authenticate: add databroker versions to session cookie (#2709)

* authenticate: add databroker versions to session cookie authorize: wait for databroker synchronization on updated sessions * fix test
2025-05-09 15:17:39 +02:00 · 2021-10-26 14:45:53 -06:00 · 2021-10-26 14:45:53 -06:00 · d390e80b30
commit d390e80b30
parent b2c76c3816
6 changed files with 192 additions and 32 deletions
--- a/internal/urlutil/proxy.go
+++ b/internal/urlutil/proxy.go
@ -0,0 +1,51 @@
+package urlutil
+
+import (
+	"errors"
+	"net/http"
+	"net/url"
+)
+
+// ErrMissingRedirectURI indicates the pomerium_redirect_uri was missing from the query string.
+var ErrMissingRedirectURI = errors.New("missing " + QueryRedirectURI)
+
+// GetCallbackURL gets the proxy's callback URL from a request and a base64url encoded + encrypted session state JWT.
+func GetCallbackURL(r *http.Request, encodedSessionJWT string) (*url.URL, error) {
+	rawRedirectURI := r.FormValue(QueryRedirectURI)
+	if rawRedirectURI == "" {
+		return nil, ErrMissingRedirectURI
+	}
+
+	redirectURI, err := ParseAndValidateURL(rawRedirectURI)
+	if err != nil {
+		return nil, err
+	}
+
+	var callbackURI *url.URL
+	if callbackStr := r.FormValue(QueryCallbackURI); callbackStr != "" {
+		callbackURI, err = ParseAndValidateURL(callbackStr)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// otherwise, assume callback is the same host as redirect
+		callbackURI, err = DeepCopy(redirectURI)
+		if err != nil {
+			return nil, err
+		}
+		callbackURI.Path = "/.pomerium/callback/"
+		callbackURI.RawQuery = ""
+	}
+
+	callbackParams := callbackURI.Query()
+
+	if r.FormValue(QueryIsProgrammatic) == "true" {
+		callbackParams.Set(QueryIsProgrammatic, "true")
+	}
+	// add our encoded and encrypted route-session JWT to a query param
+	callbackParams.Set(QuerySessionEncrypted, encodedSessionJWT)
+	callbackParams.Set(QueryRedirectURI, redirectURI.String())
+	callbackURI.RawQuery = callbackParams.Encode()
+
+	return callbackURI, nil
+}