pomerium / pomerium / 24800708842

45%

Build Type

push

github

Committed by web-flow

Commit Message

pomerium/authorize: disable redirect when session passed in header or query string (#6289)

## Summary
During authorization an invalid session (expired, invalid or doesn't
exist) will result in a redirect to the authenticate service. However
sometimes this redirect should not happen: for gRPC/gRPC-web calls, json
requests, MCP requests, etc...

Add two more cases for when we should prevent the redirect:

- If the pomerium session/service account is found as an HTTP header
- If the pomerium session/service account is found as an HTTP request
URL query string parameter

In these cases initiating an interactive login doesn't make sense
because headers/query string parameters indicates that the user isn't
using cookies for authentication.

## Related issues
-
[ENG-3156](https://linear.app/pomerium/issue/ENG-3156/core-invalid-or-missing-service-accounts-should-result-in-forbidden)


## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

Coverage Stats

31 of 33 new or added lines in 2 files covered. (93.94%)

49 existing lines in 8 files now uncovered.

35644 of 77906 relevant lines covered (45.75%)

115.54 hits per line