feat: support HTTP redirect for forward authentication middleware in Traefik (#368)

* feat: support HTTP redirect for forward authentication middleware in Traefik * fix(docs): fix my terrible merge Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * chore: fix typo in docs Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * fix(ci): add forwardauth Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> * chore: improve doc, target must be a space * chore: changelog * fix: validate X-Forwarded headers and check redirect domain * chore: refactor error handling * fix(doc): cookie traefik * fix: tests merge * Update docs/docs/admin/environments/traefik.mdx Co-authored-by: Henri Vasserman <henv@hot.ee> Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Jason Cameron <git@jasoncameron.dev> Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com> Signed-off-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Jason Cameron <git@jasoncameron.dev> Co-authored-by: Jason Cameron <jasoncameron.all@gmail.com> Co-authored-by: Xe Iaso <me@xeiaso.net> Co-authored-by: Henri Vasserman <henv@hot.ee>
2025-08-13 02:59:45 +02:00 · 2025-08-13 02:59:45 +02:00 · a8b7b2ad7b
commit a8b7b2ad7b
parent 87651f9506
9 changed files with 128 additions and 87 deletions
--- a/lib/config.go
+++ b/lib/config.go
@ -44,6 +44,7 @@ type Options struct {
 	ServeRobotsTXT      bool
 	CookieSecure        bool
 	Logger              *slog.Logger
+	PublicUrl           string
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
--- a/lib/http.go
+++ b/lib/http.go
@ -1,9 +1,11 @@
 package lib

 import (
+	"errors"
 	"fmt"
 	"math/rand"
 	"net/http"
+	"net/url"
 	"regexp"
 	"slices"
 	"strings"
@ -115,8 +117,17 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	localizer := localization.GetLocalizer(r)

 	if returnHTTPStatusOnly {
-		w.WriteHeader(http.StatusUnauthorized)
-		w.Write([]byte(localizer.T("authorization_required")))
+		if s.opts.PublicUrl == "" {
+			w.WriteHeader(http.StatusUnauthorized)
+			w.Write([]byte(localizer.T("authorization_required")))
+		} else {
+			redirectURL, err := s.constructRedirectURL(r)
+			if err != nil {
+				s.respondWithStatus(w, r, err.Error(), http.StatusBadRequest)
+				return
+			}
+			http.Redirect(w, r, redirectURL, http.StatusTemporaryRedirect)
+		}
 		return
 	}

@ -196,6 +207,24 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	handler.ServeHTTP(w, r)
 }

+func (s *Server) constructRedirectURL(r *http.Request) (string, error) {
+	proto := r.Header.Get("X-Forwarded-Proto")
+	host := r.Header.Get("X-Forwarded-Host")
+	uri := r.Header.Get("X-Forwarded-Uri")
+
+	if proto == "" || host == "" || uri == "" {
+		return "", errors.New("missing required X-Forwarded-* headers")
+	}
+	// Check if host is allowed in RedirectDomains
+	if len(s.opts.RedirectDomains) > 0 && !slices.Contains(s.opts.RedirectDomains, host) {
+		return "", errors.New("redirect domain not allowed")
+	}
+
+	redir := proto + "://" + host + uri
+	escapedURL := url.QueryEscape(redir)
+	return fmt.Sprintf("%s/.within.website/?redir=%s", s.opts.PublicUrl, escapedURL), nil
+}
+
 func (s *Server) RenderBench(w http.ResponseWriter, r *http.Request) {
 	localizer := localization.GetLocalizer(r)

@ -255,7 +284,12 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 			return
 		}

-		if (len(urlParsed.Host) > 0 && len(s.opts.RedirectDomains) != 0 && !slices.Contains(s.opts.RedirectDomains, urlParsed.Host)) || urlParsed.Host != r.URL.Host {
+		hostNotAllowed := len(urlParsed.Host) > 0 &&
+			len(s.opts.RedirectDomains) != 0 &&
+			!slices.Contains(s.opts.RedirectDomains, urlParsed.Host)
+		hostMismatch := r.URL.Host != "" && urlParsed.Host != r.URL.Host
+
+		if hostNotAllowed || hostMismatch {
 			s.respondWithStatus(w, r, localizer.T("redirect_domain_not_allowed"), http.StatusBadRequest)
 			return
 		}
--- a/lib/http_test.go
+++ b/lib/http_test.go
@ -1,10 +1,13 @@
 package lib

 import (
+	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"

 	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/lib/policy"
 )

 func TestSetCookie(t *testing.T) {
@ -129,3 +132,62 @@ func TestClearCookieWithDynamicDomain(t *testing.T) {
 		t.Errorf("wanted cookie max age of -1, got: %d", ckie.MaxAge)
 	}
 }
+
+func TestRenderIndexRedirect(t *testing.T) {
+	s := &Server{
+		opts: Options{
+			PublicUrl: "https://anubis.example.com",
+		},
+	}
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/foo")
+
+	rr := httptest.NewRecorder()
+	s.RenderIndex(rr, req, policy.CheckResult{}, nil, true)
+
+	if rr.Code != http.StatusTemporaryRedirect {
+		t.Errorf("expected status %d, got %d", http.StatusTemporaryRedirect, rr.Code)
+	}
+	location := rr.Header().Get("Location")
+	parsedURL, err := url.Parse(location)
+	if err != nil {
+		t.Fatalf("failed to parse location URL %q: %v", location, err)
+	}
+
+	scheme := "https"
+	if parsedURL.Scheme != scheme {
+		t.Errorf("expected scheme to be %q, got %q", scheme, parsedURL.Scheme)
+	}
+
+	host := "anubis.example.com"
+	if parsedURL.Host != host {
+		t.Errorf("expected url to be %q, got %q", host, parsedURL.Host)
+	}
+
+	redir := parsedURL.Query().Get("redir")
+	expectedRedir := "https://example.com/foo"
+	if redir != expectedRedir {
+		t.Errorf("expected redir param to be %q, got %q", expectedRedir, redir)
+	}
+}
+
+func TestRenderIndexUnauthorized(t *testing.T) {
+	s := &Server{
+		opts: Options{
+			PublicUrl: "",
+		},
+	}
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	s.RenderIndex(rr, req, policy.CheckResult{}, nil, true)
+
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected status %d, got %d", http.StatusUnauthorized, rr.Code)
+	}
+	if body := rr.Body.String(); body != "Authorization required" {
+		t.Errorf("expected body %q, got %q", "Authorization required", body)
+	}
+}