fixed redirect to respect intended route, added additional logging around token swapping

This commit is contained in:
Cam
2023-09-13 10:37:38 -05:00
parent 4cf8b7d7c6
commit 4be9089cfe
3 changed files with 26 additions and 12 deletions


@ -208,10 +208,12 @@ func authHandler(handler http.Handler, realm string, pcfg *Config, ctx ziti.Cont
}
}
target := fmt.Sprintf("%s%s", r.Host, r.URL.Path)
cookie, err := r.Cookie("zrok-access")
if err != nil {
logrus.Errorf("Unable to get access cookie: %v", err)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?share=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), shrToken, authCheckInterval.String()), http.StatusFound)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?targethost=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), url.QueryEscape(target), authCheckInterval.String()), http.StatusFound)
return
}
tkn, err := jwt.ParseWithClaims(cookie.Value, &ZrokClaims{}, func(t *jwt.Token) (interface{}, error) {
@ -222,18 +224,18 @@ func authHandler(handler http.Handler, realm string, pcfg *Config, ctx ziti.Cont
})
if err != nil {
logrus.Errorf("Unable to parse JWT: %v", err)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?share=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), shrToken, authCheckInterval.String()), http.StatusFound)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?targethost=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), url.QueryEscape(target), authCheckInterval.String()), http.StatusFound)
return
}
claims := tkn.Claims.(*ZrokClaims)
if claims.Provider != provider {
logrus.Error("Provider mismatch. Redoing auth flow")
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?share=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), shrToken, authCheckInterval.String()), http.StatusFound)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?targethost=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), url.QueryEscape(target), authCheckInterval.String()), http.StatusFound)
return
}
if claims.AuthorizationCheckInterval != authCheckInterval {
logrus.Error("Authorization check interval mismatch. Redoing auth flow")
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?share=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), shrToken, authCheckInterval.String()), http.StatusFound)
http.Redirect(w, r, fmt.Sprintf("http://%s.%s:%d/%s/login?targethost=%s&checkInterval=%s", shrToken, pcfg.HostMatch, pcfg.Oauth.Port, provider.(string), url.QueryEscape(target), authCheckInterval.String()), http.StatusFound)
return
}
if validDomains, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
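Review bot: The new `targethost` value on the redirect lines (L20, L29, L36, L42) is built at L15 from `r.Host`, which is taken from the request, and nothing in this hunk checks that it names the share the handler is serving; since the login flow presumably sends the browser back to `targethost` afterwards, a request with a forged Host header could turn the post-login hop into a redirect to an arbitrary host, so the value should be validated against the expected share host (the `shrToken`/`pcfg.HostMatch` pair used on the same line) before it is placed in the URL, e.g. `if !strings.HasSuffix(r.Host, pcfg.HostMatch) { http.Error(w, "unexpected host", http.StatusBadRequest); return }`. Separately, `target` keeps only `r.URL.Path`, so any query string on the original request is dropped on the way through login; `target := r.Host + r.URL.RequestURI()` would preserve it if that is the intent. The four redirect lines are also identical apart from the surrounding log message, and a small helper that builds the login URL once would keep the escaping and the host check in one place. authHandler begins before and continues after this hunk.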