Strip "Bearer " from authz query and header if they're present
I noticed while testing XRootD's ability to use a Pelican director as its
redirector (defined via the `pss.origin` directive), that XRootD will take
a token passed to it via an Authorization header and convert it directly into
an authz URL query that gets passed to the director. For the director to return
a valid redirect URL, the "Bearer " prefix must be stripped.
jhiemstrawisc committed Oct 9, 2023
1 parent f4776f7 commit 92d7113
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions director/redirect.go
Expand Up @@ -77,8 +77,12 @@ func getRealIP(ginCtx *gin.Context) (ipAddr netip.Addr, err error) {
func getAuthzEscaped(req *http.Request) (authzEscaped string) {
if authzQuery := req.URL.Query()["authz"]; len(authzQuery) > 0 {
authzEscaped = authzQuery[0]
// if the authz URL query is coming from XRootD, it probably has a "Bearer " tacked in front
// even though it's coming via a URL
authzEscaped = strings.TrimPrefix(authzEscaped, "Bearer ")
} else if authzHeader := req.Header["Authorization"]; len(authzHeader) > 0 {
authzEscaped = url.QueryEscape(authzHeader[0])
authzEscaped = strings.TrimPrefix(authzEscaped, "Bearer ")
}
return
}
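Review bot: In the `Authorization` header branch the new `strings.TrimPrefix(authzEscaped, "Bearer ")` runs after `url.QueryEscape(authzHeader[0])`. QueryEscape encodes the space as `+`, so the string starts with `Bearer+` and the prefix never matches, which makes the trim a no-op in that branch. Trim the raw header first and escape the result, for example `authzEscaped = url.QueryEscape(strings.TrimPrefix(authzHeader[0], "Bearer "))`. In the query branch the value comes from `req.URL.Query()`, which is already decoded, so the trim does match there, but the value is then returned without re-escaping despite the name `authzEscaped`; either escape it as well or add a comment saying why it is safe to put into the redirect URL as is. A unit test that exercises both branches with and without the prefix would catch the header case.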