From f6b144a0fa0b8100d54133edf65f27609b012d75 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Sun, 6 Aug 2023 01:18:20 +0200
Subject: [PATCH] providers/proxy: only intercept auth header when a value is set (#6488)

Signed-off-by: Jens Langhammer
---
 .../proxyv2/application/mode_common.go | 41 +++++++++++--------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 883686032..d2eac42cb 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -13,6 +13,30 @@ import (
 "goauthentik.io/internal/constants"
 )
 
+// Attempt to set basic auth based on user's attributes
+func (a *Application) setAuthorizationHeader(headers http.Header, c *Claims) {
+ if !*a.proxyConfig.BasicAuthEnabled {
+ return
+ }
+ userAttributes := c.Proxy.UserAttributes
+ var ok bool
+ var password string
+ if password, ok = userAttributes[*a.proxyConfig.BasicAuthPasswordAttribute].(string); !ok {
+ password = ""
+ }
+ // Check if we should use email or a custom attribute as username
+ var username string
+ if username, ok = userAttributes[*a.proxyConfig.BasicAuthUserAttribute].(string); !ok {
+ username = c.Email
+ }
+ if username == "" && password == "" {
+ return
+ }
+ authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
+ a.log.WithField("username", username).Trace("setting http basic auth")
+ headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
+}
+
 func (a *Application) addHeaders(headers http.Header, c *Claims) {
 // https://goauthentik.io/docs/providers/proxy/proxy
 headers.Set("X-authentik-username", c.PreferredUsername)
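Review bot: The new guard `if username == "" && password == ""` in setAuthorizationHeader runs after the fallback `username = c.Email`, so whenever the claims carry an email it does not fire for a user who has neither attribute set, and `Basic base64(email:)` with an empty password is still written to the header. If the intent is to leave Authorization untouched when no basic-auth value exists for the user, the two lookups should keep their results in separate variables and the function should return before the email fallback, e.g. `if !userOk && !passOk { return }`. Separately, `username` is joined with `:` unchecked; RFC 7617 treats a user-id containing a colon as invalid because the upstream splits on the first colon, so an attribute value with one changes which part is read as the password. A check such as `if strings.Contains(username, ":") { return }` would cover that, assuming `strings` is or can be imported (the import block is only partly visible in this hunk).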
@@ -33,22 +57,7 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 return
 }
 userAttributes := c.Proxy.UserAttributes
- // Attempt to set basic auth based on user's attributes
- if *a.proxyConfig.BasicAuthEnabled {
- var ok bool
- var password string
- if password, ok = userAttributes[*a.proxyConfig.BasicAuthPasswordAttribute].(string); !ok {
- password = ""
- }
- // Check if we should use email or a custom attribute as username
- var username string
- if username, ok = userAttributes[*a.proxyConfig.BasicAuthUserAttribute].(string); !ok {
- username = c.Email
- }
- authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
- a.log.WithField("username", username).Trace("setting http basic auth")
- headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
- }
+ a.setAuthorizationHeader(headers, c)
 // Check if user has additional headers set that we should sent
 if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
 a.log.WithField("headers", additionalHeaders).Trace("setting additional headers")