Reduce scope of trusted header auth #17483
Merged
Description
Only allow trusted header auth for the SessionsResource.
/nocl
Motivation and Context
Trusted header auth is only used until a session has been created for the user. From then on, if a session cookie is set on a request, it takes precedence over trusted headers to authenticate a request.
This was causing issues for proxied requests when a session expired. Our authentication chain would fail to authenticate the session cookie, because it was expired, and would then fall back to the next authentication method in the chain, which was trusted header auth. When trying to forward the request to other servers, we failed to extract an authentication token from the original request and caused the forwarded request to fail because it was unauthenticated.
With this fix, we are only allowing trusted header authentication for requests that target the sessions resource. Requests to other resources will fail fast if they require authentication but only have trusted headers set.
For the mentioned scenario of session expiration, this will cause any background REST call to a proxied endpoint to fail with a 401 once the session expires, even if trusted headers are set. This in turn will cause the UI to call the sessions endpoint, which will then refresh the session based on the trusted headers.
How Has This Been Tested?
See steps to reproduce here.
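Added example, not part of the pull request or the project's code: a small Python model of the authentication chain described above, replaying an expired session cookie plus a trusted header with and without the scoping. The sessions path, header name, proxied path and all function names are assumptions made for the sketch, and the request is assumed to have already arrived through a trusted proxy.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for this sketch, not taken from the pull request.
SESSIONS_PATH = "/api/system/sessions"
TRUSTED_HEADER = "Remote-User"

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session_id: Optional[str] = None  # value of the session cookie, if any

def authenticate(req, sessions, scoped):
    """Walk the chain; return (user, method), or (None, None) for a 401."""
    user = sessions.get(req.session_id)
    if user is not None:               # a valid session cookie wins
        return user, "session"
    header_user = req.headers.get(TRUSTED_HEADER)
    # After the fix, the header fallback applies to the sessions resource only.
    if header_user and (not scoped or req.path == SESSIONS_PATH):
        return header_user, "trusted-header"
    return None, None

def handle(req, sessions, scoped):
    """Return a label for what happens to the request."""
    user, method = authenticate(req, sessions, scoped)
    if user is None:
        return "401"
    if req.path == SESSIONS_PATH:
        sessions["sid-" + user] = user  # create or refresh the session
        return "session-created"
    if method != "session":
        # Proxied call without a session: no token to forward.
        return "forward-failed"
    return "forwarded"

def replay(scoped):
    """Expired cookie plus trusted header: proxied call, login, retry."""
    sessions = {}                       # the old session has expired
    hdr = {TRUSTED_HEADER: "alice"}     # constructed sample identity
    proxied = Request("/api/cluster/node-2/metrics", hdr, "sid-old")  # constructed path
    first = handle(proxied, sessions, scoped)
    login = handle(Request(SESSIONS_PATH, hdr), sessions, scoped)
    proxied.session_id = "sid-alice"    # UI now sends the fresh cookie
    return first, login, handle(proxied, sessions, scoped)
```

`replay(False)` models the chain before the change and `replay(True)` the scoped chain; the only difference is the first proxied call, which fails during forwarding in one case and is rejected with a 401 up front in the other.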