Add nginx auth_request support (#109)

robvanoostenrijk · itzg · web-flow · commit ec738fa43b1d · 2025-07-30T19:20:16.000-06:00
* Introduce AuthVerifyRequireLogin

---------

Co-authored-by: Geoff Bourne &lt;itzgeoff@gmail.com&gt;
diff --git a/server/config.go b/server/config.go
@@ -25,6 +25,7 @@ type Config struct {
 	AllowIdpInitiated       bool              `usage:"If set, allows for IdP initiated authentication flow"`
 	AuthVerify              bool              `usage:"Enables verify path endpoint for forward auth and trusts X-Forwarded headers"`
 	AuthVerifyPath          string            `default:"/_verify" usage:"Path under BaseUrl that will respond with a 200 when authenticated"`
+	AuthVerifyRequireLogin  bool              `usage:"If set, trigger a login if the user is not authenticated during verify"`
 	Debug                   bool              `usage:"Enable debug logs"`
 	StaticRelayState        string            `usage:"A fixed RelayState value, such as a short URL. Will be trimmed to 80 characters to conform with SAML. The default generates random bytes that are Base64 encoded."`
 	InitiateSessionPath     string            `usage:"If set, initiates a SAML authentication flow only when a user visits this path. This will allow anonymous users to access to the backend."`
diff --git a/server/server.go b/server/server.go
@@ -124,7 +124,11 @@ func Start(ctx context.Context, listener net.Listener, logger *zap.Logger, cfg *
 
 	app := http.HandlerFunc(proxy.handler)
 	if cfg.AuthVerify {
-		http.Handle(cfg.AuthVerifyPath, middleware.RequireAccount(http.HandlerFunc(noContentHandler)))
+		if cfg.AuthVerifyRequireLogin {
+			http.Handle(cfg.AuthVerifyPath, middleware.RequireAccount(http.HandlerFunc(noContentHandler)))
+		} else {
+			http.Handle(cfg.AuthVerifyPath, authVerify(middleware))
+		}
 	}
 
 	http.Handle("/saml/sign_in", http.HandlerFunc(middleware.HandleStartAuthFlow))
@@ -188,6 +192,25 @@ func setupHttpClient(idpCaFile string) (*http.Client, error) {
 }
 
 // HTTP handler that replies to each request with a “204 no content”.
-func noContentHandler(w http.ResponseWriter, r *http.Request) {
+func noContentHandler(w http.ResponseWriter, _ *http.Request) {
 	w.WriteHeader(http.StatusNoContent)
 }
+
+func authVerify(middleware *samlsp.Middleware) http.Handler {
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		session, err := middleware.Session.GetSession(r)
+
+		if session != nil {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		if err == samlsp.ErrNoSession {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+	})
+}
