Merge pull request #52 from route443/main

Fix: ZoneSync delays in some installations caused problems Fix: Double URL encoding in proxy upstream after internalRedirect
nginxinc · Apr 20, 2022 · 62b5e04 · 62b5e04
2 parents db991ec + bd4e9cb
commit 62b5e04
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/openid_connect.js b/openid_connect.js
@@ -7,7 +7,30 @@ var newSession = false; // Used by oidcAuth() and validateIdToken()
 
 export default {auth, codeExchange, validateIdToken, logout};
 
-function auth(r) {
+function retryOriginalRequest(r) {
+    delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
+    r.internalRedirect(r.variables.uri + r.variables.is_args + (r.variables.args || ''));
+}
+
+// If the ID token has not been synced yet, poll the variable every 100ms until
+// get a value or after a timeout.
+function waitForSessionSync(r, timeLeft) {
+    if (r.variables.session_jwt) {
+        retryOriginalRequest(r);
+    } else if (timeLeft > 0) {
+        setTimeout(waitForSessionSync, 100, r, timeLeft - 100);
+    } else {
+        auth(r, true);
+    }
+}
+
+function auth(r, afterSyncCheck) {
+    // If a cookie was sent but the ID token is not in the key-value database, wait for the token to be in sync.
+    if (r.variables.cookie_auth_token && !r.variables.session_jwt && !afterSyncCheck && r.variables.zone_sync_leeway > 0) {
+        waitForSessionSync(r, r.variables.zone_sync_leeway);
+        return;
+    }
+
     if (!r.variables.refresh_token || r.variables.refresh_token == "-") {
         newSession = true;
 
@@ -88,8 +111,7 @@ function auth(r) {
                             r.variables.refresh_token = tokenset.refresh_token; // Update key-value store
                         }
 
-                        delete r.headersOut["WWW-Authenticate"]; // Remove evidence of original failed auth_jwt
-                        r.internalRedirect(r.variables.request_uri); // Continue processing original request
+                        retryOriginalRequest(r); // Continue processing original request
                     }
                 );
             } catch (e) {

diff --git a/openid_connect_configuration.conf b/openid_connect_configuration.conf
@@ -43,6 +43,16 @@ map $host $oidc_hmac_key {
     default "ChangeMe";
 }
 
+map $host $zone_sync_leeway {
+    # Specifies the maximum timeout for synchronizing ID tokens between cluster
+    # nodes when you use shared memory zone content sync. This option is only
+    # recommended for scenarios where cluster nodes can randomly process
+    # requests from user agents and there may be a situation where node "A"
+    # successfully received a token, and node "B" receives the next request in
+    # less than zone_sync_interval.
+    default 0; # Time in milliseconds, e.g. (zone_sync_interval * 2 * 1000)
+}
+
 map $proto $oidc_cookie_flags {
     http  "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
     https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation