mirror of
https://github.com/goauthentik/authentik
synced 2026-04-25 17:15:26 +02:00
17ab3a4b73
Use r.URL.EscapedPath() instead of r.URL.Path when building the redirect URL in redirectToStart(). The decoded Path field converts %2F to /, which url.JoinPath then collapses via path.Clean, stripping encoded slashes from the URL. EscapedPath() preserves the original encoding, fixing 301 redirects that break apps like RabbitMQ which use %2F in their API paths.
100 lines
3.6 KiB
Go
100 lines
3.6 KiB
Go
package application
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"goauthentik.io/api/v3"
|
|
"goauthentik.io/internal/outpost/proxyv2/constants"
|
|
)
|
|
|
|
func TestRedirectToStart_Proxy(t *testing.T) {
|
|
a := newTestApplication()
|
|
a.proxyConfig.Mode = api.PROXYMODE_PROXY.Ptr()
|
|
a.proxyConfig.ExternalHost = "https://test.goauthentik.io"
|
|
req, _ := http.NewRequest("GET", "/foo/bar/baz", nil)
|
|
|
|
rr := httptest.NewRecorder()
|
|
a.redirectToStart(rr, req)
|
|
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
loc, _ := rr.Result().Location()
|
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start?rd=https%3A%2F%2Ftest.goauthentik.io%2Ffoo%2Fbar%2Fbaz", loc.String())
|
|
|
|
s, _ := a.sessions.Get(req, a.SessionName())
|
|
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
|
}
|
|
|
|
func TestRedirectToStart_Proxy_EncodedSlash(t *testing.T) {
|
|
a := newTestApplication()
|
|
a.proxyConfig.Mode = api.PROXYMODE_PROXY.Ptr()
|
|
a.proxyConfig.ExternalHost = "https://test.goauthentik.io"
|
|
// %2F is a URL-encoded forward slash, used by apps like RabbitMQ in queue paths
|
|
req, _ := http.NewRequest("GET", "/api/queues/%2F/MYChannelCreated", nil)
|
|
|
|
rr := httptest.NewRecorder()
|
|
a.redirectToStart(rr, req)
|
|
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
loc, _ := rr.Result().Location()
|
|
assert.Contains(t, loc.String(), "%252F", "encoded slash %2F must be preserved in redirect URL")
|
|
|
|
s, _ := a.sessions.Get(req, a.SessionName())
|
|
assert.Contains(t, s.Values[constants.SessionRedirect].(string), "%2F", "encoded slash %2F must be preserved in session redirect")
|
|
}
|
|
|
|
func TestRedirectToStart_Forward(t *testing.T) {
|
|
a := newTestApplication()
|
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_SINGLE.Ptr()
|
|
a.proxyConfig.ExternalHost = "https://test.goauthentik.io"
|
|
req, _ := http.NewRequest("GET", "/foo/bar/baz", nil)
|
|
|
|
rr := httptest.NewRecorder()
|
|
a.redirectToStart(rr, req)
|
|
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
loc, _ := rr.Result().Location()
|
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start?rd=https%3A%2F%2Ftest.goauthentik.io%2Ffoo%2Fbar%2Fbaz", loc.String())
|
|
|
|
s, _ := a.sessions.Get(req, a.SessionName())
|
|
assert.Equal(t, "https://test.goauthentik.io/foo/bar/baz", s.Values[constants.SessionRedirect])
|
|
}
|
|
|
|
func TestRedirectToStart_Forward_Domain_Invalid(t *testing.T) {
|
|
a := newTestApplication()
|
|
a.proxyConfig.CookieDomain = new("foo")
|
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
|
a.proxyConfig.ExternalHost = "https://test.goauthentik.io"
|
|
req, _ := http.NewRequest("GET", "/foo/bar/baz", nil)
|
|
|
|
rr := httptest.NewRecorder()
|
|
a.redirectToStart(rr, req)
|
|
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
loc, _ := rr.Result().Location()
|
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start?rd=https%3A%2F%2Ftest.goauthentik.io", loc.String())
|
|
|
|
s, _ := a.sessions.Get(req, a.SessionName())
|
|
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
|
}
|
|
|
|
func TestRedirectToStart_Forward_Domain(t *testing.T) {
|
|
a := newTestApplication()
|
|
a.proxyConfig.CookieDomain = new("goauthentik.io")
|
|
a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()
|
|
a.proxyConfig.ExternalHost = "https://test.goauthentik.io"
|
|
req, _ := http.NewRequest("GET", "/foo/bar/baz", nil)
|
|
|
|
rr := httptest.NewRecorder()
|
|
a.redirectToStart(rr, req)
|
|
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
loc, _ := rr.Result().Location()
|
|
assert.Equal(t, "https://test.goauthentik.io/outpost.goauthentik.io/start?rd=https%3A%2F%2Ftest.goauthentik.io", loc.String())
|
|
|
|
s, _ := a.sessions.Get(req, a.SessionName())
|
|
assert.Equal(t, "https://test.goauthentik.io", s.Values[constants.SessionRedirect])
|
|
}
|