From 95ac659b1f28b8fc1a764507183b91d9b8c63f89 Mon Sep 17 00:00:00 2001
From: yusing
Date: Fri, 13 Feb 2026 23:48:18 +0800
Subject: [PATCH] feat(oidc): restrict OIDC middleware to GET requests

Block non-GET and WebSocket requests through the OIDC middleware with a 403 Forbidden response. This avoids API clients receiving unexpected redirect and HTML response. Added a log to hint user to add bypass rule if needed. Also fix logout handler to not short-circuit middleware chain.
---
 internal/net/gphttp/middleware/oidc.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/internal/net/gphttp/middleware/oidc.go b/internal/net/gphttp/middleware/oidc.go
index 4ef673f4..0b7c20a7 100644
--- a/internal/net/gphttp/middleware/oidc.go
+++ b/internal/net/gphttp/middleware/oidc.go
@@ -8,6 +8,7 @@ import (
 	"sync/atomic"
 
 	"github.com/yusing/godoxy/internal/auth"
+	"github.com/yusing/goutils/http/httpheaders"
 )
 
 type oidcMiddleware struct {
@@ -104,7 +105,7 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 
 	if r.URL.Path == auth.OIDCLogoutPath {
 		amw.auth.LogoutHandler(w, r)
-		return true
+		return false
 	}
 
 	err := amw.auth.CheckToken(r)
@@ -112,7 +113,19 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 		return true
 	}
 
+	isGet := r.Method == http.MethodGet
+	isWS := httpheaders.IsWebsocket(r.Header)
 	switch {
+	case r.Method == http.MethodHead:
+		w.WriteHeader(http.StatusOK)
+	case !isGet, isWS:
+		http.Error(w, err.Error(), http.StatusForbidden)
+		reqType := r.Method
+		if isWS {
+			reqType = "WebSocket"
+		}
+		OIDC.LogWarn(r).Msgf("[OIDC] %s request blocked.\nConsider adding bypass rule for this path if needed", reqType)
+		return false
 	case errors.Is(err, auth.ErrMissingOAuthToken):
 		amw.auth.HandleAuth(w, r)
 	default:
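Review bot: In the third hunk the 403 branch sends the internal CheckToken failure text to an unauthenticated client through `http.Error(w, err.Error(), http.StatusForbidden)`; the reason a token was rejected belongs in the server log, not in the response body. Suggest `http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)` and attaching err to the warning instead, via the logger's error field if `OIDC.LogWarn(r)` supports one. Two smaller points in the same branch: r.Method is client-chosen and every unauthenticated non-GET hit emits a WARN line, so an unauthenticated scanner can fill the log (consider a lower level or deduplication), and the embedded `\n` in the Msgf format splits one event across two lines for line-oriented log collectors. The `http.MethodHead` case writes 200 for a request that has just failed CheckToken and then leaves the switch; whether `before` then proceeds to the upstream is decided by the tail of the function, which lies outside the hunk, so please confirm that path returns false.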