Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-05-23 07:12:30 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

caddyauth: set user placeholders before auth rejection (#7685)
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m19s
Details
Cross-Build / build (~1.26.0, 1.26, aix) (push) Failing after 2m12s
Details
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 1m32s
Details
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m22s
Details
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 4m16s
Details
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 2m32s
Details
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 1m23s
Details
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 2m11s
Details
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 1m23s
Details
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 2m37s
Details
Lint / lint (ubuntu-latest, linux) (push) Failing after 1m45s
Details
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 2m27s
Details
Lint / dependency-review (push) Failing after 56s
Details
Lint / govulncheck (push) Successful in 2m26s
Details
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 6m31s
Details
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details

Browse Source 
* caddyauth: set user placeholders before auth rejection
* docs: update auth placeholder comment
This commit is contained in:
Rayan Salhab
2026-05-03 06:40:11 +03:00
committed by GitHub
parent ef496e58ef
commit 7e77eec0ae
2 changed files with 90 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/caddyhttp/caddyauth/caddyauth.go
+8 -7
View File
@@ -32,10 +32,10 @@ func init() {
// Authentication is a middleware which provides user authentication.
// Rejects requests with HTTP 401 if the request is not authenticated.
//
// After a successful authentication, the placeholder
// When an authentication provider returns user information, the placeholder
// `{http.auth.user.id}` will be set to the username, and also
// `{http.auth.user.*}` placeholders may be set for any authentication
// modules that provide user metadata.
// modules that provide user metadata, even if authentication is rejected.
//
// In case of an error, the placeholder `{http.auth.<provider>.error}`
// will be set to the error message returned by the authentication
@@ -91,6 +91,12 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
repl.Set("http.auth."+provName+".error", err.Error())
continue
}
if authed || user.ID != "" || len(user.Metadata) > 0 {
repl.Set("http.auth.user.id", user.ID)
for k, v := range user.Metadata {
repl.Set("http.auth.user."+k, v)
}
}
if authed {
break
}
@@ -99,11 +105,6 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
return caddyhttp.Error(http.StatusUnauthorized, fmt.Errorf("not authenticated"))
}
repl.Set("http.auth.user.id", user.ID)
for k, v := range user.Metadata {
repl.Set("http.auth.user."+k, v)
}
return next.ServeHTTP(w, r)
}
modules/caddyhttp/caddyauth/caddyauth_test.go
+82
View File
@@ -0,0 +1,82 @@
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package caddyauth
import (
"context"
"errors"
"net/http"
"net/http/httptest"
"testing"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
)
func TestAuthenticationSetsUserPlaceholdersOnUnauthorized(t *testing.T) {
repl := caddy.NewReplacer()
req := httptest.NewRequest(http.MethodGet, "/", nil)
req = req.WithContext(context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl))
a := Authentication{
Providers: map[string]Authenticator{
"test": staticAuthenticator{
user: User{
ID: "alice",
Metadata: map[string]string{
"role": "admin",
},
},
},
},
}
nextCalled := false
err := a.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
nextCalled = true
return nil
}))
if err == nil {
t.Fatal("expected unauthorized error")
}
var handlerErr caddyhttp.HandlerError
if !errors.As(err, &handlerErr) {
t.Fatalf("expected caddyhttp.HandlerError, got %T", err)
}
if handlerErr.StatusCode != http.StatusUnauthorized {
t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, handlerErr.StatusCode)
}
if nextCalled {
t.Fatal("next handler was called")
}
if got, ok := repl.GetString("http.auth.user.id"); !ok || got != "alice" {
t.Fatalf("expected http.auth.user.id to be alice, got %q (ok=%v)", got, ok)
}
if got, ok := repl.GetString("http.auth.user.role"); !ok || got != "admin" {
t.Fatalf("expected http.auth.user.role to be admin, got %q (ok=%v)", got, ok)
}
}
type staticAuthenticator struct {
user User
authed bool
err error
}
func (s staticAuthenticator) Authenticate(http.ResponseWriter, *http.Request) (User, bool, error) {
return s.user, s.authed, s.err
}