Merge pull request #34076 from mbohlool/c

Automatic merge from submit-queue Remove headers that are unnecessary for proxy target Some headers like authorization is unnecessary to pass to the proxy target. We should start removing these headers in proxy requests.
2025-07-23 19:56:01 +00:00 · 2016-10-06 15:19:38 -07:00 · 2016-10-06 15:19:38 -07:00 · c1d2b61d79
commit c1d2b61d79
parent 808ed6bfd0 7e80ab2401
2 changed files with 13 additions and 3 deletions
--- a/pkg/auth/handlers/handlers.go
+++ b/pkg/auth/handlers/handlers.go
@ -43,7 +43,8 @@ func init() {

 // WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then
 // stores any such user found onto the provided context for the request. If authentication fails or returns an error
-// the failed handler is used. On success, handler is invoked to serve the request.
+// the failed handler is used. On success, "Authorization" header is removed from the request and handler
+// is invoked to serve the request.
 func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler) http.Handler {
 	if auth == nil {
 		glog.Warningf("Authentication is disabled")
@ -60,6 +61,9 @@ func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, a
 				return
 			}

+			// authorization header is not required anymore in case of a successful authentication.
+			req.Header.Del("Authorization")
+
 			if ctx, ok := mapper.Get(req); ok {
 				mapper.Update(req, api.WithUser(ctx, user))
 			}
--- a/pkg/auth/handlers/handlers_test.go
+++ b/pkg/auth/handlers/handlers_test.go
@ -40,18 +40,24 @@ func TestAuthenticateRequest(t *testing.T) {
 			if user == nil || !ok {
 				t.Errorf("no user stored in context: %#v", ctx)
 			}
+			if req.Header.Get("Authorization") != "" {
+				t.Errorf("Authorization header should be removed from request on success: %#v", req)
+			}
 			close(success)
 		}),
 		contextMapper,
 		authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
-			return &user.DefaultInfo{Name: "user"}, true, nil
+			if req.Header.Get("Authorization") == "Something" {
+				return &user.DefaultInfo{Name: "user"}, true, nil
+			}
+			return nil, false, errors.New("Authorization header is missing.")
 		}),
 		http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 			t.Errorf("unexpected call to failed")
 		}),
 	)

-	auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
+	auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})

 	<-success
 	empty, err := api.IsEmpty(contextMapper)