fix(server): respond with 404/405 appropriately (#3087)

This adjusts the not found handler to not respond with a 404 on not found endpoints that are part of the /api or /.well-known folders, and respond with a 405 when the method isn't implemented. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-04-04 09:58:01 +10:00 · 2022-04-04 09:58:01 +10:00 · 2502d89682
parent fa143ea029
commit 2502d89682
6 changed files with 91 additions and 6 deletions
--- a/internal/handlers/response.go
+++ b/internal/handlers/response.go
@ -190,3 +190,10 @@ func respondUnauthorized(ctx *middlewares.AutheliaCtx, message string) {
 	ctx.SetStatusCode(fasthttp.StatusUnauthorized)
 	ctx.SetJSONError(message)
 }
+
+// SetStatusCodeResponse writes a response status code and an appropriate body on either a
+// *fasthttp.RequestCtx or *middlewares.AutheliaCtx.
+func SetStatusCodeResponse(ctx responseWriter, statusCode int) {
+	ctx.SetStatusCode(statusCode)
+	ctx.SetBodyString(fmt.Sprintf("%d %s", statusCode, fasthttp.StatusMessage(statusCode)))
+}
--- a/internal/handlers/types.go
+++ b/internal/handlers/types.go
@ -1,6 +1,8 @@
 package handlers

 import (
+	"io"
+
 	"github.com/authelia/authelia/v4/internal/authentication"
 )

@ -124,3 +126,12 @@ type PassworPolicyBody struct {
 	RequireNumber    bool   `json:"require_number"`
 	RequireSpecial   bool   `json:"require_special"`
 }
+
+type responseWriter interface {
+	SetStatusCode(statusCode int)
+	SetBodyString(body string)
+	SetBody(body []byte)
+	SetContentType(contentType string)
+	SetContentTypeBytes(contentType []byte)
+	SetBodyStream(bodyStream io.Reader, bodySize int)
+}
--- a/internal/server/const.go
+++ b/internal/server/const.go
@ -8,7 +8,37 @@ const (
 	logoFile       = "logo.png"
 )

-var rootFiles = []string{"favicon.ico", "manifest.json", "robots.txt"}
+var (
+	rootFiles    = []string{"favicon.ico", "manifest.json", "robots.txt"}
+	swaggerFiles = []string{
+		"favicon-16x16.png",
+		"favicon-32x32.png",
+		"index.css",
+		"oauth2-redirect.html",
+		"swagger-initializer.js",
+		"swagger-ui-bundle.js",
+		"swagger-ui-bundle.js.map",
+		"swagger-ui-es-bundle-core.js",
+		"swagger-ui-es-bundle-core.js.map",
+		"swagger-ui-es-bundle.js",
+		"swagger-ui-es-bundle.js.map",
+		"swagger-ui-standalone-preset.js",
+		"swagger-ui-standalone-preset.js.map",
+		"swagger-ui.css",
+		"swagger-ui.css.map",
+		"swagger-ui.js",
+		"swagger-ui.js.map",
+	}
+
+	// Directories excluded from the not found handler proceeding to the next() handler.
+	httpServerDirs = []struct {
+		name, prefix string
+	}{
+		{name: "/api", prefix: "/api/"},
+		{name: "/.well-known", prefix: "/.well-known/"},
+		{name: "/static", prefix: "/static/"},
+	}
+)

 const (
 	dev = "dev"
--- a/internal/server/handler_notfound.go
+++ b/internal/server/handler_notfound.go
@ -0,0 +1,25 @@
+package server
+
+import (
+	"strings"
+
+	"github.com/valyala/fasthttp"
+
+	"github.com/authelia/authelia/v4/internal/handlers"
+)
+
+func handleNotFound(next fasthttp.RequestHandler) fasthttp.RequestHandler {
+	return func(ctx *fasthttp.RequestCtx) {
+		path := strings.ToLower(string(ctx.Path()))
+
+		for i := 0; i < len(httpServerDirs); i++ {
+			if path == httpServerDirs[i].name || strings.HasPrefix(path, httpServerDirs[i].prefix) {
+				handlers.SetStatusCodeResponse(ctx, fasthttp.StatusNotFound)
+
+				return
+			}
+		}
+
+		next(ctx)
+	}
+}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -49,15 +49,18 @@ func registerRoutes(configuration schema.Configuration, providers middlewares.Pr
 	r.GET("/", autheliaMiddleware(serveIndexHandler))
 	r.OPTIONS("/", autheliaMiddleware(handleOPTIONS))

-	r.GET("/api/", autheliaMiddleware(serveSwaggerHandler))
-	r.GET("/api/"+apiFile, autheliaMiddleware(serveSwaggerAPIHandler))
-
 	for _, f := range rootFiles {
 		r.GET("/"+f, middlewares.AssetOverrideMiddleware(configuration.Server.AssetPath, embeddedFS))
 	}

+	r.GET("/api/", autheliaMiddleware(serveSwaggerHandler))
+	r.GET("/api/"+apiFile, autheliaMiddleware(serveSwaggerAPIHandler))
+
+	for _, file := range swaggerFiles {
+		r.GET("/api/"+file, embeddedFS)
+	}
+
 	r.GET("/static/{filepath:*}", middlewares.AssetOverrideMiddleware(configuration.Server.AssetPath, embeddedFS))
-	r.ANY("/api/{filepath:*}", embeddedFS)

 	r.GET("/api/health", autheliaMiddleware(handlers.HealthGet))
 	r.GET("/api/state", autheliaMiddleware(handlers.StateGet))
@ -155,7 +158,12 @@ func registerRoutes(configuration schema.Configuration, providers middlewares.Pr
 		r.GET("/debug/vars", expvarhandler.ExpvarHandler)
 	}

-	r.NotFound = autheliaMiddleware(serveIndexHandler)
+	r.NotFound = handleNotFound(autheliaMiddleware(serveIndexHandler))
+
+	r.HandleMethodNotAllowed = true
+	r.MethodNotAllowed = func(ctx *fasthttp.RequestCtx) {
+		handlers.SetStatusCodeResponse(ctx, fasthttp.StatusMethodNotAllowed)
+	}

 	handler := middlewares.LogRequestMiddleware(r.Handler)
 	if configuration.Server.Path != "" {
--- a/internal/suites/scenario_backend_protection_test.go
+++ b/internal/suites/scenario_backend_protection_test.go
@ -64,6 +64,10 @@ func (s *BackendProtectionScenario) TestInvalidEndpointsReturn404() {
 	s.AssertRequestStatusCode("POST", fmt.Sprintf("%s/api/not_existing/second", AutheliaBaseURL), 404)
 }

+func (s *BackendProtectionScenario) TestInvalidEndpointsReturn405() {
+	s.AssertRequestStatusCode("PUT", fmt.Sprintf("%s/api/configuration", AutheliaBaseURL), 405)
+}
+
 func TestRunBackendProtection(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping suite test in short mode")