outposts/proxyv2: fix before-redirect url not being saved in proxy mode
closes #2109 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
7f47f93e4e
commit
41e7b9b73f
|
@ -6,7 +6,9 @@ import (
|
||||||
"net/url"
|
"net/url"
|
||||||
"path"
|
"path"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"goauthentik.io/api"
|
||||||
"goauthentik.io/internal/outpost/proxyv2/constants"
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -20,6 +22,33 @@ func urlJoin(originalUrl string, newPath string) string {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
s, err := a.sessions.Get(r, constants.SeesionName)
|
||||||
|
if err == nil {
|
||||||
|
a.log.WithError(err).Warning("failed to decode session")
|
||||||
|
}
|
||||||
|
redirectUrl := r.URL.String()
|
||||||
|
// simple way to copy the URL
|
||||||
|
u, _ := url.Parse(redirectUrl)
|
||||||
|
// In proxy and forward_single mode we only have one URL that we route on
|
||||||
|
// if we somehow got here without that URL, make sure we're at least redirected back to it
|
||||||
|
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
||||||
|
u.Host = a.proxyConfig.ExternalHost
|
||||||
|
}
|
||||||
|
if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
|
||||||
|
dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
|
||||||
|
// In forward_domain we only check that the current URL's host
|
||||||
|
// ends with the cookie domain (remove the leading period if set)
|
||||||
|
if !strings.HasSuffix(r.URL.Hostname(), dom) {
|
||||||
|
a.log.WithField("url", r.URL.String()).WithField("cd", dom).Warning("Invalid redirect found")
|
||||||
|
redirectUrl = ""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
s.Values[constants.SessionRedirect] = redirectUrl
|
||||||
|
err = s.Save(r, rw)
|
||||||
|
if err != nil {
|
||||||
|
a.log.WithError(err).Warning("failed to save session before redirect")
|
||||||
|
}
|
||||||
|
|
||||||
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
|
authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
|
||||||
http.Redirect(rw, r, authUrl, http.StatusFound)
|
http.Redirect(rw, r, authUrl, http.StatusFound)
|
||||||
}
|
}
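Review bot: The guard after `a.sessions.Get` in `redirectToStart` is inverted: `if err == nil` logs "failed to decode session" with a nil error on success and stays silent when decoding fails, so it should read `if err != nil {`. In the forward_domain branch, `strings.HasSuffix(r.URL.Hostname(), dom)` has no label boundary, so with a cookie domain of `example.com` (constructed example) a host such as `notexample.com` passes and its URL is stored as the post-login redirect; take `host := r.URL.Hostname()` and compare on a boundary with `if host != dom && !strings.HasSuffix(host, "."+dom) {`. The parsed copy `u` gets its `Host` rewritten for proxy and forward_single mode but is never read again, and `s.Values[constants.SessionRedirect]` still receives the original `redirectUrl`, so the fallback described in the comment has no effect as written. `*a.proxyConfig.CookieDomain` is also dereferenced without a nil check, which looks like it would panic if the field is unset; confirm against the config type.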
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
"""This file needs to be run from the root of the project to correctly
|
"""This file needs to be run from the root of the project to correctly
|
||||||
import authentik. This is done by the dockerfile."""
|
import authentik. This is done by the dockerfile."""
|
||||||
from json import dumps
|
from json import dumps
|
||||||
|
from sys import exit as sysexit
|
||||||
from sys import stderr
|
from sys import stderr
|
||||||
from time import sleep, time
|
from time import sleep, time
|
||||||
|
|
||||||
|
@ -28,7 +29,7 @@ def j_print(event: str, log_level: str = "info", **kwargs):
|
||||||
# Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
|
# Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
|
||||||
if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0:
|
if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0:
|
||||||
j_print("Secret key missing, check https://goauthentik.io/docs/installation/.")
|
j_print("Secret key missing, check https://goauthentik.io/docs/installation/.")
|
||||||
exit(1)
|
sysexit(1)
|
||||||
|
|
||||||
|
|
||||||
while True:
|
while True:
|
||||||
|
|