AuthOnly endpoint should not accept requests with no session

This commit is contained in:
Joel Speed 2022-12-23 13:59:02 +00:00
parent aafa966550
commit 82e61caf5c
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
2 changed files with 22 additions and 3 deletions


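--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -919,7 +919,8 @@ func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.Sess
 // and optional authorization).
 func (p *OAuthProxy) AuthOnly(rw http.ResponseWriter, req *http.Request) {
 session, err := p.getAuthenticatedSession(rw, req)
-if err != nil {
+if err != nil || session == nil {
+// If there's no session, or an error retrieving it, we need to return 401 to trigger the OAuth2 flow.
 http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 return
 }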
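Review bot: The doc comment on AuthOnly, whose tail is the context line `// and optional authorization).`, still describes only authentication and optional authorization, while the new condition `if err != nil || session == nil {` makes the endpoint answer 401 for every request that arrives without a session, which, judging by the updated test table in the second file, now includes OPTIONS preflight requests under SkipAuthPreflight and requests from a trusted IP. That change in contract should be stated on the function, e.g. `// A request with no authenticated session is always answered with 401, even where ServeHTTP would skip authentication (preflight, trusted IP).` The added in-branch comment could be tightened to `// No usable session: answer 401 so the client starts the OAuth2 flow.` Note that the error and the nil-session cases now share one branch, so unless getAuthenticatedSession logs the error itself (not visible here) a session-store failure becomes indistinguishable from a plain unauthenticated request. The body of AuthOnly continues past the hunk, so what happens with session afterwards is not visible.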


@ -1401,6 +1401,24 @@ func TestAuthOnlyEndpointSetBasicAuthFalseRequestHeaders(t *testing.T) {
assert.Equal(t, 0, len(pcTest.rw.Header().Values("Authorization")), "should not have Authorization header entries") assert.Equal(t, 0, len(pcTest.rw.Header().Values("Authorization")), "should not have Authorization header entries")
} }
func TestAuthOnlyEndpointRejectPreflighRequests(t *testing.T) {
skipPreflight := func(opts *options.Options) {
opts.SkipAuthPreflight = true
}
test, err := NewAuthOnlyEndpointTest("", skipPreflight)
if err != nil {
t.Fatal(err)
}
test.req.Method = http.MethodOptions
test.proxy.ServeHTTP(test.rw, test.req)
assert.Equal(t, http.StatusUnauthorized, test.rw.Code)
bodyBytes, _ := io.ReadAll(test.rw.Body)
assert.Equal(t, "Unauthorized\n", string(bodyBytes))
}
func TestAuthSkippedForPreflightRequests(t *testing.T) { func TestAuthSkippedForPreflightRequests(t *testing.T) {
upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { upstreamServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(200) w.WriteHeader(200)
@ -3057,14 +3075,14 @@ func TestAuthOnlyAllowedGroupsWithSkipMethods(t *testing.T) {
method: "OPTIONS", method: "OPTIONS",
ip: "1.2.3.5:43670", ip: "1.2.3.5:43670",
withSession: false, withSession: false,
expectedStatusCode: http.StatusAccepted, expectedStatusCode: http.StatusUnauthorized,
}, },
{ {
name: "UserWithoutSessionTrustedIp", name: "UserWithoutSessionTrustedIp",
method: "GET", method: "GET",
ip: "1.2.3.4:43670", ip: "1.2.3.4:43670",
withSession: false, withSession: false,
expectedStatusCode: http.StatusAccepted, expectedStatusCode: http.StatusUnauthorized,
}, },
} }
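Review bot: In the first hunk the new test function is named `TestAuthOnlyEndpointRejectPreflighRequests`, missing the `t` in "Preflight"; it should read `func TestAuthOnlyEndpointRejectPreflightRequests(t *testing.T) {` so `go test -run Preflight` finds it alongside the existing TestAuthSkippedForPreflightRequests. In the same test, `bodyBytes, _ := io.ReadAll(test.rw.Body)` discards the read error, which the rest of the test file checks elsewhere; prefer `bodyBytes, err := io.ReadAll(test.rw.Body)` followed by `assert.NoError(t, err)`. The rendered hunk shows fewer lines than its `+1401,24` header announces, so blank lines appear to have been dropped by the page rather than the patch.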