From 7e80ab2401e4a7f66449e83ff9bb2332cd004cc0 Mon Sep 17 00:00:00 2001
From: mbohlool
Date: Thu, 6 Oct 2016 10:17:01 -0700
Subject: [PATCH] Remove unnecessary authorization headers after authorization is successful
---
 pkg/auth/handlers/handlers.go | 6 +++++-
 pkg/auth/handlers/handlers_test.go | 10 ++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/pkg/auth/handlers/handlers.go b/pkg/auth/handlers/handlers.go
index 215032ff12d..791df294344 100644
--- a/pkg/auth/handlers/handlers.go
+++ b/pkg/auth/handlers/handlers.go
@@ -43,7 +43,8 @@ func init() {
 // WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then
 // stores any such user found onto the provided context for the request. If authentication fails or returns an error
-// the failed handler is used. On success, handler is invoked to serve the request.
+// the failed handler is used. On success, "Authorization" header is removed from the request and handler
+// is invoked to serve the request.
 func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler) http.Handler {
 if auth == nil {
 glog.Warningf("Authentication is disabled")
@@ -60,6 +61,9 @@ func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, a
 return
 }
+ // authorization header is not required anymore in case of a successful authentication.
+ req.Header.Del("Authorization")
+
 if ctx, ok := mapper.Get(req); ok {
 mapper.Update(req, api.WithUser(ctx, user))
 }
diff --git a/pkg/auth/handlers/handlers_test.go b/pkg/auth/handlers/handlers_test.go
index 141f41fcc2c..0c616ce1247 100644
--- a/pkg/auth/handlers/handlers_test.go
+++ b/pkg/auth/handlers/handlers_test.go
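Review bot: `req.Header.Del("Authorization")` is reached only after the success check, so the client's credentials are still passed through when `auth == nil` (that branch's return is outside the hunk, but the visible `glog.Warningf("Authentication is disabled")` suggests the handler is returned unchanged there) and are left on the request handed to `failed` by the `return` just above the added lines; if the intent is that nothing behind this handler ever sees a bearer token or basic-auth secret, the disabled-auth case should be stated in the doc comment or handled the same way. The strip is hard-coded to the single `Authorization` header, so any credential the configured `authenticator.Request` reads from another location would still be forwarded — worth a sentence so the next reader knows the scope. I would make the added comment say why rather than restate the code, e.g. `// Strip the client's credentials on success so handlers further down the chain do not see or forward them.` The doc-comment hunk above would read better as `the "Authorization" header is removed from the request`. WithAuthentication's body continues outside the hunk.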
@@ -40,18 +40,24 @@ func TestAuthenticateRequest(t *testing.T) {
 if user == nil || !ok {
 t.Errorf("no user stored in context: %#v", ctx)
 }
+ if req.Header.Get("Authorization") != "" {
+ t.Errorf("Authorization header should be removed from request on success: %#v", req)
+ }
 close(success)
 }),
 contextMapper,
 authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
- return &user.DefaultInfo{Name: "user"}, true, nil
+ if req.Header.Get("Authorization") == "Something" {
+ return &user.DefaultInfo{Name: "user"}, true, nil
+ }
+ return nil, false, errors.New("Authorization header is missing.")
 }),
 http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 t.Errorf("unexpected call to failed")
 }),
 )
- auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
+ auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})
 <-success
 empty, err := api.IsEmpty(contextMapper)