Allow MFA devices with / in names to be deleted from UI#11011
Allow MFA devices with / in names to be deleted from UI#11011probakowski wants to merge 1 commit into
/ in names to be deleted from UI#11011Conversation
/ in names to be deleted/ in names to be deleted from UI
There was a problem hiding this comment.
This change fixes the problem with /webapi/mfa/token/:token/devices/:devicename endpoint, but does not address other endpoints with exact same problem e.g. /webapi/sites/:site/desktops/:desktopName.
I believe the proper fix should be done at the library level, e.g. by forking httprouter and applying julienschmidt/httprouter#209 which was raised to address this exact issue, or in any other way which ensures syntax :param works with encoded parameter values.
Doing so will also work towards resolving #10576
| if err := h.GetProxyClient().DeleteMFADeviceSync(r.Context(), &proto.DeleteMFADeviceSyncRequest{ | ||
| TokenID: p.ByName("token"), | ||
| DeviceName: p.ByName("devicename"), | ||
| DeviceName: p.ByName("devicename")[1:], |
There was a problem hiding this comment.
what does this change do?
| _, err = clt.Delete(ctx, pack.clt.Endpoint("webapi", "mfa", "token", privilegeToken, "devices", enc)) | ||
| require.NoError(t, err) |
There was a problem hiding this comment.
While we're here testing this, any cases where there should be an error? Can you try to delete a device that doesn't exist, or you don't have permissions for?
|
I went ahead and tested (#11068) that the comprehensive fix appears to be to:
What do you think? To be clear, I think we want to reference our own fork of |
|
@probakowski @Tener Hey guys, if we're going in a different direction like @Tener mentioned, should this one be closed? |
Yeah, I think this makes sense. The tests are definitely useful to show the issue is fixed though. |
|
Yes, that makes sense, I'll close this one |
Currently MFA devices with
/in names can't be removed from UI becausehttproutercan't match correct route as it sees additional path segments despite:devicenamebeing correctly escaped (go doesn't treat encoded reserved characters as different from unescaped, deviating from RFC).This change fixes that by using catch-all route instead, which captures all characters past
/device.