feat(oidc): restrict OIDC middleware to GET requests

Block non-GET and WebSocket requests through the OIDC middleware with a 403 Forbidden response. This avoids API clients receiving unexpected redirect and HTML response. Added a log to hint user to add bypass rule if needed. Also fix logout handler to not short-circuit middleware chain.
2026-03-30 13:51:52 +02:00 · 2026-02-13 23:48:18 +08:00
parent b4eb714553
commit 95ac659b1f
1 changed files with 14 additions and 1 deletions
--- a/internal/net/gphttp/middleware/oidc.go
+++ b/internal/net/gphttp/middleware/oidc.go
@@ -8,6 +8,7 @@ import (
 	"sync/atomic"

 	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/goutils/http/httpheaders"
 )

 type oidcMiddleware struct {
@@ -104,7 +105,7 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce

 	if r.URL.Path == auth.OIDCLogoutPath {
 		amw.auth.LogoutHandler(w, r)
-		return true
+		return false
 	}

 	err := amw.auth.CheckToken(r)
@@ -112,7 +113,19 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 		return true
 	}

+	isGet := r.Method == http.MethodGet
+	isWS := httpheaders.IsWebsocket(r.Header)
 	switch {
+	case r.Method == http.MethodHead:
+		w.WriteHeader(http.StatusOK)
+	case !isGet, isWS:
+		http.Error(w, err.Error(), http.StatusForbidden)
+		reqType := r.Method
+		if isWS {
+			reqType = "WebSocket"
+		}
+		OIDC.LogWarn(r).Msgf("[OIDC] %s request blocked.\nConsider adding bypass rule for this path if needed", reqType)
+		return false
 	case errors.Is(err, auth.ErrMissingOAuthToken):
 		amw.auth.HandleAuth(w, r)
 	default: