| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2023-01-25 20:36:40 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-01-25 20:36:40 +1100 |
| commit | 65705a646dfd31e4477af3ffb35c584eb49346a4 (patch) | |
| tree | 882b5df73348c5fc6471e57ef6787c4b04cb68f4 /internal/handlers/handler_authz_impl_forwardauth.go | |
| parent | 78064dec2e9b48308b71ff8862b27e6f8ded5d56 (diff) | |
feat(server): customizable authz endpoints (#4296)
This allows users to customize the authz endpoints.
Closes #2753, Fixes #3716
Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Diffstat (limited to 'internal/handlers/handler_authz_impl_forwardauth.go')
| -rw-r--r-- | internal/handlers/handler_authz_impl_forwardauth.go | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/internal/handlers/handler_authz_impl_forwardauth.go b/internal/handlers/handler_authz_impl_forwardauth.go
new file mode 100644
index 000000000..a042c13bb
--- /dev/null
+++ b/internal/handlers/handler_authz_impl_forwardauth.go
@@ -0,0 +1,55 @@
+package handlers
+
+import (
+ "fmt"
+ "net/url"
+
+ "github.com/valyala/fasthttp"
+
+ "github.com/authelia/authelia/v4/internal/authorization"
+ "github.com/authelia/authelia/v4/internal/middlewares"
+)
+
+func handleAuthzGetObjectForwardAuth(ctx *middlewares.AutheliaCtx) (object authorization.Object, err error) {
+ protocol, host, uri := ctx.XForwardedProto(), ctx.XForwardedHost(), ctx.XForwardedURI()
+
+ var (
+ targetURL *url.URL
+ method []byte
+ )
+
+ if targetURL, err = getRequestURIFromForwardedHeaders(protocol, host, uri); err != nil {
+ return object, fmt.Errorf("failed to get target URL: %w", err)
+ }
+
+ if method = ctx.XForwardedMethod(); len(method) == 0 {
+ return object, fmt.Errorf("header 'X-Forwarded-Method' is empty")
+ }
+
+ if hasInvalidMethodCharacters(method) {
+ return object, fmt.Errorf("header 'X-Forwarded-Method' with value '%s' has invalid characters", method)
+ }
+
+ return authorization.NewObjectRaw(targetURL, method), nil
+}
+
+func handleAuthzUnauthorizedForwardAuth(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL) {
+ var (
+ statusCode int
+ )
+
+ switch {
+ case ctx.IsXHR() || !ctx.AcceptsMIME("text/html"):
+ statusCode = fasthttp.StatusUnauthorized
+ default:
+ switch authn.Object.Method {
+ case fasthttp.MethodGet, fasthttp.MethodOptions, fasthttp.MethodHead:
+ statusCode = fasthttp.StatusFound
+ default:
+ statusCode = fasthttp.StatusSeeOther
+ }
+ }
+
+ ctx.Logger.Infof("Access to %s (method %s) is not authorized to user %s, responding with status code %d with location redirect to %s", authn.Object.String(), authn.Method, authn.Username, statusCode, redirectionURL)
+ ctx.SpecialRedirect(redirectionURL.String(), statusCode)
+} |
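Review bot: The error built in the `hasInvalidMethodCharacters` branch of `handleAuthzGetObjectForwardAuth` interpolates the rejected `X-Forwarded-Method` value with `%s`, so the very bytes that were just classified as invalid (control characters or CR/LF, depending on what the helper rejects — its definition is outside this file) are copied verbatim into the error string and into whatever log line the caller writes it to; `%q` escapes them and also makes an all-whitespace value visible: `return object, fmt.Errorf("header 'X-Forwarded-Method' with value %q has invalid characters", method)`. In `handleAuthzUnauthorizedForwardAuth` the `Infof` call fills the `(method %s)` slot from `authn.Method` while the status-code decision just above keys on `authn.Object.Method`; if those two fields are not the same value (the `Authn` type is not visible here), the log will not name the HTTP method that was actually evaluated, so consider logging `authn.Object.Method` or confirming they are equivalent. Neither new function carries a doc comment; a one-liner such as `// handleAuthzGetObjectForwardAuth builds the authorization object for a ForwardAuth request from the X-Forwarded-Proto/Host/URI/Method headers, rejecting an empty or malformed method.` and a matching one on the unauthorized handler explaining why non-safe methods get 303 rather than 302 (so the browser re-issues the redirected request as GET) would help the next reader.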
