From d3bec635f8bfed6037dd166a7672e087196ac446 Mon Sep 17 00:00:00 2001 From: Stavros Date: Tue, 15 Jul 2025 01:34:25 +0300 Subject: [PATCH] fix: make tinyauth not "eat" the authorization header --- internal/auth/auth.go | 4 +++- internal/handlers/proxy.go | 18 +++++------------- internal/hooks/hooks.go | 13 +++++++------ 3 files changed, 15 insertions(+), 20 deletions(-) diff --git a/internal/auth/auth.go b/internal/auth/auth.go index 5f7ccfe..36e7db0 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -88,7 +88,9 @@ func (auth *Auth) SearchUser(username string) types.UserSearch { } } - return types.UserSearch{} + return types.UserSearch{ + Type: "unknown", + } } func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool { diff --git a/internal/handlers/proxy.go b/internal/handlers/proxy.go index 8e15c68..fd87fd1 100644 --- a/internal/handlers/proxy.go +++ b/internal/handlers/proxy.go @@ -40,10 +40,7 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { proto := c.Request.Header.Get("X-Forwarded-Proto") host := c.Request.Header.Get("X-Forwarded-Host") - // Remove the port from the host if it exists hostPortless := strings.Split(host, ":")[0] // *lol* - - // Get the id id := strings.Split(hostPortless, ".")[0] labels, err := h.Docker.GetLabels(id, hostPortless) @@ -66,10 +63,10 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { ip := c.ClientIP() - // Check if the IP is in bypass list if h.Auth.BypassedIP(labels, ip) { - headersParsed := utils.ParseHeaders(labels.Headers) + c.Header("Authorization", c.Request.Header.Get("Authorization")) + headersParsed := utils.ParseHeaders(labels.Headers) for key, value := range headersParsed { log.Debug().Str("key", key).Msg("Setting header") c.Header(key, value) @@ -87,7 +84,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { return } - // Check if the IP is allowed/blocked if !h.Auth.CheckIP(labels, ip) { if proxy.Proxy == "nginx" || !isBrowser { c.JSON(403, gin.H{ 
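Review bot: The new `Type: "unknown"` sentinel is a bare string literal that this same patch then compares against in hooks.go, and one of those comparisons is already misspelled (`"unkown"`), which a named constant would have turned into a compile error. Declare it once beside the type, e.g. `const UserTypeUnknown = "unknown"` in the `types` package, return `types.UserSearch{Type: types.UserTypeUnknown}` here and compare against the constant at every call site. Any other code that still tests `userSearch.Type == ""` to detect a missing user is not visible in this patch and would now treat an unknown user as found, so it is worth a grep before merging. SearchUser's body starts outside the hunk.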
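Review bot: Nothing in the code says why the request's Authorization header is copied onto the forward-auth response, and the same line is now repeated in three branches of ProxyHandler, so one of them will be dropped or reordered by accident later. Add a one-line comment where it is set, e.g. `// Echo the client's Authorization header so the reverse proxy forwards it to the upstream instead of dropping it`, or better, move it into a small helper called from each branch. As far as I recall gin's `c.Header` deletes the header when the value is empty, so a request without Authorization is handled correctly, but if that is being relied on it belongs in the comment too. ProxyHandler starts and ends outside the hunk.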
@@ -113,7 +109,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { return } - // Check if auth is enabled authEnabled, err := h.Auth.AuthEnabled(uri, labels) if err != nil { log.Error().Err(err).Msg("Failed to check if app is allowed") @@ -129,8 +124,9 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { return } - // If auth is not enabled, return 200 if !authEnabled { + c.Header("Authorization", c.Request.Header.Get("Authorization")) + headersParsed := utils.ParseHeaders(labels.Headers) for key, value := range headersParsed { log.Debug().Str("key", key).Msg("Setting header") @@ -150,7 +146,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { return } - // Get user context userContext := h.Hooks.UseUserContext(c) // If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth @@ -159,7 +154,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { userContext.IsLoggedIn = false } - // Check if user is logged in if userContext.IsLoggedIn { log.Debug().Msg("Authenticated") @@ -200,7 +194,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { return } - // Check groups if using OAuth if userContext.OAuth { groupOk := h.Auth.OAuthGroup(c, userContext, labels) 
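Review bot: After this change the `!authEnabled` branch and the bypassed-IP branch above it have identical bodies (echo Authorization, then apply the label headers), which is the kind of duplication that drifts over time. Extract both into one helper on Handlers that sets Authorization first and then the parsed label headers, so a label-configured `Authorization` keeps overriding the client's value in both places; the ordering is the non-obvious part and the helper gives it one place to be documented. ProxyHandler starts and ends outside the hunk.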
@@ -239,19 +232,18 @@ func (h *Handlers) ProxyHandler(c *gin.Context) { } } + c.Header("Authorization", c.Request.Header.Get("Authorization")) c.Header("Remote-User", utils.SanitizeHeader(userContext.Username)) c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name)) c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email)) c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups)) - // Set the rest of the headers parsedHeaders := utils.ParseHeaders(labels.Headers) for key, value := range parsedHeaders { log.Debug().Str("key", key).Msg("Setting header") c.Header(key, value) } - // Set basic auth headers if configured if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" { log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers") c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File)))) diff --git a/internal/hooks/hooks.go b/internal/hooks/hooks.go index a442de2..c57b338 100644 --- a/internal/hooks/hooks.go +++ b/internal/hooks/hooks.go @@ -37,15 +37,15 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext { userSearch := hooks.Auth.SearchUser(basic.Username) - if userSearch.Type == "" { - log.Error().Str("username", basic.Username).Msg("User does not exist") - return types.UserContext{} + if userSearch.Type == "unkown" { + log.Warn().Str("username", basic.Username).Msg("Basic auth user does not exist, skipping") + goto session } // Verify the user if !hooks.Auth.VerifyUser(userSearch, basic.Password) { - log.Error().Str("username", basic.Username).Msg("Password incorrect") - return types.UserContext{} + log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect, skipping") + goto session } // Get the user type 
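Review bot: In the authenticated branch the client's Authorization header is now forwarded upstream unconditionally, including the case where that header carried the tinyauth user's own basic-auth credentials that UseUserContext just verified against SearchUser/VerifyUser; the upstream application then receives the tinyauth password, which it never saw before this patch. Forward the header only when tinyauth did not consume it, i.e. guard the new `c.Header("Authorization", ...)` line on the context not having come from basic auth — the TOTP check earlier in this handler already distinguishes a basic-auth login, so that signal appears to be available. When the label-configured basic auth below is set it overrides the value anyway, so the guard only matters for apps without it, which is exactly where a leaked tinyauth password is most surprising. ProxyHandler starts outside the hunk.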
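Review bot: `userSearch.Type == "unkown"` on the first added line is misspelled, so the "user does not exist" branch can never match the `"unknown"` value SearchUser now returns; a non-existent basic-auth username falls through into VerifyUser with an unknown-type search and is only rejected if VerifyUser happens to reject that type, which this patch does not show. Fix it as `if userSearch.Type == "unknown" {` (ideally via a shared constant so the three comparisons cannot diverge again). Separately, a wrong basic-auth password now warns and falls through to the session cookie instead of returning an empty context, so an invalid Authorization header is never by itself a reason to deny; if anything rate-limits or alerts on the old error path, that behaviour changes here and the commit message should say so. UseUserContext starts before and ends after this hunk.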
@@ -75,6 +75,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext { } +session: // Check cookie error after basic auth if err != nil { log.Error().Err(err).Msg("Failed to get session cookie") @@ -98,7 +99,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext { userSearch := hooks.Auth.SearchUser(cookie.Username) - if userSearch.Type == "" { + if userSearch.Type == "unknown" { log.Error().Str("username", cookie.Username).Msg("User does not exist") return types.UserContext{} }
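Review bot: The `session:` label has no comment explaining when control arrives there, and since `goto` is rare in Go a reader has to trace both jumps above to find out. Add `// session: reached on the normal path when no basic-auth header was supplied, and via goto when the supplied basic credentials did not match a known user; from here only the session cookie can authenticate the request.` The cookie `err` checked immediately after the label appears to have been obtained before the basic-auth block (its body is outside the hunk), so the jumps do not skip that check, but that is worth confirming since a skipped error check here would mean trusting an unread cookie. UseUserContext starts outside the hunk.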