Do not respond with a "Location" header when redirects are disabled (TeslaGov#74)

hvt · web-flow · commit 8f39e48fbbee · 2022-08-15T09:51:50.000-04:00
* In the default nginx config (used in the Docker container), nginx listens on port 80

* Do not respond with a "Location" header when redirects are disabled
diff --git a/Makefile b/Makefile
@@ -46,7 +46,7 @@ stop-nginx:
 
 .PHONY: start-nginx
 start-nginx:
-	docker run --rm --name "${DOCKER_IMAGE_NAME}" -d -p 8000:8000 ${DOCKER_ORG_NAME}/${DOCKER_IMAGE_NAME}
+	docker run --rm --name "${DOCKER_IMAGE_NAME}" -d -p 8000:80 ${DOCKER_ORG_NAME}/${DOCKER_IMAGE_NAME}
 
 .PHONY: cp-bin
 cp-bin: start-nginx
@@ -70,4 +70,4 @@ test:
 	IMAGE_VERSION=${NGINX_VERSION} docker compose -f ./docker-compose-test.yml up --no-start
 	docker start ${COMPOSE_PROJECT_NAME}-nginx-1
 	docker start -a ${COMPOSE_PROJECT_NAME}-runner-1
-	docker compose -f ./docker-compose-test.yml down
+	docker compose -f ./docker-compose-test.yml down
diff --git a/src/ngx_http_auth_jwt_module.c b/src/ngx_http_auth_jwt_module.c
@@ -227,7 +227,7 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 
 	if (jwtParseReturnCode != 0)
 	{
-		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to parse jwt");
+		ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "failed to parse jwt, error code %d", jwtParseReturnCode);
 		goto redirect;
 	}
 	
@@ -293,88 +293,87 @@ static ngx_int_t ngx_http_auth_jwt_handler(ngx_http_request_t *r)
 			jwt_free(jwt);
 		}
 
-		r->headers_out.___location = ngx_list_push(&r->headers_out.headers);
-		
-		if (r->headers_out.___location == NULL) 
+		if (jwtcf->auth_jwt_redirect)
 		{
-			ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
-		}
+			r->headers_out.___location = ngx_list_push(&r->headers_out.headers);
 
-		r->headers_out.___location->hash = 1;
-		r->headers_out.___location->key.len = sizeof("Location") - 1;
-		r->headers_out.___location->key.data = (u_char *) "Location";
+			if (r->headers_out.___location == NULL)
+			{
+				ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+			}
 
