mirror of
https://github.com/nais/wonderwall.git
synced 2026-05-11 02:47:05 +00:00
fix(handler/url): use base64 encoding for redirects to preserve query parameters
Load balancers or reverse proxies may rewrite or modify the Location header and unescape its value, which would result in redirects not preserving the original set of query parameters. This was especially evident for autologins where we need to redirect to `/oauth2/login` with the `redirect` parameter containing the original requested URL so that the end-user ultimately ends up at the latter URL. We avoid this issue by base64-encoding the original URL, before passing it along as the intended redirect for the login route. To preserve existing behaviour, we use a separate query parameter for the `/oauth2/login`-endpoint that accepts and handles base64-encoded values.
This commit is contained in:
Trong Huu Nguyen
@@ -4,11 +4,11 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
urlpkg "github.com/nais/wonderwall/pkg/handler/url"
|
||||
"github.com/nais/wonderwall/pkg/ingress"
|
||||
mw "github.com/nais/wonderwall/pkg/middleware"
|
||||
"github.com/nais/wonderwall/pkg/mock"
|
||||
@@ -78,12 +78,12 @@ func TestHandler_Retry(t *testing.T) {
|
||||
{
|
||||
name: "login path",
|
||||
request: httpRequest("/oauth2/login"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "callback path",
|
||||
request: httpRequest("/oauth2/callback"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "logout path",
|
||||
@@ -99,7 +99,7 @@ func TestHandler_Retry(t *testing.T) {
|
||||
name: "login with non-default ingress",
|
||||
request: httpRequest("/domene/oauth2/login"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/domene"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/domene"),
|
||||
},
|
||||
{
|
||||
name: "logout with non-default ingress",
|
||||
@@ -110,103 +110,103 @@ func TestHandler_Retry(t *testing.T) {
|
||||
{
|
||||
name: "login with referer",
|
||||
request: httpRequest("/oauth2/login", "/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/api/me"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/me"),
|
||||
},
|
||||
{
|
||||
name: "login with referer on non-default ingress",
|
||||
request: httpRequest("/domene/oauth2/login", "/api/me"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/api/me"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/me"),
|
||||
},
|
||||
{
|
||||
name: "login with root referer",
|
||||
request: httpRequest("/oauth2/login", "/"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with root referer on non-default ingress",
|
||||
request: httpRequest("/domene/oauth2/login", "/"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with cookie referer",
|
||||
request: httpRequest("/oauth2/login"),
|
||||
loginCookie: &openid.LoginCookie{Referer: "/"},
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with empty cookie referer",
|
||||
request: httpRequest("/oauth2/login"),
|
||||
loginCookie: &openid.LoginCookie{Referer: ""},
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with cookie referer takes precedence over referer header",
|
||||
request: httpRequest("/oauth2/login", "/api/me"),
|
||||
loginCookie: &openid.LoginCookie{Referer: "/api/headers"},
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/api/headers"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/headers"),
|
||||
},
|
||||
{
|
||||
name: "login with cookie referer on non-default ingress",
|
||||
request: httpRequest("/domene/oauth2/login"),
|
||||
loginCookie: &openid.LoginCookie{Referer: "/domene/api/me"},
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/domene/api/me"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/domene/api/me"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set",
|
||||
request: httpRequest("/oauth2/login?redirect=/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/api/me"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/me"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set and query parameters",
|
||||
request: httpRequest("/oauth2/login?redirect=/api/me?a=b%26c=d"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/api/me?a=b&c=d"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/me?a=b&c=d"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set on non-default ingress",
|
||||
request: httpRequest("/domene/oauth2/login?redirect=/api/me"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/api/me"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/api/me"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set takes precedence over referer header",
|
||||
request: httpRequest("/oauth2/login?redirect=/other", "/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/other"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/other"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set to relative root takes precedence over referer header",
|
||||
request: httpRequest("/oauth2/login?redirect=/", "/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set to relative root on non-default ingress takes precedence over referer header",
|
||||
request: httpRequest("/domene/oauth2/login?redirect=/", "/api/me"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set to absolute url takes precedence over referer header",
|
||||
request: httpRequest("/oauth2/login?redirect=http://localhost:8080", "/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set to absolute url with trailing slash takes precedence over referer header",
|
||||
request: httpRequest("/oauth2/login?redirect=http://localhost:8080/", "/api/me"),
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with redirect parameter set to absolute url on non-default ingress takes precedence over referer header",
|
||||
request: httpRequest("/domene/oauth2/login?redirect=http://localhost:8080/", "/api/me"),
|
||||
ingress: "https://test.nav.no/domene",
|
||||
want: "/domene/oauth2/login?redirect=" + url.QueryEscape("/"),
|
||||
want: "/domene/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/"),
|
||||
},
|
||||
{
|
||||
name: "login with cookie referer takes precedence over redirect parameter",
|
||||
request: httpRequest("/oauth2/login?redirect=/other"),
|
||||
loginCookie: &openid.LoginCookie{Referer: "/domene/api/me"},
|
||||
want: "/oauth2/login?redirect=" + url.QueryEscape("/domene/api/me"),
|
||||
want: "/oauth2/login?redirect-encoded=" + urlpkg.RedirectEncoded("/domene/api/me"),
|
||||
},
|
||||
} {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user