enhance: strip user session information before forwarding #19

Open
LaurenceJJones wants to merge 3 commits into fosrl:main from LaurenceJJones:strip-session-cookie

LaurenceJJones (Member) commented Mar 3, 2026

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR introduces upstream request sanitization so Badger can consume session/auth data for validation while preventing those sensitive values from being forwarded to backend services.

Why

Badger should validate session material but not forward that sensitive session/auth context to downstream apps.

This change ensures:

  1. Least-privilege forwarding:
    Downstream services receive identity context, not raw session secrets.

  2. Reduced leakage risk:
    Session tokens are removed from URL query, headers, and cookies before proxying (and logs/observability systems downstream are less likely to capture secrets).

  3. Consistent sanitization:
    Stripping is applied in one place for all supported transport paths (query params, headers, cookies).

  4. Traefik plugin compatibility:
    Implementation avoids APIs unavailable in Yaegi, preventing plugin load failures while keeping sanitization behavior intact.

What changed

  1. Strip session cookies:
    • Removes only cookies matching userSessionCookieName*
    • Preserves all other cookies untouched
    • Handles multiple Cookie headers
    • Uses Yaegi-compatible parsing logic (no net/http.ParseCookie)

  2. Strip session query params:
    • Removes resourceSessionRequestParam
    • Removes configured access-token query param (when set)

  3. Strip token headers:
    • Removes P-Access-Token-Id
    • Removes P-Access-Token

  4. Keep forwarded identity headers:
    • Continues to pass Remote-User, Remote-Email, Remote-Name, Remote-Role when session is valid

Behavior notes

  • Request cookies only carry name=value; Set-Cookie attributes (Path/Domain/SameSite/etc.) are response-side and are not modified here.
  • This logic avoids mutating unrelated cookies beyond normal header re-join formatting.

How to test?

Personally I set up a whoami container behind Pangolin SSO and used an invite link, use a preauthenticated browser to access the resource. What was echoed to the page was all sensitive information being removed before being forwarded to the backend service, but headers for user auth like Remote-User are preserved.

  - Add stripSessionCookies() to remove session cookies from Cookie header
  - Add stripSessionParam() to remove session exchange query parameter from URL
  - Call both before forwarding request to backend on valid sessions
  - Backend now only receives user identity via Remote-* headers
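
The sanitization steps listed in the description above, as an added Go example; it is not the code from this PR or from Badger. The function name sanitizeUpstream, its signature, and the sample cookie and parameter names (p_session, p_session_request) are assumptions; the two P-Access-Token header names come from the page. Cookies are split with plain string operations rather than a cookie-parsing API.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// sanitizeUpstream is a hypothetical helper, not Badger's code. cookiePrefix and
// params stand in for the configured session cookie name and query parameters.
func sanitizeUpstream(r *http.Request, cookiePrefix string, params ...string) {
	// 1. Cookies: walk every Cookie header and keep pairs outside the prefix.
	var kept []string
	for _, line := range r.Header.Values("Cookie") {
		for _, pair := range strings.Split(line, ";") {
			pair = strings.TrimSpace(pair)
			name := strings.SplitN(pair, "=", 2)[0]
			strip := cookiePrefix != "" && strings.HasPrefix(name, cookiePrefix)
			if pair != "" && !strip {
				kept = append(kept, pair) // value is copied through unchanged
			}
		}
	}
	r.Header.Del("Cookie") // drop all originals, then re-join the survivors
	if len(kept) > 0 {
		r.Header.Set("Cookie", strings.Join(kept, "; "))
	}
	// 2. Query parameters; an empty name means that option is not configured.
	q := r.URL.Query()
	for _, p := range params {
		if p != "" {
			q.Del(p)
		}
	}
	r.URL.RawQuery = q.Encode()
	// 3. Token headers named in the PR description.
	r.Header.Del("P-Access-Token-Id")
	r.Header.Del("P-Access-Token")
}

func main() {
	// Constructed request; cookie and parameter names are sample values.
	r, _ := http.NewRequest("GET", "http://app.internal/?p_session_request=abc&page=2", nil)
	r.Header.Add("Cookie", "theme=dark; p_session=SECRET")
	r.Header.Add("Cookie", "p_session_s=SECRET2; lang=en")
	r.Header.Set("P-Access-Token", "tok")
	sanitizeUpstream(r, "p_session", "p_session_request", "")
	fmt.Println(r.Header.Get("Cookie"), "|", r.URL.RawQuery)
}
```

Note that url.Values.Encode sorts and re-encodes the remaining query parameters, so a proxy that must keep the original query string byte-for-byte would have to filter RawQuery by hand instead.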