Remove unnecessary authorization headers after authorization is successful
This commit is contained in:
@@ -43,7 +43,8 @@ func init() {
|
||||
|
||||
// WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then
|
||||
// stores any such user found onto the provided context for the request. If authentication fails or returns an error
|
||||
// the failed handler is used. On success, handler is invoked to serve the request.
|
||||
// the failed handler is used. On success, "Authorization" header is removed from the request and handler
|
||||
// is invoked to serve the request.
|
||||
func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler) http.Handler {
|
||||
if auth == nil {
|
||||
glog.Warningf("Authentication is disabled")
|
||||
@@ -60,6 +61,9 @@ func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, a
|
||||
return
|
||||
}
|
||||
|
||||
// authorization header is not required anymore in case of a successful authentication.
|
||||
req.Header.Del("Authorization")
|
||||
|
||||
if ctx, ok := mapper.Get(req); ok {
|
||||
mapper.Update(req, api.WithUser(ctx, user))
|
||||
}
|
||||
|
@@ -40,18 +40,24 @@ func TestAuthenticateRequest(t *testing.T) {
|
||||
if user == nil || !ok {
|
||||
t.Errorf("no user stored in context: %#v", ctx)
|
||||
}
|
||||
if req.Header.Get("Authorization") != "" {
|
||||
t.Errorf("Authorization header should be removed from request on success: %#v", req)
|
||||
}
|
||||
close(success)
|
||||
}),
|
||||
contextMapper,
|
||||
authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
|
||||
if req.Header.Get("Authorization") == "Something" {
|
||||
return &user.DefaultInfo{Name: "user"}, true, nil
|
||||
}
|
||||
return nil, false, errors.New("Authorization header is missing.")
|
||||
}),
|
||||
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
|
||||
t.Errorf("unexpected call to failed")
|
||||
}),
|
||||
)
|
||||
|
||||
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{})
|
||||
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})
|
||||
|
||||
<-success
|
||||
empty, err := api.IsEmpty(contextMapper)
|
||||
|
Reference in New Issue
Block a user