authorize: add support for .pomerium and unauthenticated routes (#639)

* authorize: add support for .pomerium and unauthenticated routes integration-tests: add test for forward auth dashboard urls * proxy: fix ctx error test to return a 200 when authorize allows it
2025-05-12 00:27:35 +02:00 · 2020-04-29 10:55:46 -06:00 · 2020-04-29 10:55:46 -06:00 · b1d3bbaf56
commit b1d3bbaf56
parent e5c7c5b27e
11 changed files with 158 additions and 69 deletions
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@ -117,21 +117,22 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
 		}
 		originalRequest := p.getOriginalRequest(r, uri)

-		if _, err := sessions.FromContext(r.Context()); err != nil {
-			if verifyOnly {
-				return httputil.NewError(http.StatusUnauthorized, err)
-			}
-			authN := *p.authenticateSigninURL
-			q := authN.Query()
-			q.Set(urlutil.QueryCallbackURI, uri.String())
-			q.Set(urlutil.QueryRedirectURI, uri.String())              // final destination
-			q.Set(urlutil.QueryForwardAuth, urlutil.StripPort(r.Host)) // add fwd auth to trusted audience
-			authN.RawQuery = q.Encode()
-			httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
-			return nil
-		}
-
 		if err := p.authorize(w, originalRequest); err != nil {
+			// no session, so redirect
+			if _, err := sessions.FromContext(r.Context()); err != nil {
+				if verifyOnly {
+					return httputil.NewError(http.StatusUnauthorized, err)
+				}
+				authN := *p.authenticateSigninURL
+				q := authN.Query()
+				q.Set(urlutil.QueryCallbackURI, uri.String())
+				q.Set(urlutil.QueryRedirectURI, uri.String())              // final destination
+				q.Set(urlutil.QueryForwardAuth, urlutil.StripPort(r.Host)) // add fwd auth to trusted audience
+				authN.RawQuery = q.Encode()
+				httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
+				return nil
+			}
+
 			return err
 		}