3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-11 16:17:39 +02:00
Code Issues Projects Releases Packages Wiki Activity

Update JWT headers to only be in responses from forward auth endpoint (#642)

Browse source
This commit is contained in:
Travis Groth 2020-05-04 07:26:37 -04:00 committed by GitHub
parent f7ee08b05a
commit b2e3b22f14
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 96 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

7
proxy/forward_auth.go
View file

@ -19,6 +19,7 @@ func (p *Proxy) registerFwdAuthHandlers() http.Handler {
r := httputil.NewRouter()
r.StrictSlash(true)
r.Use(sessions.RetrieveSession(p.sessionStore))
r.Use(p.jwtClaimMiddleware(true))
// NGNIX's forward-auth capabilities are split across two settings:
// `auth-url` and `auth-signin` which correspond to `verify` and `auth-url`
@ -117,7 +118,8 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
}
originalRequest := p.getOriginalRequest(r, uri)
if err := p.authorize(w, originalRequest); err != nil {
authz, err := p.authorize(w, originalRequest)
if err != nil {
// no session, so redirect
if _, err := sessions.FromContext(r.Context()); err != nil {
if verifyOnly {
@ -132,10 +134,11 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &authN).String(), http.StatusFound)
return nil
}
return err
}
w.Header().Set(httputil.HeaderPomeriumJWTAssertion, authz.GetSignedJwt())
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "Access to %s is allowed.", uri.Host)