allow using the X-Forwarded-Prefix header for path prefix

colearendt · colearendt · commit 377478261bbd · 2022-12-02T10:24:32.000-05:00
In most (all?) cases, traefik makes the forwardAuth request at
the root of the server (/). This means that the user's
requested path is lost. However, the prefix is sent along with
the `X-Forwarded-Prefix` header, so we use that in addition
to the requested path if the requested path is empty.
diff --git a/internal/auth.go b/internal/auth.go
@@ -128,9 +128,17 @@ func redirectBase(r *http.Request) string {
 	return fmt.Sprintf("%s://%s", r.Header.Get("X-Forwarded-Proto"), r.Host)
 }
 
-// Return url
+// returnUrl is the URL that we will return to after authentication. Uses the `X-Forwarded-Prefix` header if provided,
+// since traefik just requests the root (i.e. r.URL.Path is almost always /)
 func returnUrl(r *http.Request) string {
-	return fmt.Sprintf("%s%s", redirectBase(r), r.URL.Path)
+	fwdUri := r.URL.Path
+	if r.URL.Path == "" || r.URL.Path == "/" {
+		headerPrefix := r.Header.Get("X-Forwarded-Prefix")
+		if headerPrefix != "" && headerPrefix != "/" {
+			fwdUri = headerPrefix
+		}
+	}
+	return fmt.Sprintf("%s%s", redirectBase(r), fwdUri)
 }
 
 // Get oauth redirect uri
diff --git a/internal/auth_test.go b/internal/auth_test.go
@@ -392,6 +392,23 @@ func TestMakeState(t *testing.T) {
 	p3 := provider.GenericOAuth{}
 	state = MakeState(r, &p3, "nonce")
 	assert.Equal("nonce:generic-oauth:http://example.com/hello", state)
+
+	// Test at the root, but with a forwarded prefix
+	// this is how traefik forwards the request path information
+	r = httptest.NewRequest("GET", "http://example.com", nil)
+	r.Header.Add("X-Forwarded-Proto", "https")
+	r.Header.Add("X-Forwarded-Prefix", "/other/path")
+	p4 := provider.GenericOAuth{}
+	state = MakeState(r, &p4, "nonce")
+	assert.Equal("nonce:generic-oauth:https://example.com/other/path", state)
+
+	// Path and a forwarded prefix should use the path
+	r = httptest.NewRequest("GET", "http://example.com/multi/path", nil)
+	r.Header.Add("X-Forwarded-Proto", "https")
+	r.Header.Add("X-Forwarded-Prefix", "/something")
+	p5 := provider.GenericOAuth{}
+	state = MakeState(r, &p5, "nonce")
+	assert.Equal("nonce:generic-oauth:https://example.com/multi/path", state)
 }
 
 func TestAuthNonce(t *testing.T) {
