205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00
Code Issues Packages Projects Releases Wiki Activity

outpost/proxyv2: fix stale session cookie causing 400 error in createState (#19026)

Browse Source
This commit is contained in:
Dominic R
2026-01-13 10:52:42 -05:00
committed by GitHub
parent a479c79b34
commit 3873f43ea3
2 changed files with 45 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/outpost/proxyv2/application/oauth_state.go
+9 -1
View File
@@ -71,7 +71,15 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
func (a *Application) createState(r *http.Request, w http.ResponseWriter, fwd string) (string, error) {
s, err := a.sessions.Get(r, a.SessionName())
if err != nil {
return "", fmt.Errorf("failed to get session: %w", err)
// Session file may not exist (e.g., after outpost restart or logout)
// Delete the stale session cookie and continue with the new empty session
a.log.WithError(err).Debug("failed to get session, clearing stale cookie")
s.Options.MaxAge = -1
if saveErr := s.Save(r, w); saveErr != nil {
a.log.WithError(saveErr).Warning("failed to delete stale session cookie")
}
// Get a fresh session after clearing the stale cookie
s, _ = a.sessions.Get(r, a.SessionName())
}
if s.ID == "" {
// Ensure session has an ID
internal/outpost/proxyv2/application/session_test.go
+36
View File
@@ -154,3 +154,39 @@ func TestStateFromRequestDeletesStaleCookie(t *testing.T) {
}
assert.True(t, foundDeleteCookie, "Expected stale session cookie to be deleted")
}
func TestCreateStateWithStaleCookie(t *testing.T) {
a := newTestApplication()
_ = a.configureProxy()
// Create a request with a stale session cookie (simulates outpost restart or user change)
req, _ := http.NewRequest("GET", "https://ext.t.goauthentik.io/outpost.goauthentik.io/start", nil)
// Add a cookie for a non-existent session
nonExistentSessionID := uuid.New().String()
req.AddCookie(&http.Cookie{
Name: a.SessionName(),
Value: "encoded_session_data_" + nonExistentSessionID,
Path: "/",
})
rr := httptest.NewRecorder()
// Call createState which should succeed despite the stale cookie
state, err := a.createState(req, rr, "/redirect")
// Verify createState succeeded
assert.NoError(t, err)
assert.NotEmpty(t, state)
// Verify the response includes a Set-Cookie header to delete the stale cookie
cookies := rr.Result().Cookies()
var foundDeleteCookie bool
for _, cookie := range cookies {
if cookie.Name == a.SessionName() && cookie.MaxAge < 0 {
foundDeleteCookie = true
break
}
}
assert.True(t, foundDeleteCookie, "Expected stale session cookie to be deleted")
}