feat: also support x-fwd-scheme (#172)

adobe · Oct 27, 2022 · 845a5a0 · 845a5a0
1 parent 80e9f7b
commit 845a5a0
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 9 deletions.
diff --git a/src/utils/auth-cookie.js b/src/utils/auth-cookie.js
@@ -11,21 +11,21 @@
  */
 import { parse, serialize } from 'cookie';
 
-export function clearAuthCookie() {
+export function clearAuthCookie(secure) {
   return serialize('hlx-auth-token', '', {
     path: '/',
     httpOnly: true,
-    secure: true,
+    secure,
     expires: new Date(0),
     sameSite: 'lax',
   });
 }
 
-export function setAuthCookie(idToken) {
+export function setAuthCookie(idToken, secure) {
   return serialize('hlx-auth-token', idToken, {
     path: '/',
     httpOnly: true,
-    secure: true,
+    secure,
     sameSite: 'lax',
   });
 }

diff --git a/src/utils/auth.js b/src/utils/auth.js
@@ -91,7 +91,8 @@ function getRequestHostAndProto(state, req) {
   if (!host) {
     host = state.config.host;
   }
-  const proto = req.headers.get('x-forwarded-proto') || 'https';
+  // fastly overrides the x-forwarded-proto, so we use x-forwarded-scheme
+  const proto = req.headers.get('x-forwarded-scheme') || req.headers.get('x-forwarded-proto') || 'https';
   state.log.info(`request host is: ${host} (${proto})`);
   return {
     host,
@@ -218,7 +219,7 @@ export class AuthInfo {
     res.status = 302;
     res.body = '';
     res.headers.set('location', url.href);
-    res.headers.set('set-cookie', clearAuthCookie());
+    res.headers.set('set-cookie', clearAuthCookie(proto === 'https'));
     res.headers.set('cache-control', 'no-store, private, must-revalidate');
     res.error = 'moved';
   }
@@ -299,12 +300,12 @@ export class AuthInfo {
     // ctx.attributes.authInfo?.withCookieInvalid(false);
 
     const location = state.createExternalLocation(req.params.state.requestPath || '/');
-    log.info('[auth] redirecting to home page with id_token cookie', location);
+    log.info('[auth] redirecting to original page with hlx-auth-token cookie: ', location);
     res.status = 302;
     res.body = `please go to <a href="${location}">${location}</a>`;
     res.headers.set('location', location);
     res.headers.set('content-tye', 'text/plain');
-    res.headers.set('set-cookie', setAuthCookie(idToken));
+    res.headers.set('set-cookie', setAuthCookie(idToken, req.params.state.requestProto === 'https'));
     res.headers.set('cache-control', 'no-store, private, must-revalidate');
     res.error = 'moved';
   }

diff --git a/test/utils/auth-cookie.test.js b/test/utils/auth-cookie.test.js
@@ -16,12 +16,23 @@ import { clearAuthCookie, getAuthCookie, setAuthCookie } from '../../src/utils/a
 
 describe('Auth Cookie Test', () => {
   it('clears the auth cookie', () => {
-    assert.strictEqual(clearAuthCookie(), 'hlx-auth-token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax');
+    assert.strictEqual(clearAuthCookie(), 'hlx-auth-token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Lax');
+  });
+
+  it('clears the auth cookie (secure)', () => {
+    assert.strictEqual(clearAuthCookie(true), 'hlx-auth-token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax');
   });
 
   it('sets the auth cookie', () => {
     assert.strictEqual(
       setAuthCookie('1234'),
+      'hlx-auth-token=1234; Path=/; HttpOnly; SameSite=Lax',
+    );
+  });
+
+  it('sets the auth cookie (secure)', () => {
+    assert.strictEqual(
+      setAuthCookie('1234', true),
       'hlx-auth-token=1234; Path=/; HttpOnly; Secure; SameSite=Lax',
     );
   });

diff --git a/test/utils/auth.test.js b/test/utils/auth.test.js
@@ -398,6 +398,30 @@ describe('AuthInfo tests', () => {
     });
   });
 
+  it('redirects to the login page (xfh, scheme)', async () => {
+    const authInfo = AuthInfo
+      .Default()
+      .withIdp(idpFakeTestIDP);
+
+    const state = new PipelineState({});
+    const req = new PipelineRequest('https://localhost', {
+      headers: {
+        'x-forwarded-host': 'localhost',
+        'x-forwarded-scheme': 'http',
+        'x-forwarded-proto': 'ftp',
+      },
+    });
+    const res = new PipelineResponse();
+    await authInfo.redirectToLogin(state, req, res);
+    assert.strictEqual(res.status, 302);
+    const reqState = new URL(res.headers.get('location')).searchParams.get('state');
+    assert.deepStrictEqual(decodeJwt(reqState), {
+      requestHost: 'localhost',
+      requestProto: 'http',
+      requestPath: '/',
+    });
+  });
+
   it('redirects to the login page (xfh - multi)', async () => {
     const authInfo = AuthInfo
       .Default()