Apparently browsers do not always set origin

code-asher · code-asher · commit d854f4dcb445 · 2024-02-13T13:22:38.000-09:00
The referer check was not quite right either.
diff --git a/enterprise/coderd/identityprovider/middleware.go b/enterprise/coderd/identityprovider/middleware.go
@@ -12,17 +12,16 @@ import (
 
 // authorizeMW serves to remove some code from the primary authorize handler.
 // It decides when to show the html allow page, and when to just continue.
+// TODO: For now only browser-based auth flow is officially supported but in a
+// future PR we should support a cURL-based flow.
 func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			origin := r.Header.Get(httpmw.OriginHeader)
-			// TODO: The origin can be blank from some clients, like cURL.  For now
-			// only browser-based auth flow is officially supported but in a future PR
-			// we should support a cURL-based and blank origin flows.
 			originU, err := url.Parse(origin)
-			if err != nil || origin == "" {
+			if err != nil {
 				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
-					Message: "Invalid or missing origin header.",
+					Message: "Invalid origin header.",
 					Detail:  err.Error(),
 				})
 				return
@@ -32,7 +31,7 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
 			refererU, err := url.Parse(referer)
 			if err != nil {
 				httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
-					Message: "Invalid or missing referer header.",
+					Message: "Invalid referer header.",
 					Detail:  err.Error(),
 				})
 				return
@@ -41,80 +40,90 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler {
 			app := httpmw.OAuth2ProviderApp(r)
 			ua := httpmw.UserAuthorization(r)
 
-			// If the request comes from outside, then we show the html allow page.
-			// TODO: Skip this step if the user has already clicked allow before, and
-			// we can just reuse the token.
-			if originU.Hostname() != accessURL.Hostname() && refererU.Path != "/login/oauth2/authorize" {
-				if r.URL.Query().Get("redirected") != "" {
-					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
-						Status:       http.StatusInternalServerError,
-						HideStatus:   false,
-						Title:        "Oauth Redirect Loop",
-						Description:  "Oauth redirect loop detected.",
-						RetryEnabled: false,
-						DashboardURL: accessURL.String(),
-						Warnings:     nil,
-					})
-					return
-				}
+			// url.Parse() allows empty URLs, which is fine because the origin is not
+			// always set by browsers (or other tools like cURL).  If the origin does
+			// exist, we will make sure it matches.  We require `referer` to be set at
+			// a minimum, however.
+			cameFromSelf := (origin == "" || originU.Hostname() == accessURL.Hostname()) &&
+				refererU.Hostname() == accessURL.Hostname() &&
+				refererU.Path == "/login/oauth2/authorize"
 
-				callbackURL, err := url.Parse(app.CallbackURL)
-				if err != nil {
-					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
-						Status:       http.StatusInternalServerError,
-						HideStatus:   false,
-						Title:        "Internal Server Error",
-						Description:  err.Error(),
-						RetryEnabled: false,
-						DashboardURL: accessURL.String(),
-						Warnings:     nil,
-					})
-					return
-				}
+			// If we were redirected here from this same page it means the user
+			// pressed the allow button so defer to the authorize handler which
+			// generates the code, otherwise show the HTML allow page.
+			// TODO: Skip this step if the user has already clicked allow before, and
+			//       we can just reuse the token.
+			if cameFromSelf {
+				next.ServeHTTP(rw, r)
+				return
+			}
 
-				// Extract the form parameters for two reasons:
-				// 1. We need the redirect URI to build the cancel URI.
-				// 2. Since validation will run once the user clicks "allow", it is
-				//    better to validate now to avoid wasting the user's time clicking a
-				//    button that will just error anyway.
-				params, validationErrs, err := extractAuthorizeParams(r, callbackURL)
-				if err != nil {
-					errStr := make([]string, len(validationErrs))
-					for i, err := range validationErrs {
-						errStr[i] = err.Detail
-					}
-					site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
-						Status:       http.StatusBadRequest,
-						HideStatus:   false,
-						Title:        "Invalid Query Parameters",
-						Description:  "One or more query parameters are missing or invalid.",
-						RetryEnabled: false,
-						DashboardURL: accessURL.String(),
-						Warnings:     errStr,
-					})
-					return
-				}
+			if r.URL.Query().Get("redirected") != "" {
+				site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+					Status:       http.StatusInternalServerError,
+					HideStatus:   false,
+					Title:        "Oauth Redirect Loop",
+					Description:  "Oauth redirect loop detected.",
+					RetryEnabled: false,
+					DashboardURL: accessURL.String(),
+					Warnings:     nil,
+				})
+				return
+			}
 
-				cancel := params.redirectURL
-				cancelQuery := params.redirectURL.Query()
-				cancelQuery.Add("error", "access_denied")
-				cancel.RawQuery = cancelQuery.Encode()
+			callbackURL, err := url.Parse(app.CallbackURL)
+			if err != nil {
+				site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+					Status:       http.StatusInternalServerError,
+					HideStatus:   false,
+					Title:        "Internal Server Error",
+					Description:  err.Error(),
+					RetryEnabled: false,
+					DashboardURL: accessURL.String(),
+					Warnings:     nil,
+				})
+				return
+			}
 
-				redirect := r.URL
-				vals := redirect.Query()
-				vals.Add("redirected", "true")
-				r.URL.RawQuery = vals.Encode()
-				site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
-					AppIcon:     app.Icon,
-					AppName:     app.Name,
-					CancelURI:   cancel.String(),
-					RedirectURI: r.URL.String(),
-					Username:    ua.ActorName,
+			// Extract the form parameters for two reasons:
+			// 1. We need the redirect URI to build the cancel URI.
+			// 2. Since validation will run once the user clicks "allow", it is
+			//    better to validate now to avoid wasting the user's time clicking a
+			//    button that will just error anyway.
+			params, validationErrs, err := extractAuthorizeParams(r, callbackURL)
+			if err != nil {
+				errStr := make([]string, len(validationErrs))
+				for i, err := range validationErrs {
+					errStr[i] = err.Detail
+				}
+				site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+					Status:       http.StatusBadRequest,
+					HideStatus:   false,
+					Title:        "Invalid Query Parameters",
+					Description:  "One or more query parameters are missing or invalid.",
+					RetryEnabled: false,
+					DashboardURL: accessURL.String(),
+					Warnings:     errStr,
 				})
 				return
 			}
 
-			next.ServeHTTP(rw, r)
+			cancel := params.redirectURL
+			cancelQuery := params.redirectURL.Query()
+			cancelQuery.Add("error", "access_denied")
+			cancel.RawQuery = cancelQuery.Encode()
+
+			redirect := r.URL
+			vals := redirect.Query()
+			vals.Add("redirected", "true") // For loop detection.
+			r.URL.RawQuery = vals.Encode()
+			site.RenderOAuthAllowPage(rw, r, site.RenderOAuthAllowData{
+				AppIcon:     app.Icon,
+				AppName:     app.Name,
+				CancelURI:   cancel.String(),
+				RedirectURI: r.URL.String(),
+				Username:    ua.ActorName,
+			})
 		})
 	}
 }
diff --git a/enterprise/coderd/oauth2_test.go b/enterprise/coderd/oauth2_test.go
@@ -19,7 +19,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/userpassword"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
@@ -1131,13 +1130,10 @@ func authorizationFlow(ctx context.Context, client *codersdk.Client, cfg *oauth2
 				return http.ErrUseLastResponse
 			}
 			return client.Request(ctx, req.Method, req.URL.String(), nil, func(req *http.Request) {
-				// Set some headers so the request bypasses the HTML page (normally you
+				// Set the referer so the request bypasses the HTML page (normally you
 				// have to click "allow" first, and the way we detect that is using the
-				// origin and referer headers).
-				// Normally origin does not include the path, but it is not relevant to
-				// the check we make.
-				req.Header.Set(httpmw.OriginHeader, client.URL.String())
-				req.Header.Set("Referer", client.URL.String())
+				// referer header).
+				req.Header.Set("Referer", req.URL.String())
 			})
 		},
 	)
