techies/authelia
1
0
Fork 0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
Code Issues Projects Releases Wiki Activity

[FEATURE] Support secure websocket connections. (#656)

Browse Source 
* Add WSS support for insecure scheme detection

WSS connections were broken by the introduction of this check. Adding WSS as a supported scheme for secure connections prevents a 401 being returned for an authorised connection.

* Add tests for WSS

Also extend HTTPS tests to ensure they do not catch WSS URLs
This commit is contained in:
Paul Williams 2020-02-27 23:28:53 +00:00 committed by GitHub
parent 82d8e1d57a
commit 829757d3bc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
internal/handlers/handler_verify.go
View File

@ -22,6 +22,10 @@ func isSchemeHTTPS(url *url.URL) bool {
return url.Scheme == "https" return url.Scheme == "https"
} }
func isSchemeWSS(url *url.URL) bool {
return url.Scheme == "wss"
}
// getOriginalURL extract the URL from the request headers (X-Original-URI or X-Forwarded-* headers). // getOriginalURL extract the URL from the request headers (X-Original-URI or X-Forwarded-* headers).
func getOriginalURL(ctx *middlewares.AutheliaCtx) (*url.URL, error) { func getOriginalURL(ctx *middlewares.AutheliaCtx) (*url.URL, error) {
originalURL := ctx.XOriginalURL() originalURL := ctx.XOriginalURL()
@ -207,8 +211,8 @@ func VerifyGet(ctx *middlewares.AutheliaCtx) {
return return
} }
if !isSchemeHTTPS(targetURL) { if !isSchemeHTTPS(targetURL) && !isSchemeWSS(targetURL) {
ctx.Logger.Error(fmt.Errorf("Scheme of target URL %s must be 'https' since cookies are "+ ctx.Logger.Error(fmt.Errorf("Scheme of target URL %s must be secure since cookies are "+
"only transported over a secure connection for security reasons", targetURL.String())) "only transported over a secure connection for security reasons", targetURL.String()))
ctx.ReplyUnauthorized() ctx.ReplyUnauthorized()
return return

22
internal/handlers/handler_verify_test.go
View File

@ -588,7 +588,29 @@ func TestSchemeIsHTTPS(t *testing.T) {
assert.False(t, isSchemeHTTPS( assert.False(t, isSchemeHTTPS(
GetURL("http://mytest.example.com/abc/?query=abc"))) GetURL("http://mytest.example.com/abc/?query=abc")))
assert.False(t, isSchemeHTTPS(
GetURL("ws://mytest.example.com/abc/?query=abc")))
assert.False(t, isSchemeHTTPS(
GetURL("wss://mytest.example.com/abc/?query=abc")))
assert.True(t, isSchemeHTTPS( assert.True(t, isSchemeHTTPS(
GetURL("https://mytest.example.com/abc/?query=abc"))) GetURL("https://mytest.example.com/abc/?query=abc")))
} }
func TestSchemeIsWSS(t *testing.T) {
GetURL := func(u string) *url.URL {
x, err := url.ParseRequestURI(u)
require.NoError(t, err)
return x
}
assert.False(t, isSchemeWSS(
GetURL("ws://mytest.example.com/abc/?query=abc")))
assert.False(t, isSchemeWSS(
GetURL("http://mytest.example.com/abc/?query=abc")))
assert.False(t, isSchemeWSS(
GetURL("https://mytest.example.com/abc/?query=abc")))
assert.True(t, isSchemeWSS(
GetURL("wss://mytest.example.com/abc/?query=abc")))
}