diff --git a/internal/outpost/proxyv2/application/utils.go b/internal/outpost/proxyv2/application/utils.go
index d2423e125..fe7c88a7b 100644
--- a/internal/outpost/proxyv2/application/utils.go
+++ b/internal/outpost/proxyv2/application/utils.go
@@ -6,7 +6,9 @@ import (
 "net/url"
 "path"
 "strconv"
+ "strings"
+ "goauthentik.io/api"
 "goauthentik.io/internal/outpost/proxyv2/constants"
 )
@@ -20,6 +22,33 @@ func urlJoin(originalUrl string, newPath string) string {
 }
 func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
+ s, err := a.sessions.Get(r, constants.SeesionName)
+ if err == nil {
+ a.log.WithError(err).Warning("failed to decode session")
+ }
+ redirectUrl := r.URL.String()
+ // simple way to copy the URL
+ u, _ := url.Parse(redirectUrl)
+ // In proxy and forward_single mode we only have one URL that we route on
+ // if we somehow got here without that URL, make sure we're at least redirected back to it
+ if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+ u.Host = a.proxyConfig.ExternalHost
+ }
+ if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
+ dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
+ // In forward_domain we only check that the current URL's host
+ // ends with the cookie domain (remove the leading period if set)
+ if !strings.HasSuffix(r.URL.Hostname(), dom) {
+ a.log.WithField("url", r.URL.String()).WithField("cd", dom).Warning("Invalid redirect found")
+ redirectUrl = ""
+ }
+ }
+ s.Values[constants.SessionRedirect] = redirectUrl
+ err = s.Save(r, rw)
+ if err != nil {
+ a.log.WithError(err).Warning("failed to save session before redirect")
+ }
+
 authUrl := urlJoin(a.proxyConfig.ExternalHost, "/akprox/start")
 http.Redirect(rw, r, authUrl, http.StatusFound)
 }
diff --git a/lifecycle/wait_for_db.py b/lifecycle/wait_for_db.py
index f466068b4..e412e79be 100755
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
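Review bot: The session-decode check at the top of redirectToStart is inverted: `if err == nil` logs "failed to decode session" on the success path and says nothing when `a.sessions.Get` actually fails, so it should read `if err != nil {`. The host rewrite a few lines below is dead code — `u.Host = a.proxyConfig.ExternalHost` changes the parsed copy `u`, but `redirectUrl` is never refreshed from it, so the value stored in the session keeps the original host; add `redirectUrl = u.String()` inside that branch so the comment's intent ("make sure we're at least redirected back to it") actually holds. In the forward_domain branch, `strings.HasSuffix(r.URL.Hostname(), dom)` accepts any hostname whose text merely ends with the cookie domain rather than the domain itself or one of its subdomains; tightening it to `if h := r.URL.Hostname(); h != dom && !strings.HasSuffix(h, "."+dom) {` matches what the comment describes. `*a.proxyConfig.CookieDomain` is also dereferenced without a nil check, which would panic if that field is optional in the API type — worth confirming against the generated model.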
@@ -2,6 +2,7 @@
 """This file needs to be run from the root of the project to correctly import authentik.
 This is done by the dockerfile."""
 from json import dumps
+from sys import exit as sysexit
 from sys import stderr
 from time import sleep, time
@@ -28,7 +29,7 @@ def j_print(event: str, log_level: str = "info", **kwargs):
 # Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
 if CONFIG.y("secret_key") is None or len(CONFIG.y("secret_key")) == 0:
 j_print("Secret key missing, check https://goauthentik.io/docs/installation/.")
- exit(1)
+ sysexit(1)
 while True: