clusterfuzz icon indicating copy to clipboard operation
clusterfuzz copied to clipboard
verified publisher icon google

use request host value instead of auth domain when proxying

Open qyeo-sc opened this issue 1 year ago • 5 comments

This modifies how the target URL for proxying auth requests is instantiated, instead of using auth.auth_domain, it uses request.host which achieves the same behavior, but is more robust in the sense that it'd allow setups that are behind some kind of beyond corp/zero trust proxy more easily.

qyeo-sc avatar Jun 29 '24 09:06 qyeo-sc

Can you be more clear about what problem this is solving?

jonathanmetzman avatar Jul 01 '24 16:07 jonathanmetzman

/gcbrun

jonathanmetzman avatar Jul 01 '24 16:07 jonathanmetzman

@jonathanmetzman : sure thing.

Imagine a set up where clusterfuzz is behind a virtualhost proxy, the front domain is front-server.com, and the back domain is back-server.com. The main blocker here is that for the oauth proxy to work, auth.auth_domain() needs to return front-server.com so that the oauth redirect URI works correctly. But, in this setup, the value of request.url is https://back-server.com/__/auth/path, and so request.url.replace("front-server.com", auth.real_auth_domain(), 1) does nothing.

All the code is trying to do here is replace the host value in the URL https://back-server.com/__/auth/path with the value returned from auth.real_auth_domain(), which we can achieve with the change proposed in this PR.

qyeo-sc avatar Jul 01 '24 16:07 qyeo-sc

@jonathanmetzman I can't view the reason why the clusterfuzz-testing-public job is failing, could you take a look?

qyeo-sc avatar Jul 05 '24 08:07 qyeo-sc

/gcbrun

oliverchang avatar Jul 24 '24 04:07 oliverchang