
Commit 7354569

authored
Merge pull request #3942 from skoeva/auth3-fix
backend: auth: Improve ParseClusterAndToken function
2 parents bb8bd91 + 5183f7a commit 7354569

2 files changed

+27
-1
lines changed


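--- a/backend/pkg/auth/auth.go
+++ b/backend/pkg/auth/auth.go
@@ -61,7 +61,8 @@ var clusterPathRegex = regexp.MustCompile(`^/clusters/([^/]+)/.*`)
 var bearerTokenRegex = regexp.MustCompile(`^[\x21-\x7E]+$`)
 
 // ParseClusterAndToken extracts the cluster name from the URL path and
-// the Bearer token from the Authorization header of the HTTP request.
+// the Bearer token from the Authorization header of the HTTP request, falling
+// back to the cluster cookie when the header is missing.
 func ParseClusterAndToken(r *http.Request) (string, string) {
 cluster := ""
 
@@ -70,6 +71,7 @@ func ParseClusterAndToken(r *http.Request) (string, string) {
 cluster = matches[1]
 }
 
+// Try Authorization header first (for backward compatibility)
 token := strings.TrimSpace(r.Header.Get("Authorization"))
 if strings.Contains(token, ",") {
 return cluster, ""
@@ -80,6 +82,13 @@ func ParseClusterAndToken(r *http.Request) (string, string) {
 token = strings.TrimSpace(token[len(bearerPrefix):])
 }
 
+// If no auth header, try cookie
+if token == "" && cluster != "" {
+if cookieToken, err := GetTokenFromCookie(r, cluster); err == nil && cookieToken != "" {
+token = cookieToken
+}
+}
+
 if token != "" && !bearerTokenRegex.MatchString(token) {
 return cluster, ""
 }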
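Review bot: The cookie fallback at new lines 85-90 lets ParseClusterAndToken accept an ambient credential that the browser attaches to every matching request on its own, whereas the Bearer header it stands in for is only ever sent by explicit client code; unless the handlers consuming this token already check request origin or the cookie is issued with a restrictive SameSite attribute, a cross-site request to a `/clusters/<name>/...` path now arrives with a usable token — cookie issuance is outside this hunk, so this is a point to confirm rather than a visible defect. The `err` from `GetTokenFromCookie` is dropped silently, which is acceptable for a best-effort fallback but makes a malformed or partially present cookie indistinguishable from a missing one when debugging an auth failure. The comment `// If no auth header, try cookie` is narrower than the condition it describes, since `token == ""` also holds for a present-but-empty `Bearer ` header; `// No usable token in the Authorization header: fall back to the per-cluster cookie` would match the code. The body of ParseClusterAndToken continues outside the hunk.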

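--- a/backend/pkg/auth/auth_test.go
+++ b/backend/pkg/auth/auth_test.go
@@ -104,6 +104,7 @@ var parseClusterAndTokenTests = []struct {
 authHeader string
 wantCluster string
 wantToken string
+cookies []*http.Cookie
 }{
 {
 name: "standard case",
@@ -154,6 +155,18 @@ var parseClusterAndTokenTests = []struct {
 wantCluster: "",
 wantToken: "some-token",
 },
+{
+name: "cookie fallback when header missing",
+url: "/clusters/cookie-cluster/api",
+wantCluster: "cookie-cluster",
+wantToken: "cookie-token",
+cookies: []*http.Cookie{
+{
+Name: "headlamp-auth-cookie-cluster.0",
+Value: "cookie-token",
+},
+},
+},
 }
 
 func TestParseClusterAndToken(t *testing.T) {
@@ -168,6 +181,10 @@ func TestParseClusterAndToken(t *testing.T) {
 req.Header.Set("Authorization", tt.authHeader)
 }
 
+for _, cookie := range tt.cookies {
+req.AddCookie(cookie)
+}
+
 cluster, token := auth.ParseClusterAndToken(req)
 if cluster != tt.wantCluster {
 t.Errorf("ParseClusterAndToken() got cluster %q, want %q", cluster, tt.wantCluster)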
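Review bot: The new table entry at new lines 158-169 exercises the cookie fallback only in isolation; the two precedence rules the production change introduces — the Authorization header wins when both are present, and the cookie is ignored when the path carries no cluster — have no coverage, so a regression in either would pass this suite. Two further entries in `parseClusterAndTokenTests` would pin them, reusing the `url`, `authHeader` and `cookies` fields and the cookie name pattern the existing case already uses. The `for _, cookie := range tt.cookies` loop at new lines 184-186 needs no change. TestParseClusterAndToken's body continues outside the hunk.

```go
{
	name:        "header wins over cookie",
	url:         "/clusters/cookie-cluster/api",
	authHeader:  "Bearer header-token",
	wantCluster: "cookie-cluster",
	wantToken:   "header-token",
	cookies: []*http.Cookie{
		{Name: "headlamp-auth-cookie-cluster.0", Value: "cookie-token"},
	},
},
{
	name:        "cookie ignored when path has no cluster",
	url:         "/api",
	wantCluster: "",
	wantToken:   "",
	cookies: []*http.Cookie{
		{Name: "headlamp-auth-cookie-cluster.0", Value: "cookie-token"},
	},
},
```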
