Elide cookie upstream (fixes #49) (#51)

* fix typo * add e2e test checking for lack of cookie * scrub cookie upstream (fixes #49) * remove unnecessary comment * filter out all cookie chunks
sevensolutions · Jan 20, 2025 · ed39fcd · ed39fcd
1 parent d80dcd1
commit ed39fcd
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 1 deletion.
diff --git a/cookie.go b/cookie.go
@@ -72,6 +72,22 @@ func getChunkedCookieCount(req *http.Request, cookieName string) (int, error) {
 
 	return chunkCount, nil
 }
+func getChunkedCookieNames(req *http.Request, cookieName string) (map[string]struct{}, error) {
+	cookieNames := make(map[string]struct{})
+	chunkCount, err := getChunkedCookieCount(req, cookieName)
+	if err != nil {
+		return nil, err
+	}
+	if chunkCount == 0 {
+		cookieNames[cookieName] = struct{}{}
+	} else {
+		cookieNames[cookieName+"Chunks"] = struct{}{}
+		for i := 0; i < chunkCount; i++ {
+			cookieNames[fmt.Sprintf("%s%d", cookieName, i+1)] = struct{}{}
+		}
+	}
+	return cookieNames, nil
+}
 func (toa *TraefikOidcAuth) clearChunkedCookie(rw http.ResponseWriter, req *http.Request, cookieName string) error {
 	chunkCount, err := getChunkedCookieCount(req, cookieName)
 	if err != nil {

diff --git a/e2e/tests/dex/simple-login.spec.ts b/e2e/tests/dex/simple-login.spec.ts
@@ -77,7 +77,7 @@ test("login https", async ({ page }) => {
   expect(response.status()).toBe(200);
 });
 
-// Seems like logout is not supported by dey yet :(
+// Seems like logout is not supported by dex yet :(
 // https://github.com/dexidp/dex/issues/1697
 // test("logout", async ({ page }) => {
 //   await page.goto("http://localhost:9080");
@@ -134,6 +134,10 @@ http:
 
   const staticHeaderExists = await page.locator(`text=X-Static-Header: 42`).isVisible();
   expect(staticHeaderExists).toBeTruthy();
+
+  // Authorization cookie should not be present in the rendered contents
+  const pageText = await page.innerText("html");
+  expect(pageText).not.toMatch(/Cookie:\s*(?:^|\s|;)\s*Authorization\s*=\s*[^;\r\n]+/);
 });
 
 test("test authorization", async ({ page }) => {

diff --git a/main.go b/main.go
@@ -132,6 +132,7 @@ func (toa *TraefikOidcAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 		}
 
 		// Forward the request
+		toa.sanitizeForUpstream(req)
 		toa.next.ServeHTTP(rw, req)
 		return
 	} else {
@@ -144,6 +145,21 @@ func (toa *TraefikOidcAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 	toa.handleUnauthorized(rw, req)
 }
 
+func (toa *TraefikOidcAuth) sanitizeForUpstream(req *http.Request) {
+	// Remove the session cookie from the request before forwarding
+	keepCookies := make([]*http.Cookie, 0)
+	dontSendUpstreamCookieNames, _ := getChunkedCookieNames(req, toa.Config.SessionCookie.Name)
+	for _, c := range req.Cookies() {
+		if _, ok := dontSendUpstreamCookieNames[c.Name]; !ok {
+			keepCookies = append(keepCookies, c)
+		}
+	}
+	req.Header.Del("Cookie")
+	for _, c := range keepCookies {
+		req.AddCookie(c)
+	}
+}
+
 func (toa *TraefikOidcAuth) attachHeaders(req *http.Request, session *SessionState, claims map[string]interface{}) error {
 	if toa.Config.Headers != nil {
 		evalContext := make(map[string]interface{})