Fix LuCI menu authentication through proxy

This commit is contained in:
benya
2026-06-04 20:36:31 +03:00
parent ee80018652
commit 063374150c
2 changed files with 20 additions and 8 deletions

View File

@@ -1183,7 +1183,7 @@ func rewriteLuCIHeaders(header http.Header, prefix string) {
}
}
func rewriteLuCICookie(cookie, prefix string) string {
func rewriteLuCICookie(cookie, _ string) string {
parts := strings.Split(cookie, ";")
pathFound := false
for index := 1; index < len(parts); index++ {
@@ -1191,15 +1191,14 @@ func rewriteLuCICookie(cookie, prefix string) string {
if !strings.HasPrefix(strings.ToLower(attribute), "path=") {
continue
}
path := strings.TrimSpace(attribute[len("path="):])
if !strings.HasPrefix(path, "/") {
path = "/" + path
}
parts[index] = " Path=" + prefix + path
// LuCI themes and JavaScript use absolute /cgi-bin, /ubus and
// /luci-static requests. The auth cookie must cover those fallback
// routes as well as the session-prefixed entry point.
parts[index] = " Path=/"
pathFound = true
}
if !pathFound {
parts = append(parts, " Path="+prefix+"/")
parts = append(parts, " Path=/")
}
return strings.Join(parts, ";")
}

View File

@@ -432,7 +432,7 @@ func TestLuCIProxyRequiresActiveSessionAndRewritesPaths(t *testing.T) {
w.WriteHeader(http.StatusFound)
return
}
if r.URL.Path == "/cgi-bin/luci/admin/status/overview" {
if r.URL.Path == "/cgi-bin/luci/admin/status/overview" || r.URL.Path == "/cgi-bin/luci/admin/menu" {
cookie, err := r.Cookie("sysauth")
authenticated = err == nil && cookie.Value == "session-token"
if !authenticated {
@@ -548,6 +548,19 @@ func TestLuCIProxyRequiresActiveSessionAndRewritesPaths(t *testing.T) {
if resp.StatusCode != http.StatusOK || !authenticated {
t.Fatalf("LuCI login cookie was not preserved, status=%d authenticated=%t", resp.StatusCode, authenticated)
}
menuReq, err := http.NewRequest(http.MethodGet, srv.URL+"/cgi-bin/luci/admin/menu", nil)
if err != nil {
t.Fatal(err)
}
menuReq.Header.Set("Authorization", "Bearer operator-test")
menuResp, err := client.Do(menuReq)
if err != nil {
t.Fatal(err)
}
_ = menuResp.Body.Close()
if menuResp.StatusCode != http.StatusOK || !authenticated {
t.Fatalf("LuCI auth cookie was not sent to absolute menu route, status=%d authenticated=%t", menuResp.StatusCode, authenticated)
}
}
func TestServesStaticWebUI(t *testing.T) {