-		if (r->method == NGX_HTTP_GET)
-		{
-			int loginlen;
-			char * scheme;
-			ngx_str_t server;
-			ngx_str_t uri_variable_name = ngx_string("request_uri");
-			ngx_int_t uri_variable_hash;
-			ngx_http_variable_value_t * request_uri_var;
-			ngx_str_t uri;
-			ngx_str_t uri_escaped;
-			uintptr_t escaped_len;
-
-			loginlen = jwtcf->auth_jwt_loginurl.len;
-			scheme = (r->connection->ssl) ? "https" : "http";
-			server = r->headers_in.server;
-
-			// get the URI
-			uri_variable_hash = ngx_hash_key(uri_variable_name.data, uri_variable_name.len);
-			request_uri_var = ngx_http_get_variable(r, &uri_variable_name, uri_variable_hash);
-
-			// get the URI
-			if(request_uri_var && !request_uri_var->not_found && request_uri_var->valid)
+			r->headers_out.___location->hash = 1;
+			r->headers_out.___location->key.len = sizeof("Location") - 1;
+			r->headers_out.___location->key.data = (u_char *) "Location";
+
+			if (r->method == NGX_HTTP_GET)
 			{
-				// ideally we would like the uri with the querystring parameters
-				uri.data = ngx_palloc(r->pool, request_uri_var->len);
-				uri.len = request_uri_var->len;
-				ngx_memcpy(uri.data, request_uri_var->data, request_uri_var->len);
+				int loginlen;
+				char * scheme;
+				ngx_str_t server;
+				ngx_str_t uri_variable_name = ngx_string("request_uri");
+				ngx_int_t uri_variable_hash;
+				ngx_http_variable_value_t * request_uri_var;
+				ngx_str_t uri;
+				ngx_str_t uri_escaped;
+				uintptr_t escaped_len;
+
+				loginlen = jwtcf->auth_jwt_loginurl.len;
+				scheme = (r->connection->ssl) ? "https" : "http";
+				server = r->headers_in.server;
+
+				// get the URI
+				uri_variable_hash = ngx_hash_key(uri_variable_name.data, uri_variable_name.len);
+				request_uri_var = ngx_http_get_variable(r, &uri_variable_name, uri_variable_hash);
+
+				// get the URI
+				if(request_uri_var && !request_uri_var->not_found && request_uri_var->valid)
+				{
+					// ideally we would like the uri with the querystring parameters
+					uri.data = ngx_palloc(r->pool, request_uri_var->len);
+					uri.len = request_uri_var->len;
+					ngx_memcpy(uri.data, request_uri_var->data, request_uri_var->len);
+				}
+				else
+				{
+					// fallback to the querystring without params
+					uri = r->uri;
+				}
+
+				// escape the URI
+				escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_ARGS) + uri.len;
+				uri_escaped.data = ngx_palloc(r->pool, escaped_len);
+				uri_escaped.len = escaped_len;
+				ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_ARGS);
+
+				r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri_escaped.len;
+				return_url = ngx_palloc(r->pool, r->headers_out.___location->value.len);
+				ngx_memcpy(return_url, jwtcf->auth_jwt_loginurl.data, jwtcf->auth_jwt_loginurl.len);
+				int return_url_idx = jwtcf->auth_jwt_loginurl.len;
+				ngx_memcpy(return_url+return_url_idx, "?return_url=", sizeof("?return_url=") - 1);
+				return_url_idx += sizeof("?return_url=") - 1;
+				ngx_memcpy(return_url+return_url_idx, scheme, strlen(scheme));
+				return_url_idx += strlen(scheme);
+				ngx_memcpy(return_url+return_url_idx, "://", sizeof("://") - 1);
+				return_url_idx += sizeof("://") - 1;
+				ngx_memcpy(return_url+return_url_idx, server.data, server.len);
+				return_url_idx += server.len;
+				ngx_memcpy(return_url+return_url_idx, uri_escaped.data, uri_escaped.len);
+				return_url_idx += uri_escaped.len;
+				r->headers_out.___location->value.data = (u_char *)return_url;
 			}
 			else
 			{
-				// fallback to the querystring without params
-				uri = r->uri;
+				// for non-get requests, redirect to the login page without a return URL
+				r->headers_out.___location->value.len = jwtcf->auth_jwt_loginurl.len;
+				r->headers_out.___location->value.data = jwtcf->auth_jwt_loginurl.data;
 			}
 
-			// escape the URI
-			escaped_len = 2 * ngx_escape_uri(NULL, uri.data, uri.len, NGX_ESCAPE_ARGS) + uri.len;
-			uri_escaped.data = ngx_palloc(r->pool, escaped_len);
-			uri_escaped.len = escaped_len;
-			ngx_escape_uri(uri_escaped.data, uri.data, uri.len, NGX_ESCAPE_ARGS);
-
-			r->headers_out.___location->value.len = loginlen + sizeof("?return_url=") - 1 + strlen(scheme) + sizeof("://") - 1 + server.len + uri_escaped.len;
-			return_url = ngx_palloc(r->pool, r->headers_out.___location->value.len);
-			ngx_memcpy(return_url, jwtcf->auth_jwt_loginurl.data, jwtcf->auth_jwt_loginurl.len);
-			int return_url_idx = jwtcf->auth_jwt_loginurl.len;
-			ngx_memcpy(return_url+return_url_idx, "?return_url=", sizeof("?return_url=") - 1);
-			return_url_idx += sizeof("?return_url=") - 1;
-			ngx_memcpy(return_url+return_url_idx, scheme, strlen(scheme));
-			return_url_idx += strlen(scheme);
-			ngx_memcpy(return_url+return_url_idx, "://", sizeof("://") - 1);
-			return_url_idx += sizeof("://") - 1;
-			ngx_memcpy(return_url+return_url_idx, server.data, server.len);
-			return_url_idx += server.len;
-			ngx_memcpy(return_url+return_url_idx, uri_escaped.data, uri_escaped.len);
-			return_url_idx += uri_escaped.len;
-			r->headers_out.___location->value.data = (u_char *)return_url;
-		}
-		else
-		{
-			// for non-get requests, redirect to the login page without a return URL
-			r->headers_out.___location->value.len = jwtcf->auth_jwt_loginurl.len;
-			r->headers_out.___location->value.data = jwtcf->auth_jwt_loginurl.data;
-		}
-
-		if (jwtcf->auth_jwt_redirect)
-		{
 			return NGX_HTTP_MOVED_TEMPORARILY;
 		}
-		else
-		{
-			return NGX_HTTP_UNAUTHORIZED;
-		}
+
+		// When no redirect is needed, no "Location" header construction is needed, and we can respond with a 401
+		return NGX_HTTP_UNAUTHORIZED;
 }
 
 
