Strip session_token on redirect

This commit is contained in:
Viktor Liu
2026-02-10 18:27:03 +08:00
parent e2adef1eea
commit 6b00bb0a66


@@ -7,6 +7,7 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"net/url"
"sync" "sync"
"time" "time"
@@ -124,7 +125,8 @@ func (mw *Middleware) Protect(next http.Handler) http.Handler {
if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil { if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil {
cd.SetOrigin(proxy.OriginAuth) cd.SetOrigin(proxy.OriginAuth)
} }
http.Redirect(w, r, r.URL.RequestURI(), http.StatusSeeOther) redirectURL := stripSessionTokenParam(r.URL)
http.Redirect(w, r, redirectURL, http.StatusSeeOther)
return return
} }
methods[scheme.Type().String()] = promptData methods[scheme.Type().String()] = promptData
@@ -173,3 +175,16 @@ func (mw *Middleware) RemoveDomain(domain string) {
defer mw.domainsMux.Unlock() defer mw.domainsMux.Unlock()
delete(mw.domains, domain) delete(mw.domains, domain)
} }
// stripSessionTokenParam returns the request URI with the session_token query
// parameter removed so it doesn't linger in the browser's address bar or history.
func stripSessionTokenParam(u *url.URL) string {
q := u.Query()
if !q.Has("session_token") {
return u.RequestURI()
}
q.Del("session_token")
clean := *u
clean.RawQuery = q.Encode()
return clean.RequestURI()
}
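Review bot: stripSessionTokenParam rebuilds the query through u.Query(), which discards the error returned by url.ParseQuery, so a request whose query holds a malformed pair (for instance one containing a bare `;`) is redirected with that unrelated pair silently dropped along with the token, and the surviving pairs come back sorted and re-escaped by url.Values.Encode. Since the token must go regardless, this is acceptable but should be stated in the doc comment, e.g. `// When the token is present the remaining query is re-encoded by url.Values.Encode: key order and percent-encoding may change and pairs that url.ParseQuery rejects are dropped.` url.Values.Del removes every value for the key, so a request carrying session_token more than once is fully cleaned, which is the right behaviour and worth a sentence as well. If the parameter name is already a constant where this middleware reads the token out of the query, reuse it here instead of a second string literal so the two cannot drift apart.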