Check if a request doesn't come from a proxy when generating callback…

… url
akarmazyn · Aug 8, 2019 · 8a50c5e · 8a50c5e
1 parent bc76a28
commit 8a50c5e
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/3rd-party-oauth-1.0-3.rockspec → 3rd-party-oauth-1.0-4.rockspec b/3rd-party-oauth-1.0-3.rockspec → 3rd-party-oauth-1.0-4.rockspec
@@ -1,5 +1,5 @@
 package = "3rd-party-oauth"
-version = "1.0-3"
+version = "1.0-4"
 source = {
   url = "git://github.com/akarmazyn/3rd-party-oauth"
 }

diff --git a/src/access.lua b/src/access.lua
@@ -24,7 +24,7 @@ local ngx = ngx
 local OAUTH_CALLBACK = "^%s/oauth2/callback(/?(\\?[^\\s]*)*)$"
 
 function _M.run(conf)
-    local callback_url = kong.request.get_scheme() .. "://" .. kong.request.get_host() ..  ":" .. kong.request.get_port() .. conf.path_prefix .. "/oauth2/callback"
+    local callback_url = get_callback_url(conf)
 
     -- check if we're calling the callback endpoint
     if ngx.re.match(ngx.var.request_uri, string.format(OAUTH_CALLBACK, conf.path_prefix)) then
@@ -125,7 +125,7 @@ function decode_token(token, conf)
 end
 
 -- Callback Handling
-function  handle_callback( conf, callback_url )
+function handle_callback( conf, callback_url )
     local args = ngx.req.get_uri_args()
 
     if args.code then
@@ -165,4 +165,22 @@ function  handle_callback( conf, callback_url )
     end
 end
 
+-- Builds a callback url taking into consideration any X-Forwarded headers
+function get_callback_url(conf)
+    local scheme = kong.request.get_forwarded_scheme();
+    if not scheme then
+        scheme = kong.request.get_scheme()
+    end
+    local host = kong.request.get_forwarded_host();
+    if not host then
+        host = kong.request.get_host()
+    end
+    local port = kong.request.get_forwarded_port();
+    if not port then
+        port = kong.request.get_port()
+    end
+
+    return scheme .. "://" .. host ..  ":" .. port .. conf.path_prefix .. "/oauth2/callback"
+end
+
 return _M