freman / caddy-reauth

Auth your Caddyserver requests against another server
MIT License

Support placeholders in failure redirect #9

Closed itskenny0 closed 5 years ago

itskenny0 commented 6 years ago

Hey there,

I'm using reauth with a custom LDAP authenticator.

I would like to redirect the user to the URL they originally tried to access after the authentication. The method I tried is to add the request URI to the redirect using a placeholder, which unfortunately doesn't seem to be supported by reauth.

This is what I'm trying to do:

reauth {
  path /
  except /auth
  failure redirect target=/auth/?redir={uri}
  upstream url=https://example.org/caddy.php,cookies=true
}

Unfortunately, {uri} is not replaced by the value behind it but left as-is. I'm open to alternative solutions of course :)

For clarification: The authenticator starts a PHP session, sets a server-side variable marking the session as authenticated and sets a cookie with the session ID. The upstream URL verifies the session and returns 200 when authenticated, 401 if not.

This works great, but a user accessing http://example.org/somefolder/ is redirected to /auth/, which doesn't know where the user originally tried to go.

Thanks for this really useful plugin!

Best, kenny

freman commented 6 years ago

I can make this work, my only concern being some malicious component injecting a rogue uri.

I might implement it such that there's a whitelist of domains, and/or it accepts relative paths. Probably a little paranoid on my part, but meh 😬

Edit. Actually, brain just kicked in, that level of paranoia is up to you to implement...

itskenny0 commented 6 years ago

I will mostly only be throwing the URI into a header("Redirect: $uri"); I might be wrong, but I see little attack vector here :)

freman commented 6 years ago

You should still be checking that uri is something you want to support, otherwise I could call

https://yoursite.com/auth/?redir=https://someroguesite.com/stealcookie

and depending on how you set that cookie (it is perfectly valid to use cross-domain cookies in some instances, for example with central company auth and various domains and subdomains for tooling) you could leak information.

This https://github.com/freman/caddy-reauth/commit/8c7aedb578b9fbe1ee0544723d9aba157e39ce82 should fix your templating, I'll tag the version and update the caddy website.
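One way to do the check freman describes above, as an added example that is not part of caddy-reauth or the reporter's PHP authenticator: a Go function that accepts only site-relative paths or https URLs on an explicitly allowed host (the `allowedHosts` list and the `fallback` target are assumptions) and sends anything else to a safe default.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeRedirect returns redir if it is a site-relative path or an https URL on
// one of allowedHosts, and fallback otherwise. Added example: allowedHosts and
// fallback are assumptions, not settings of caddy-reauth.
func safeRedirect(redir string, allowedHosts []string, fallback string) string {
	if redir == "" {
		return fallback
	}
	// Browsers treat "\" like "/", so "/\evil.com" would become "//evil.com";
	// CR/LF would allow header injection in a Location header. Reject both.
	if strings.ContainsAny(redir, "\\\r\n") {
		return fallback
	}
	u, err := url.Parse(redir)
	if err != nil {
		return fallback
	}
	// No scheme and no host: must be a single-slash relative path ("//x" is protocol-relative).
	if u.Scheme == "" && u.Host == "" {
		if strings.HasPrefix(redir, "/") && !strings.HasPrefix(redir, "//") {
			return redir
		}
		return fallback
	}
	// Absolute target: only https and only hosts we explicitly trust (Hostname()
	// ignores userinfo tricks such as https://trusted@evil.com/).
	if u.Scheme != "https" {
		return fallback
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return redir
		}
	}
	return fallback
}

func main() {
	allowed := []string{"tools.example.org"} // constructed sample whitelist
	for _, r := range []string{"/somefolder/", "//someroguesite.com/stealcookie", "https://someroguesite.com/stealcookie", "https://tools.example.org/app"} {
		fmt.Printf("%-40q -> %q\n", r, safeRedirect(r, allowed, "/"))
	}
}
```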

freman commented 6 years ago

If you want to pull and build yourself, you can have the fixes today

Otherwise you'll have to wait for the next minor release of caddy (thanks cloudflare)

see: https://twitter.com/mholt6/status/981702670028124160

itskenny0 commented 6 years ago

Thanks a lot! Looking forward to playing with this.

freman commented 5 years ago

Everything builds, release 1.0.14 is now available in caddy