Don't pass the Authorization header to the backends

2018-07-16 13:52:03 +02:00 · 2018-07-16 13:52:03 +02:00 · 9ce444b91a
commit 9ce444b91a
parent ae8be89767
40 changed files with 445 additions and 130 deletions
--- a/middlewares/auth/authenticator.go
+++ b/middlewares/auth/authenticator.go
@ -26,6 +26,10 @@ type tracingAuthenticator struct {
 	clientSpanKind bool
 }

+const (
+	authorizationHeader = "Authorization"
+)
+
 // NewAuthenticator builds a new Authenticator given a config
 func NewAuthenticator(authConfig *types.Auth, tracingMiddleware *tracing.Tracing) (*Authenticator, error) {
 	if authConfig == nil {
@ -86,6 +90,10 @@ func createAuthDigestHandler(digestAuth *goauth.DigestAuth, authConfig *types.Au
 			if authConfig.HeaderField != "" {
 				r.Header[authConfig.HeaderField] = []string{username}
 			}
+			if authConfig.Digest.RemoveHeader {
+				log.Debugf("Remove the Authorization header from the Digest auth")
+				r.Header.Del(authorizationHeader)
+			}
 			next.ServeHTTP(w, r)
 		}
 	})
@ -101,6 +109,10 @@ func createAuthBasicHandler(basicAuth *goauth.BasicAuth, authConfig *types.Auth)
 			if authConfig.HeaderField != "" {
 				r.Header[authConfig.HeaderField] = []string{username}
 			}
+			if authConfig.Basic.RemoveHeader {
+				log.Debugf("Remove the Authorization header from the Basic auth")
+				r.Header.Del(authorizationHeader)
+			}
 			next.ServeHTTP(w, r)
 		}
 	})