whitelist depending on the URI

2026-01-08 05:09:46 -06:00 · 2020-12-01 17:10:04 +01:00
parent 348c54f2e7
commit 28e8f75ebd
3 changed files with 21 additions and 3 deletions
--- a/proxy/pkg/middleware/authentication.go
+++ b/proxy/pkg/middleware/authentication.go
@@ -9,6 +9,11 @@ import (

 var SupportedAuthStrategies []string

+// ProxyWwwAuthenticate is a list of endpoints that do not rely on reva underlying authentication, such as ocs.
+// services that fallback to reva authentication are declared in the "frontend" command on OCIS.
+// TODO this should be a regexp, or it can be confused with routes that contain "/ocs" somewhere along the URI
+var ProxyWwwAuthenticate = []string{"ocs"}
+
 type statusRecorder struct {
 	http.ResponseWriter
 	status int
--- a/proxy/pkg/middleware/basic_auth.go
+++ b/proxy/pkg/middleware/basic_auth.go
@@ -35,7 +35,11 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 					// if we want to prevent duplicated Www-Authenticate headers coming from Reva consider using w.Header().Del("Www-Authenticate")
 					// but this will require the proxy being aware of endpoints which authentication fallback to Reva.
 					if !h.isPublicLink(req) {
-						w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+						for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+							if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+								w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+							}
+						}
 					}
 					next.ServeHTTP(w, req)
 					return
@@ -43,7 +47,11 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {

 				account, ok := h.getAccount(req)
 				if !ok {
-					w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+					for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+						if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+							w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Basic", req.Host))
+						}
+					}
 					w.WriteHeader(http.StatusUnauthorized)
 					return
 				}
--- a/proxy/pkg/middleware/oidc_auth.go
+++ b/proxy/pkg/middleware/oidc_auth.go
@@ -47,7 +47,12 @@ func OIDCAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 				// this means that requests such as:
 				// curl -v -k -u admin:admin -H "depth: 0" -X PROPFIND https://localhost:9200/remote.php/dav/files | xmllint --format -
 				// even when succeeding, will contain a Www-Authenticate header.
-				w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Bearer", req.Host))
+
+				for i := 0; i < len(ProxyWwwAuthenticate); i++ {
+					if strings.Contains(req.RequestURI, fmt.Sprintf("/%v/", ProxyWwwAuthenticate[i])) {
+						w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", "Bearer", req.Host))
+					}
+				}
 				next.ServeHTTP(w, req)
 				return
 			}