diff --git a/server/http.go b/server/http.go
index cc299c23683548e6e0f71ebab900e77f1d385bf4..a8227fef28fd0a8c311ee7b908acad18ad741a63 100644
--- a/server/http.go
+++ b/server/http.go
@@ -122,6 +122,13 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
 return nil, err
 }
 root.Handle(h.urlFor("/favicon.ico"), siteFavicon)
+ } else if urlPrefix == "" {
+ // Block default favicon requests (created by error pages, or
+ // if we don't set a custom favicon) *before* the login
+ // handler runs, or it will invalidate the session!
+ root.HandleFunc(h.urlFor("/favicon.ico"), func(w http.ResponseWriter, r *http.Request) {
+ http.NotFound(w, r)
+ })
 }
 
 // Serve static content to anyone.
@@ -212,6 +219,13 @@ func (h *Server) loginCallback(ctx context.Context, username, password string, u
 // signing a token with the user's identity. The client is redirected back to
 // the original service, with the signed token.
 func (h *Server) handleGrantTicket(w http.ResponseWriter, req *http.Request) {
+ // We need this check here because this handler is usually
+ // mounted at the application root.
+ if req.URL.Path != h.urlFor("/") {
+ http.NotFound(w, req)
+ return
+ }
+
 // Extract the authorization request parameters from the HTTP
 // request query args.
 //
@@ -380,15 +394,6 @@ func parseEmbeddedTemplates() *template.Template {
 return root
 }
 
-// Template helper function that encodes its input as JSON.
-func toJSON(obj interface{}) string {
- data, err := json.Marshal(obj)
- if err != nil {
- return ""
- }
- return string(data)
-}
-
 func sl2bl(sl []string) [][]byte {
 var out [][]byte
 for _, s := range sl {
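Review bot: The favicon handler registered in the new `else if urlPrefix == ""` branch is a point fix for a single stray path; browsers also fetch paths such as `/robots.txt` or `/apple-touch-icon.png` unprompted, and those still reach whatever handler owns the root pattern, so the session invalidation the comment warns about is only fully closed by an exact-path check inside the root handler itself (which this commit adds to handleGrantTicket further down) — worth saying in the comment so nobody later treats this branch as the complete fix. The closure adds nothing over the function value and can be written `root.HandleFunc(h.urlFor("/favicon.ico"), http.NotFound)`. Consider also stating why the branch is limited to an empty prefix; if the reasoning is that with a non-empty prefix a browser's default `/favicon.ico` request at the host root never matches `h.urlFor("/favicon.ico")`, a one-line comment would make that explicit. The enclosing `if`/`else` and New's body continue outside the hunk.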
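Review bot: The new path guard at the top of handleGrantTicket documents where it is needed but not why, and the why is the security-relevant part: if this is the login handler the favicon comment earlier in the commit refers to, a stray request on any other path would otherwise be processed as a grant request and invalidate the session, and a future reader who sees only a bare `http.NotFound` may relax it. I would replace the two-line comment with: `// Serve only the exact mount path. This handler usually owns the root pattern, so any other path (e.g. a browser's default /favicon.ico request) would otherwise be treated as a grant request and could invalidate the session.` Comparing `req.URL.Path` exactly against `h.urlFor("/")` is sound when the mux cleans and redirects paths before dispatch, as `http.ServeMux` does; if `root` is a different router, that guarantee should be confirmed. handleGrantTicket's body continues past the hunk.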
@@ -424,6 +429,15 @@ func intersectGroups(a, b []string) []string {
 return out
 }
 
+// Template helper function that encodes its input as JSON.
+func toJSON(obj interface{}) string {
+ data, err := json.Marshal(obj)
+ if err != nil {
+ return ""
+ }
+ return string(data)
+}
+
 // Return an integrity= attribute for the given URI (which should be
 // supplied without an eventual prefix).
 func sriIntegrity(uri string) template.HTML {