outposts/proxyv2: fix before-redirect url not being saved in proxy mode

closes #2109

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-01-19 19:15:57 +01:00
parent 7f47f93e4e
commit 41e7b9b73f
2 changed files with 31 additions and 1 deletions

View File

@ -6,7 +6,9 @@ import (
"net/url" "net/url"
"path" "path"
"strconv" "strconv"
"strings"
"goauthentik.io/api"
"goauthentik.io/internal/outpost/proxyv2/constants" "goauthentik.io/internal/outpost/proxyv2/constants"
) )
@ -20,6 +22,33 @@ func urlJoin(originalUrl string, newPath string) string {
} }
func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) { func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
s, err := a.sessions.Get(r, constants.SeesionName)
if err == nil {
a.log.WithError(err).Warning("failed to decode session")
}
redirectUrl := r.URL.String()
// simple way to copy the URL
u, _ := url.Parse(redirectUrl)
// In proxy and forward_single mode we only have one URL that we route on
// if we somehow got here without that URL, make sure we're at least redirected back to it
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
u.Host = a.proxyConfig.ExternalHost
}
if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
// In forward_domain we only check that the current URL's host
// ends with the cookie domain (remove the leading period if set)
if !strings.HasSuffix(r.URL.Hostname(), dom) {
a.log.WithField("url", r.URL.String()).WithField("cd", dom).Warning("Invalid redirect found")
redirectUrl = ""
}
}
s.Values[constants.SessionRedirect] = redirectUrl
err = s.Save(r, rw)
if err != nil {
a.log.WithError(err).Warning("failed to save session before redirect")
}
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start") authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
http.Redirect(rw, r, authUrl, http.StatusFound) http.Redirect(rw, r, authUrl, http.StatusFound)
} }

View File

@ -2,6 +2,7 @@
"""This file needs to be run from the root of the project to correctly """This file needs to be run from the root of the project to correctly
import authentik. This is done by the dockerfile.""" import authentik. This is done by the dockerfile."""
from json import dumps from json import dumps
from sys import exit as sysexit
from sys import stderr from sys import stderr
from time import sleep, time from time import sleep, time
@ -28,7 +29,7 @@ def j_print(event: str, log_level: str = "info", **kwargs):
# Sanity check, ensure SECRET_KEY is set before we even check for database connectivity # Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0: if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0:
j_print("Secret key missing, check https://goauthentik.io/docs/installation/.") j_print("Secret key missing, check https://goauthentik.io/docs/installation/.")
exit(1) sysexit(1)
while True: while True: