wn/traefik-forward-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Warn when using http without insecure cookie

Browse Source 
Closes #114
This commit is contained in:
Thom Seddon 2020-05-12 13:20:51 +01:00
parent eec62eb03a
commit a668454a11
2 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
internal/server.go
View File

@ -193,6 +193,12 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
csrf := MakeCSRFCookie(r, nonce) csrf := MakeCSRFCookie(r, nonce)
http.SetCookie(w, csrf) http.SetCookie(w, csrf)
if !config.InsecureCookie && r.Header.Get("X-Forwarded-Proto") != "https" {
logger.Warn("You are using \"secure\" cookies for a request that was not " +
"received via https. You should either redirect to https or pass the " +
"\"insecure-cookie\" config option to permit cookies via http.")
}
// Forward them on // Forward them on
loginURL := p.GetLoginURL(redirectUri(r), MakeState(r, p, nonce)) loginURL := p.GetLoginURL(redirectUri(r), MakeState(r, p, nonce))
http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect) http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect)
@ -209,6 +215,7 @@ func (s *Server) logger(r *http.Request, handler, rule, msg string) *logrus.Entr
"handler": handler, "handler": handler,
"rule": rule, "rule": rule,
"method": r.Header.Get("X-Forwarded-Method"), "method": r.Header.Get("X-Forwarded-Method"),
"proto": r.Header.Get("X-Forwarded-Proto"),
"host": r.Header.Get("X-Forwarded-Host"), "host": r.Header.Get("X-Forwarded-Host"),
"uri": r.Header.Get("X-Forwarded-Uri"), "uri": r.Header.Get("X-Forwarded-Uri"),
"source_ip": r.Header.Get("X-Forwarded-For"), "source_ip": r.Header.Get("X-Forwarded-For"),

12
internal/server_test.go
View File

@ -10,6 +10,8 @@ import (
"testing" "testing"
"time" "time"
"github.com/sirupsen/logrus"
"github.com/sirupsen/logrus/hooks/test"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"golang.org/x/oauth2" "golang.org/x/oauth2"
@ -32,6 +34,8 @@ func init() {
func TestServerAuthHandlerInvalid(t *testing.T) { func TestServerAuthHandlerInvalid(t *testing.T) {
assert := assert.New(t) assert := assert.New(t)
config = newDefaultConfig() config = newDefaultConfig()
var hook *test.Hook
log, hook = test.NewNullLogger()
// Should redirect vanilla request to login url // Should redirect vanilla request to login url
req := newDefaultHttpRequest("/foo") req := newDefaultHttpRequest("/foo")
@ -53,6 +57,14 @@ func TestServerAuthHandlerInvalid(t *testing.T) {
assert.Equal("google", parts[1]) assert.Equal("google", parts[1])
assert.Equal("http://example.com/foo", parts[2]) assert.Equal("http://example.com/foo", parts[2])
// Should warn as using http without insecure cookie
logs := hook.AllEntries()
assert.Len(logs, 1)
assert.Equal("You are using \"secure\" cookies for a request that was not "+
"received via https. You should either redirect to https or pass the "+
"\"insecure-cookie\" config option to permit cookies via http.", logs[0].Message)
assert.Equal(logrus.WarnLevel, logs[0].Level)
// Should catch invalid cookie // Should catch invalid cookie
req = newDefaultHttpRequest("/foo") req = newDefaultHttpRequest("/foo")
c := MakeCookie(req, "test@example.com") c := MakeCookie(req, "test@example.com")