proxy: fix bug that would allow failed refresh session to continue (#762

)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

internal/httputil/errors.go

@@ -2,6 +2,7 @@ package httputil
 
 import (
 	"encoding/json"
+	"errors"
 	"html/template"
 	"net/http"
 
@@ -11,6 +12,8 @@ import (
 	"github.com/pomerium/pomerium/internal/version"
 )
 
+var ErrRedirectOnly = errors.New("httputil: redirecting to authenticate service")
+
 var errorTemplate = template.Must(frontend.NewTemplates())
 var fullVersion = version.FullVersion()
 
@@ -60,11 +63,14 @@ type errResponse struct {
 // It does not otherwise end the request; the caller should ensure no further
 // writes are done to w.
 func (e *HTTPError) ErrorResponse(w http.ResponseWriter, r *http.Request) {
+	log.FromRequest(r).Info().Err(e).Msg("httputil: ErrorResponse")
+	if errors.Is(e, ErrRedirectOnly) {
+		return
+	}
 	// indicate to clients that the error originates from Pomerium, not the app
 	w.Header().Set(HeaderPomeriumResponse, "true")
 	w.WriteHeader(e.Status)
 
-	log.FromRequest(r).Info().Err(e).Msg("httputil: ErrorResponse")
 	var requestID string
 	if id, ok := log.IDFromRequest(r); ok {
 		requestID = id

proxy/middleware.go

@@ -85,7 +85,7 @@ func (p *Proxy) redirectToSignin(w http.ResponseWriter, r *http.Request) error {
 	log.FromRequest(r).Debug().Str("url", signinURL.String()).Msg("proxy: redirectToSignin")
 	httputil.Redirect(w, r, urlutil.NewSignedURL(p.SharedKey, &signinURL).String(), http.StatusFound)
 	p.sessionStore.ClearSession(w, r)
-	return nil
+	return httputil.ErrRedirectOnly
 }
 
 // AuthorizeSession is middleware to enforce a user is authorized for a request.