Skip to content

Avoid authorizing incorrectly on HTTP 302 redirect#58

Merged
brianbeck-google merged 1 commit into
google:masterfrom
jvgogh:master
Jun 16, 2026
Merged

Avoid authorizing incorrectly on HTTP 302 redirect#58
brianbeck-google merged 1 commit into
google:masterfrom
jvgogh:master

Conversation

@jvgogh

@jvgogh jvgogh commented Oct 2, 2025

Copy link
Copy Markdown
Contributor

The sample & common way of verifying a specific user is authenticated is to use curl to check if a certain http query completes correctly.

The -f or --fail flag passed to curl ensures zero vs non zero exit code based on http code.

Unfortunately there is a corner case where a http redirect (302 status code) is by default not followed by curl AND it returns a zero exit code, accidentally considering any badge swipe valid.

This is especially problematic as many cloud services, including AppEngine have set up an automatic redirect from http to https, making it so that a typo of http instead of https might accidentally make any badge swipe authenticate.

This change adds the -L flag to the sample .ini which will instruct curl to follow redirects instead of returning on http status code 302.

The sample & common way of verifying a specific user is authenticated
is to use curl to check if a certain http query completes correctly.

The -f or --fail flag passed to curl ensures zero vs non zero exit code
based on http code.

Unfortunately there is a corner case where a http redirect (302 status code)
is by default not followed by curl AND it returns a zero exit code,
accidentally considering any badge swipe valid.

This is especially problematic as many cloud services, including AppEngine
have set up an automatic redirect from http to https, making it so that
a typo of http instead of https might accidentally make any badge swipe
authenticate.

This change adds the -L flag to the sample .ini which will instruct curl
to follow redirects instead of returning on http status code 302.
@brianbeck-google

Copy link
Copy Markdown
Collaborator

Please sync to HEAD and pick up #60

That should fix the build failures.

@brianbeck-google brianbeck-google self-assigned this Jun 16, 2026
@brianbeck-google

Copy link
Copy Markdown
Collaborator

I cloned this locally, rebased, and confirmed that lint/test still pass: https://github.com/brianbeck-google/makerspace-auth/tree/jvg58

Given that this change is comment-only this is not surprising. Rebasing and merging as is.

@brianbeck-google
brianbeck-google merged commit 69d5bc1 into google:master Jun 16, 2026
1 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants