Strip session_token on redirect

2026-04-16 15:26:40 +00:00 · 2026-02-10 18:27:03 +08:00
parent e2adef1eea
commit 6b00bb0a66
1 changed files with 16 additions and 1 deletions
--- a/proxy/internal/auth/middleware.go
+++ b/proxy/internal/auth/middleware.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
 	"sync"
 	"time"

@@ -124,7 +125,8 @@ func (mw *Middleware) Protect(next http.Handler) http.Handler {
 				if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil {
 					cd.SetOrigin(proxy.OriginAuth)
 				}
-				http.Redirect(w, r, r.URL.RequestURI(), http.StatusSeeOther)
+				redirectURL := stripSessionTokenParam(r.URL)
+				http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 				return
 			}
 			methods[scheme.Type().String()] = promptData
@@ -173,3 +175,16 @@ func (mw *Middleware) RemoveDomain(domain string) {
 	defer mw.domainsMux.Unlock()
 	delete(mw.domains, domain)
 }
+
+// stripSessionTokenParam returns the request URI with the session_token query
+// parameter removed so it doesn't linger in the browser's address bar or history.
+func stripSessionTokenParam(u *url.URL) string {
+	q := u.Query()
+	if !q.Has("session_token") {
+		return u.RequestURI()
+	}
+	q.Del("session_token")
+	clean := *u
+	clean.RawQuery = q.Encode()
+	return clean.RequestURI()
+}