From 3ba2eae20e993f56dcc14aa6ed8e6bb19bcda398 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Wed, 21 Dec 2022 18:47:20 +1100
Subject: [PATCH] fix(server): verify endpoint 405ing non-get/head reqs (#4607)
Fixes an issue specific to envoy that prevents the verify endpoint working with requests not using the GET or HEAD methods.
---
 api/openapi.yml | 234 ++++++++++++++++++++++++++++++++++++
 internal/server/handlers.go | 7 +-
 2 files changed, 236 insertions(+), 5 deletions(-)
diff --git a/api/openapi.yml b/api/openapi.yml
index f0f991d1d..33ff52d0d 100644
--- a/api/openapi.yml
+++ b/api/openapi.yml
@@ -175,6 +175,240 @@ paths:
 description: Unauthorized
 security:
 - authelia_auth: []
+ options:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
+ post:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
+ put:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
+ patch:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
+ delete:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
+ trace:
+ tags:
+ - Authentication
+ summary: Verification
+ description: >
+ The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
+ domain.
+ parameters:
+ - $ref: '#/components/parameters/originalURLParam'
+ - $ref: '#/components/parameters/forwardedMethodParam'
+ - $ref: '#/components/parameters/authParam'
+ responses:
+ "200":
+ description: Successful Operation
+ headers:
+ remote-user:
+ description: Username
+ schema:
+ type: string
+ example: john
+ remote-name:
+ description: Name
+ schema:
+ type: string
+ example: John Doe
+ remote-email:
+ description: Email
+ schema:
+ type: string
+ example: john.doe@authelia.com
+ remote-groups:
+ description: Comma separated list of Groups
+ schema:
+ type: string
+ example: admin,devs
+ "401":
+ description: Unauthorized
+ security:
+ - authelia_auth: []
 /api/firstfactor:
 post:
 tags:
diff --git a/internal/server/handlers.go b/internal/server/handlers.go
index 729eb93b3..d9b4fdbfc 100644
--- a/internal/server/handlers.go
+++ b/internal/server/handlers.go
@@ -153,11 +153,8 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
 metricsVRMW := middlewares.NewMetricsVerifyRequest(providers.Metrics)
- r.GET("/api/verify", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
- r.HEAD("/api/verify", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
-
- r.GET("/api/verify/{path:*}", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
- r.HEAD("/api/verify/{path:*}", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
+ r.ANY("/api/verify", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
+ r.ANY("/api/verify/{path:*}", middlewares.Wrap(metricsVRMW, middleware(handlers.VerifyGET(config.AuthenticationBackend))))
 r.POST("/api/checks/safe-redirection", middlewareAPI(handlers.CheckSafeRedirectionPOST))
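Review bot: Both `r.ANY` lines route every HTTP method to a handler still named `VerifyGET`, and nothing in the hunk says why; a comment such as `// Envoy sends the original request's method to the verify endpoint, so all methods must be routed here.` above them would keep a later cleanup from narrowing this back to GET/HEAD. How `VerifyGET` chooses the method it evaluates access-control rules against is not visible here; if it reads only a forwarded-method header, confirm it falls back to the request's own method so method-scoped rules are not checked against the wrong value. The diffstat lists only the spec and this file, so no test covers a non-GET request to `/api/verify`; a per-method route test would pin the fix. `handleRouter` starts and continues outside the hunk.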