From 14a675baf268dc34ee928163f7cd44e88224e9aa Mon Sep 17 00:00:00 2001
From: Kenneth Lee
Date: Thu, 30 Oct 2025 14:30:46 -0400
Subject: [PATCH 1/2] feat: passes over SAML attr as headers in auth verify with login

---
 server/server.go | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/server/server.go b/server/server.go
index 978105a..144cfc4 100644
--- a/server/server.go
+++ b/server/server.go
@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"go.uber.org/zap"
+	"gorm.io/gorm/logger"
 
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
@@ -125,7 +126,7 @@ func Start(ctx context.Context, listener net.Listener, logger *zap.Logger, cfg *
 	app := http.HandlerFunc(proxy.handler)
 	if cfg.AuthVerify {
 		if cfg.AuthVerifyRequireLogin {
-			http.Handle(cfg.AuthVerifyPath, middleware.RequireAccount(http.HandlerFunc(noContentHandler)))
+			http.Handle(cfg.AuthVerifyPath, authVerifyWithLogin(proxy, middleware))
 		} else {
 			http.Handle(cfg.AuthVerifyPath, authVerify(middleware))
 		}
@@ -191,9 +192,21 @@ func setupHttpClient(idpCaFile string) (*http.Client, error) {
 	return client, nil
 }
 
-// HTTP handler that replies to each request with a “204 no content”.
-func noContentHandler(w http.ResponseWriter, _ *http.Request) {
-	w.WriteHeader(http.StatusNoContent)
+func authVerifyWithLogin(proxy *Proxy, middleware *samlsp.Middleware) http.Handler {
+	return middleware.RequireAccount(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		session := samlsp.SessionFromContext(r.Context())
+
+		sessionClaims, ok := session.(samlsp.JWTSessionClaims)
+		if !ok {
+			logger.Error("session is not expected type")
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		proxy.addHeaders(sessionClaims, w.Header()) // pass over SAML attrs as headers
+
+		w.WriteHeader(http.StatusNoContent)
+	}))
 }
 
 func authVerify(middleware *samlsp.Middleware) http.Handler {

From 7435775d37244f314e7aa2a3dd68dfb6a07ee0e1 Mon Sep 17 00:00:00 2001
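Review bot: `authVerifyWithLogin` in the third hunk has no doc comment, while the `noContentHandler` it replaces had one; add something like `// authVerifyWithLogin serves the auth-verify endpoint when login is required: it enforces a SAML session via RequireAccount, copies the session's SAML attributes onto the response headers through proxy.addHeaders, and replies 204 No Content.` above the `func` line. The `!ok` branch is sound (a nil session from SessionFromContext also fails the assertion), but it logs only a fixed string; `logger.Error("session is not expected type", zap.String("type", fmt.Sprintf("%T", session)))` would make the failure diagnosable without logging claim contents. Whether `proxy.addHeaders` bounds or sanitizes attribute values before they become response headers is not visible in this hunk, and since these headers are presumably consumed by a fronting proxy's auth-request integration, that is worth confirming at its definition. The body of `authVerify`, whose signature closes the hunk, lies outside it.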
From: Kenneth Lee
Date: Thu, 30 Oct 2025 15:57:58 -0400
Subject: [PATCH 2/2] chore: wrong dep

---
 server/server.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/server/server.go b/server/server.go
index 144cfc4..7c25e90 100644
--- a/server/server.go
+++ b/server/server.go
@@ -15,7 +15,6 @@ import (
 	"time"
 
 	"go.uber.org/zap"
-	"gorm.io/gorm/logger"
 
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
@@ -126,7 +125,7 @@ func Start(ctx context.Context, listener net.Listener, logger *zap.Logger, cfg *
 	app := http.HandlerFunc(proxy.handler)
 	if cfg.AuthVerify {
 		if cfg.AuthVerifyRequireLogin {
-			http.Handle(cfg.AuthVerifyPath, authVerifyWithLogin(proxy, middleware))
+			http.Handle(cfg.AuthVerifyPath, authVerifyWithLogin(logger, proxy, middleware))
 		} else {
 			http.Handle(cfg.AuthVerifyPath, authVerify(middleware))
 		}
@@ -192,7 +191,7 @@ func setupHttpClient(idpCaFile string) (*http.Client, error) {
 	return client, nil
 }
 
-func authVerifyWithLogin(proxy *Proxy, middleware *samlsp.Middleware) http.Handler {
+func authVerifyWithLogin(logger *zap.Logger, proxy *Proxy, middleware *samlsp.Middleware) http.Handler {
 	return middleware.RequireAccount(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		session := samlsp.SessionFromContext(r.Context())