From 7579f92a08cde9939dac1fe19741d3996e61ae8b Mon Sep 17 00:00:00 2001
From: Boris Nagaev
Date: Tue, 16 Apr 2024 18:20:32 -0300
Subject: [PATCH] auth: don't send client's headers back

Create fresh http.Header object filled with the only header: "Content-Type: application/grpc".
---
 auth/authenticator.go | 5 ++++-
 auth/mock_authenticator.go | 6 +++++-
 proxy/proxy.go | 4 ++--
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/auth/authenticator.go b/auth/authenticator.go
index b52eab9..5aef553 100644
--- a/auth/authenticator.go
+++ b/auth/authenticator.go
@@ -103,9 +103,12 @@ func (l *L402Authenticator) FreshChallengeHeader(r *http.Request,
 log.Errorf("Error serializing L402: %v", err)
 }
+ header := http.Header{
+ "Content-Type": []string{"application/grpc"},
+ }
+
 str := fmt.Sprintf("macaroon=\"%s\", invoice=\"%s\"",
 base64.StdEncoding.EncodeToString(macBytes), paymentRequest)
- header := r.Header
 // Old loop software (via ClientInterceptor code of aperture) looks
 // for "LSAT" in the first instance of WWW-Authenticate header, so
diff --git a/auth/mock_authenticator.go b/auth/mock_authenticator.go
index d5a9470..7f4c380 100644
--- a/auth/mock_authenticator.go
+++ b/auth/mock_authenticator.go
@@ -34,7 +34,10 @@ func (a MockAuthenticator) Accept(header *http.Header, _ string) bool {
 func (a MockAuthenticator) FreshChallengeHeader(r *http.Request,
 _ string, _ int64) (http.Header, error) {
- header := r.Header
+ header := http.Header{
+ "Content-Type": []string{"application/grpc"},
+ }
+
 str := "macaroon=\"AGIAJEemVQUTEyNCR0exk7ek9" +
 "0Cg==\", invoice=\"lnbc1500n1pw5kjhmpp5fu6xhthlt2vucm" +
 "zkx6c7wtlh2r625r30cyjsfqhu8rsx4xpz5lwqdpa2fjkzep6yptk" +
@@ -44,5 +47,6 @@ func (a MockAuthenticator) FreshChallengeHeader(r *http.Request,
 "y3ngqjcym5a\""
 header.Set("WWW-Authenticate", lsatAuthScheme+" "+str)
 header.Add("WWW-Authenticate", l402AuthScheme+" "+str)
+
 return header, nil
 }
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 3734d8e..1d2bf8f 100644
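Review bot: The fresh `header` in L402Authenticator.FreshChallengeHeader hard-codes `Content-Type: application/grpc` for every challenge, including requests that were not gRPC. Before this change the value was whatever the client had sent, so a non-gRPC caller (if the proxy serves any, which is not visible here) would now get a gRPC content type on its 402 unless code outside the hunk overrides it. Consider setting it only for gRPC requests, e.g. `if strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") { header.Set("Content-Type", "application/grpc") }`, which still writes a fixed value rather than anything the client controls. The same literal is repeated in auth/mock_authenticator.go, so a shared unexported helper would keep the two in step. The function body starts and ends outside the hunk.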
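Review bot: In MockAuthenticator.FreshChallengeHeader the parameter `r` is no longer read once `header := r.Header` is gone, judging by the lines visible in the two hunks. The other unused parameters are already blanked, so the signature could read `func (a MockAuthenticator) FreshChallengeHeader(_ *http.Request,` to make it obvious that the mock takes nothing from the request. A short comment above the literal, such as `// Never start from r.Header: the proxy copies every entry to the response.`, would stop the aliasing from being reintroduced in test code.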
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -398,8 +398,6 @@ func addCorsHeaders(header http.Header) {
 func (p *Proxy) handlePaymentRequired(w http.ResponseWriter, r *http.Request,
 serviceName string, servicePrice int64) {
- addCorsHeaders(r.Header)
-
 header, err := p.authenticator.FreshChallengeHeader(
 r, serviceName, servicePrice,
 )
@@ -412,6 +410,8 @@ func (p *Proxy) handlePaymentRequired(w http.ResponseWriter, r *http.Request,
 return
 }
+ addCorsHeaders(header)
+
 for name, value := range header {
 w.Header().Set(name, value[0])
 for i := 1; i < len(value); i++ {
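Review bot: The copy loop after `addCorsHeaders(header)` still writes every entry of the returned header to the response, so the guarantee that client headers are not echoed now rests on each Authenticator implementation returning a freshly allocated map. Nothing in the visible code stops a later implementation from returning `r.Header` again. A comment here and on the interface method would record the contract, for example `// header must be freshly allocated by the authenticator and must never alias r.Header: every entry is copied to the response.` A stricter option is to copy only the names the proxy expects (WWW-Authenticate, Content-Type and the CORS names) instead of ranging over the whole map. The loop continues past the end of the hunk.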