pangolin_mirror/badger
1
0
Fork 0
mirror of https://github.com/fosrl/badger.git synced 2026-03-26 20:46:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Strip session cookie and query param before forwarding to backend

Browse Source 
- Add stripSessionCookies() to remove session cookies from Cookie header
  - Add stripSessionParam() to remove session exchange query parameter from URL
  - Call both before forwarding request to backend on valid sessions
  - Backend now only receives user identity via Remote-* headers
This commit is contained in:
Laurence
2026-03-02 16:48:46 +00:00
parent e0a2d76844
commit 877363a686
1 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
main.go
View File

@@ -312,6 +312,9 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
req.Header.Add("Remote-Role", *result.Data.Role) req.Header.Add("Remote-Role", *result.Data.Role)
} }
p.stripSessionCookies(req)
p.stripSessionParam(req)
fmt.Println("Badger: Valid session") fmt.Println("Badger: Valid session")
p.next.ServeHTTP(rw, req) p.next.ServeHTTP(rw, req)
return return
@@ -414,6 +417,44 @@ func (p *Badger) getRealIP(req *http.Request) string {
return ip return ip
} }
func (p *Badger) stripSessionParam(req *http.Request) {
query := req.URL.Query()
if query.Has(p.resourceSessionRequestParam) {
query.Del(p.resourceSessionRequestParam)
req.URL.RawQuery = query.Encode()
}
}
// stripSessionCookies removes session cookies from the request before forwarding to the backend.
// We parse the Cookie header as a string rather than using req.Cookies() + re-encoding so we
// preserve the exact header format; the Cookie request header only carries name=value pairs
// (domain/path are Set-Cookie response attributes and are not sent in requests per RFC 6265).
func (p *Badger) stripSessionCookies(req *http.Request) {
cookieHeader := req.Header.Get("Cookie")
if cookieHeader == "" {
return
}
var remaining []string
for part := range strings.SplitSeq(cookieHeader, ";") {
part = strings.TrimSpace(part)
if part == "" {
continue
}
parts := strings.SplitN(part, "=", 2)
name := strings.TrimSpace(parts[0])
if !strings.HasPrefix(name, p.userSessionCookieName) {
remaining = append(remaining, part)
}
}
if len(remaining) > 0 {
req.Header.Set("Cookie", strings.Join(remaining, "; "))
} else {
req.Header.Del("Cookie")
}
}
func (p *Badger) isTrustedIP(remoteAddr string) bool { func (p *Badger) isTrustedIP(remoteAddr string) bool {
ipStr, _, err := net.SplitHostPort(remoteAddr) ipStr, _, err := net.SplitHostPort(remoteAddr)
if err != nil { if err != nil {