remove forward auth (#3628)

2025-08-04 01:09:36 +02:00 · 2022-11-23 15:59:28 -07:00 · 2022-11-23 15:59:28 -07:00 · fa26587f19
commit fa26587f19
parent ba07afc245
68 changed files with 302 additions and 5072 deletions
--- a/internal/urlutil/forward.go
+++ b/internal/urlutil/forward.go
@ -1,47 +0,0 @@
-package urlutil
-
-import (
-	"net/http"
-	"net/url"
-	"strings"
-)
-
-// Forward headers contains information from the client-facing side of proxy
-// servers that is altered or lost when a proxy is involved in the path of the
-// request.
-//
-// https://tools.ietf.org/html/rfc7239
-// https://en.wikipedia.org/wiki/X-Forwarded-For
-const (
-	HeaderForwardedHost  = "X-Forwarded-Host"
-	HeaderForwardedProto = "X-Forwarded-Proto"
-	HeaderForwardedURI   = "X-Forwarded-Uri" // traefik
-	HeaderOriginalURL    = "X-Original-Url"  // nginx
-)
-
-// GetForwardAuthURL gets the forward-auth URL for the given request.
-func GetForwardAuthURL(r *http.Request) *url.URL {
-	urqQuery := r.URL.Query().Get("uri")
-	u, _ := ParseAndValidateURL(urqQuery)
-	if u == nil {
-		u = &url.URL{
-			Scheme: r.Header.Get(HeaderForwardedProto),
-			Host:   r.Header.Get(HeaderForwardedHost),
-		}
-		rawPath := r.Header.Get(HeaderForwardedURI)
-		if idx := strings.Index(rawPath, "?"); idx >= 0 {
-			u.Path = rawPath[:idx]
-			u.RawQuery = rawPath[idx+1:]
-		} else {
-			u.Path = rawPath
-		}
-	}
-	originalURL := r.Header.Get(HeaderOriginalURL)
-	if originalURL != "" {
-		k, _ := ParseAndValidateURL(originalURL)
-		if k != nil {
-			u = k
-		}
-	}
-	return u
-}
--- a/internal/urlutil/forward_test.go
+++ b/internal/urlutil/forward_test.go
@ -1,22 +0,0 @@
-package urlutil
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestGetForwardAuthURL(t *testing.T) {
-	t.Run("double-escaping", func(t *testing.T) {
-		req, err := http.NewRequest("GET", "https://example.com", nil)
-		require.NoError(t, err)
-		req.Header.Set("X-Forwarded-Proto", "https")
-		req.Header.Set("X-Forwarded-Host", "protected-host.tld")
-		req.Header.Set("X-Forwarded-Uri", "/example?a=b&c=d")
-
-		u := GetForwardAuthURL(req)
-		assert.Equal(t, "https://protected-host.tld/example?a=b&c=d", u.String())
-	})
-}
--- a/internal/urlutil/query_params.go
+++ b/internal/urlutil/query_params.go
@ -10,12 +10,10 @@ const (
 	QueryEnrollmentToken    = "pomerium_enrollment_token" //nolint
 	QueryIdentityProviderID = "pomerium_idp_id"
 	QueryIsProgrammatic     = "pomerium_programmatic"
-	QueryForwardAuth        = "pomerium_forward_auth"
 	QueryPomeriumJWT        = "pomerium_jwt"
 	QuerySession            = "pomerium_session"
 	QuerySessionEncrypted   = "pomerium_session_encrypted"
 	QueryRedirectURI        = "pomerium_redirect_uri"
-	QueryForwardAuthURI     = "uri"
 )

 // URL signature based query params used for verifying the authenticity of a URL.