buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License

SKIP_AUTH_PREFLIGHT does not seem to work #258

Closed erewok closed 4 years ago

erewok commented 4 years ago

Describe the bug

While running the sso-proxy (version 2.0.0) application in a Docker container with the environment variable SKIP_AUTH_PREFLIGHT set to "true", the OPTIONS preflight requests are receiving 301 status codes, which browsers such as Chrome and Firefox will interpret as a failed preflight check. I expected these to make it to my upstream resource and the response returned directly instead of receiving a 301 response.

To Reproduce

Steps to reproduce the behavior:

  1. Run the sso-proxy Docker container with env var SKIP_AUTH_PREFLIGHT set to "true".
  2. Construct a preflighted request (see below) to a separate domain protected by the same sso-proxy.
  3. In network console see the 301 redirect response.

Sample preflighted request:

```js
const xhr = new XMLHttpRequest();
xhr.open('POST', 'https://bar.other/resources/post-here/');
xhr.setRequestHeader('Ping-Other', 'pingpong');
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.onreadystatechange = handler;
xhr.send('{"key": "value"}');
```

Expected behavior

OPTIONS preflight requests should be forwarded upstream when SKIP_AUTH_PREFLIGHT is set and should return the proxied response directly (instead of 301). (Note: I see in the tests an expected return value of http.StatusOK with skipAuthPreflight set to true).


erewok commented 4 years ago

Turns out this was probably user error: we had some bad URIs and our upstream was responding with a 301. Apologies for the mistake.
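
The following is an added example, not part of the thread and not code from sso: it sends the preflight for the sample request straight to an upstream handler, with no proxy in the path, to show how a mismatched URI alone yields the 301 that fails the preflight. The upstream here is a constructed stand-in built on Go's `net/http` ServeMux, the trailing-slash mismatch is one assumed kind of "bad URI", and the origin `https://foo.example` is a constructed value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed origin of the page that issues the cross-origin POST.
const allowedOrigin = "https://foo.example"

// newUpstream is a constructed stand-in for the service behind the proxy.
// Its only route is registered with a trailing slash, so ServeMux answers
// the slash-less path with a 301 redirect, whatever the request method.
func newUpstream() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/resources/post-here/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.Header().Set("Access-Control-Allow-Methods", "POST")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Ping-Other")
		}
		w.WriteHeader(http.StatusOK)
	})
	return mux
}

// preflight issues the OPTIONS request a browser sends before the POST from
// the issue, directly to h, and returns the status code and Location header.
func preflight(h http.Handler, target string) (int, string) {
	req := httptest.NewRequest(http.MethodOptions, target, nil)
	req.Header.Set("Origin", allowedOrigin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", "content-type, ping-other")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

// passes reports whether a browser accepts the preflight status: 2xx only,
// redirects are never followed for a preflight.
func passes(status int) bool { return status >= 200 && status <= 299 }

func main() {
	up := newUpstream()
	for _, u := range []string{"https://bar.other/resources/post-here/", "https://bar.other/resources/post-here"} {
		code, loc := preflight(up, u)
		fmt.Printf("%-40s status=%d location=%q passes=%v\n", u, code, loc, passes(code))
	}
}
```

If the same OPTIONS request returns a 3xx when sent to the upstream directly, the redirect seen through the proxy is being relayed rather than generated by it.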