
feat: add allowed_* constraint option to proxy endpoint query string (#2841)

* Add check for constraints to the proxy endpoint

* Add tests for allowed_groups query string

* Add this feature to the changelog

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Use explicit key names in TestProxyAllowedGroups

* Document the query parameters on proxy endpoint

* Replace a comment that was copied from the AuthOnly handler but, on closer inspection, is not relevant here with a more relevant one

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Jacob Alberty
2025-11-08 06:58:34 -06:00
committed by GitHub
parent 22053dcade
commit fcc2db040e
4 changed files with 88 additions and 5 deletions


@@ -1012,6 +1012,13 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
session, err := p.getAuthenticatedSession(rw, req)
switch err {
case nil:
// Check against our authorization constraints and return forbidden
// if this request fails to satisfy them.
if !authOnlyAuthorize(req, session) {
http.Error(rw, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
}
// we are authenticated
p.addHeadersForProxying(rw, session)
p.headersChain.Then(p.upstreamProxy).ServeHTTP(rw, req)
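Review bot: The new `authOnlyAuthorize(req, session)` check in the `case nil:` branch takes its constraints from `req`, and on this handler the query string is whatever the requesting client sent, so the allowed_* restriction holds only when a trusted front end sets those parameters and discards client-supplied ones. authOnlyAuthorize is defined outside this hunk; if it treats a request with no allowed_* parameters as unconstrained (not visible here), a client that simply omits them is never restricted. The added comment should say so, for example `// allowed_* constraints come from the query string: they restrict access only when a trusted proxy in front sets them and strips client-supplied values.` No log call is visible in the added lines, so a 403 from this branch may leave no record unless authOnlyAuthorize logs it; a log line naming the failed constraint would help operators tell a policy denial from a misconfigured front end. Proxy's body continues past the end of the hunk.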