Drop fallback to email when user is empty (#537)

Joel Speed 2020-05-12 16:04:51 +01:00 committed by GitHub
parent 7cf685140b
commit 4e3dd09cf2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 18 additions and 9 deletions


@ -25,9 +25,17 @@
- [#535](https://github.com/oauth2-proxy/oauth2-proxy/pull/535) Drop support for pre v3.1 cookies
- The encoding for session cookies was changed starting in v3.1.0, support for the previous encoding is now dropped
- If you are upgrading from a version earlier than this, please upgrade via a version between v3.1.0 and v5.1.1
- [#537](https://github.com/oauth2-proxy/oauth2-proxy/pull/537) Drop Fallback to Email if User not set
- Previously, when a session was loaded, if the User was not set, it would be replaced by the Email.
This behaviour was inconsistent as it required the session to be stored and then loaded to function properly.
- This behaviour has now been removed and the User field will remain empty if it was not set when the session was saved.
- In some scenarios `X-Forwarded-User` will now be empty. Use `X-Forwarded-Email` instead.
- In some scenarios, this may break setting Basic Auth on upstream or responses.
Use `--prefer-email-to-user` to restore falling back to the Email in these cases.
## Changes since v5.1.1
- [#537](https://github.com/oauth2-proxy/oauth2-proxy/pull/537) Drop Fallback to Email if User not set (@JoelSpeed)
- [#535](https://github.com/oauth2-proxy/oauth2-proxy/pull/535) Drop support for pre v3.1 cookies (@JoelSpeed)
- [#533](https://github.com/oauth2-proxy/oauth2-proxy/pull/487) Set up code coverage within Travis for Code Climate (@JoelSpeed)
- [#514](https://github.com/oauth2-proxy/oauth2-proxy/pull/514) Add basic string functions to templates


@ -1048,10 +1048,14 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
}
}
if p.SetBasicAuth {
if session.User != "" {
switch {
case p.PreferEmailToUser && session.Email != "":
authVal := b64.StdEncoding.EncodeToString([]byte(session.Email + ":" + p.BasicAuthPassword))
rw.Header().Set("Authorization", "Basic "+authVal)
case session.User != "":
authVal := b64.StdEncoding.EncodeToString([]byte(session.User + ":" + p.BasicAuthPassword))
rw.Header().Set("Authorization", "Basic "+authVal)
} else {
default:
rw.Header().Del("Authorization")
}
}
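Review bot: The two `case` arms of the new `switch` repeat the same encode-and-set sequence and differ only in which identity string is used, so a local closure would keep the header construction in one place: `setAuth := func(id string) { rw.Header().Set("Authorization", "Basic "+b64.StdEncoding.EncodeToString([]byte(id+":"+p.BasicAuthPassword))) }` followed by `case p.PreferEmailToUser && session.Email != "": setAuth(session.Email)` and `case session.User != "": setAuth(session.User)`. A one-line comment above the `switch` such as `// Prefer the email as the Basic Auth identity when configured, otherwise fall back to User; clear any stale header when neither is available.` would record that the fall-through from an empty Email to User is intentional, since that ordering is the observable contract the changelog entry describes. `p.PreferEmailToUser` is not introduced in this diff, so presumably it already exists on `OAuthProxy`. The enclosing `addHeadersForProxying` begins before the hunk.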


@ -956,7 +956,7 @@ func TestLoadCookiedSession(t *testing.T) {
session, err := pcTest.LoadCookiedSession()
assert.Equal(t, nil, err)
assert.Equal(t, startSession.Email, session.Email)
assert.Equal(t, "john.doe@example.com", session.User)
assert.Equal(t, "", session.User)
assert.Equal(t, startSession.AccessToken, session.AccessToken)
}


@ -193,8 +193,5 @@ func DecodeSessionState(v string, c *encryption.Cipher) (*SessionState, error) {
}
}
}
if ss.User == "" {
ss.User = ss.Email
}
return ss, nil
}


@ -33,7 +33,7 @@ func TestSessionStateSerialization(t *testing.T) {
ss, err := sessions.DecodeSessionState(encoded, c)
t.Logf("%#v", ss)
assert.Equal(t, nil, err)
assert.Equal(t, "user@domain.com", ss.User)
assert.Equal(t, "", ss.User)
assert.Equal(t, s.Email, ss.Email)
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
assert.Equal(t, s.AccessToken, ss.AccessToken)
@ -112,7 +112,7 @@ func TestSessionStateSerializationNoCipher(t *testing.T) {
// only email should have been serialized
ss, err := sessions.DecodeSessionState(encoded, nil)
assert.Equal(t, nil, err)
assert.Equal(t, "user@domain.com", ss.User)
assert.Equal(t, "", ss.User)
assert.Equal(t, s.Email, ss.Email)
assert.Equal(t, s.PreferredUsername, ss.PreferredUsername)
assert.Equal(t, "", ss.AccessToken)
@ -226,7 +226,7 @@ func TestDecodeSessionState(t *testing.T) {
{
SessionState: sessions.SessionState{
Email: "user@domain.com",
User: "user@domain.com",
User: "",
},
Encoded: `{"Email":"user@domain.com"}`,
},