39:40 +02:00 · 2021-11-29 12:19:14 -07:00 · 2021-11-29 12:19:14 -07:00 · a8b76bd623
commit a8b76bd623
parent 88c5eeba45
11 changed files with 101 additions and 42 deletions
--- a/internal/sessions/header/header_store.go
+++ b/internal/sessions/header/header_store.go
@ -7,22 +7,16 @@ import (
 	"strings"

 	"github.com/pomerium/pomerium/internal/encoding"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 )

 var _ sessions.SessionLoader = &Store{}

-const (
-	defaultAuthHeader = "Authorization"
-	defaultAuthType   = "Bearer"
-)
-
 // Store implements the load session store interface using http
 // authorization headers.
 type Store struct {
-	authHeader string
-	authType   string
-	encoder    encoding.Unmarshaler
+	encoder encoding.Unmarshaler
 }

 // NewStore returns a new header store for loading sessions from
@ -30,38 +24,38 @@ type Store struct {
 //
 // NOTA BENE: While most servers do not log Authorization headers by default,
 // you should ensure no other services are logging or leaking your auth headers.
-func NewStore(enc encoding.Unmarshaler, headerType string) *Store {
-	if headerType == "" {
-		headerType = defaultAuthType
-	}
+func NewStore(enc encoding.Unmarshaler) *Store {
 	return &Store{
-		authHeader: defaultAuthHeader,
-		authType:   headerType,
-		encoder:    enc,
+		encoder: enc,
 	}
 }

 // LoadSession tries to retrieve the token string from the Authorization header.
 func (as *Store) LoadSession(r *http.Request) (string, error) {
-	jwt := TokenFromHeader(r, as.authHeader, as.authType)
+	jwt := TokenFromHeaders(r)
 	if jwt == "" {
 		return "", sessions.ErrNoSessionFound
 	}
 	return jwt, nil
 }

-// TokenFromHeader retrieves the value of the authorization header from a given
-// request, header key, and authentication type.
-func TokenFromHeader(r *http.Request, authHeader, authType string) string {
-	bearer := r.Header.Get(authHeader)
+// TokenFromHeaders retrieves the value of the authorization header(s) from a given
+// request and authentication type.
+func TokenFromHeaders(r *http.Request) string {
+	// X-Pomerium-Authorization: <JWT>
+	if jwt := r.Header.Get(httputil.HeaderPomeriumAuthorization); jwt != "" {
+		return jwt
+	}
+
+	bearer := r.Header.Get(httputil.HeaderAuthorization)
 	// Authorization: Pomerium <JWT>
-	prefix := authType + " "
+	prefix := httputil.AuthorizationTypePomerium + " "
 	if strings.HasPrefix(bearer, prefix) {
 		return bearer[len(prefix):]
 	}

 	// Authorization: Bearer Pomerium-<JWT>
-	prefix = "Bearer " + authType + "-"
+	prefix = "Bearer " + httputil.AuthorizationTypePomerium + "-"
 	if strings.HasPrefix(bearer, prefix) {
 		return bearer[len(prefix):]
 	}