add preserve_path option for cookie session to not override the path …

…in the request
ory · aeneasr · Nov 25, 2019 · Nov 14, 2019 · Nov 14, 2019 · f6a84c39c235e6464476949eb3c0255b453f8943
commit f6a84c39c235e6464476949eb3c0255b453f8943
@@ -22,6 +22,11 @@
       },
       "title": "Only Cookies",
       "description": "A list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if none of the passed cookies are set on the request."
+    },
+    "preserve_path": {
+      "title": "Preserve Path",
+      "type": "boolean",
+      "description": "When set to true, any path specified in `check_session_url` will be preserved instead of overwriting the path with the path from the original request"
     }
   },
   "required": [

@@ -215,6 +215,11 @@
           },
           "title": "Only Cookies",
           "description": "A list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if none of the passed cookies are set on the request."
+        },
+        "preserve_path": {
+          "title": "Preserve Path",
+          "type": "boolean",
+          "description": "When set to true, any path specified in `check_session_url` will be preserved instead of overwriting the path with the path from the original request"
         }
       },
       "required": [
@@ -1242,4 +1247,4 @@
   },
   "required": [],
   "additionalProperties": false
-}
+}
@@ -19,6 +19,7 @@ type AuthenticatorCookieSessionFilter struct {
 type AuthenticatorCookieSessionConfiguration struct {
 	Only            []string `json:"only"`
 	CheckSessionURL string   `json:"check_session_url"`
+	PreservePath    bool     `json:"preserve_path"`
 }
 
 type AuthenticatorCookieSession struct {
@@ -64,7 +65,8 @@ func (a *AuthenticatorCookieSession) Authenticate(r *http.Request, config json.R
 	}
 
 	origin := cf.CheckSessionURL
-	body, err := forwardRequestToSessionStore(r, origin)
+	preservePath := cf.PreservePath
+	body, err := forwardRequestToSessionStore(r, origin, preservePath)
 	if err != nil {
 		return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
 	}
@@ -96,12 +98,15 @@ func cookieSessionResponsible(r *http.Request, only []string) bool {
 	return false
 }
 
-func forwardRequestToSessionStore(r *http.Request, checkSessionURL string) (json.RawMessage, error) {
+func forwardRequestToSessionStore(r *http.Request, checkSessionURL string, preservePath bool) (json.RawMessage, error) {
 	reqUrl, err := url.Parse(checkSessionURL)
 	if err != nil {
 		return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
 	}
-	reqUrl.Path = r.URL.Path
+
+	if !preservePath {
+		reqUrl.Path = r.URL.Path
+	}
 
 	res, err := http.DefaultClient.Do(&http.Request{
 		Method: r.Method,

@@ -68,6 +68,22 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 			assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
 		})
 
+		t.Run("description=should pass through method and headers ONLY to auth server when PreservePath is true", func(t *testing.T) {
+			testServer, requestRecorder := makeServer(200, `{"subject": "123"}`)
+			session, err := pipelineAuthenticator.Authenticate(
+				makeRequest("PUT", "/users/123?query=string", map[string]string{"sessionid": "zyx"}, ""),
+				json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s", "preserve_path": true}`, testServer.URL)),
+				nil,
+			)
+			require.NoError(t, err, "%#v", errors.Cause(err))
+			assert.Len(t, requestRecorder.requests, 1)
+			r := requestRecorder.requests[0]
+			assert.Equal(t, r.Method, "PUT")
+			assert.Equal(t, r.URL.Path, "/")
+			assert.Equal(t, r.Header.Get("Cookie"), "sessionid=zyx")
+			assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
+		})
+
 		t.Run("description=does not pass request body through to auth server", func(t *testing.T) {
 			testServer, requestRecorder := makeServer(200, `{}`)
 			pipelineAuthenticator.Authenticate(