remove authorizationUrl redirect (#824)

qiwzhang · web-flow · commit 621211d1c72e · 2021-01-05T15:27:56.000-08:00
Signed-off-by: Wayne Zhang &lt;qiwzhang@google.com&gt;
diff --git a/src/nginx/error.cc b/src/nginx/error.cc
@@ -47,16 +47,9 @@ ngx_str_t application_grpc = ngx_string("application/grpc");
 
 ngx_str_t www_authenticate = ngx_string("WWW-Authenticate");
 const u_char www_authenticate_lowcase[] = "www-authenticate";
-ngx_str_t kLocation = ngx_string("Location");
-const u_char kLocationLowcase[] = "location";
 ngx_str_t missing_credential = ngx_string("Bearer");
 ngx_str_t invalid_token = ngx_string("Bearer, error=\"invalid_token\"");
 
-const char *kInvalidAuthToken =
-    "JWT validation failed: Missing or invalid credentials";
-const char *kExpiredAuthToken =
-    "JWT validation failed: TIME_CONSTRAINT_FAILURE";
-
 ngx_http_output_header_filter_pt ngx_http_next_header_filter;
 ngx_http_output_body_filter_pt ngx_http_next_body_filter;
 
@@ -109,39 +102,6 @@ ngx_int_t ngx_esp_handle_www_authenticate(ngx_http_request_t *r,
   return NGX_OK;
 }
 
-// If authentication fails, and authorization url is not empty,
-// Reply 302 and authorization url.
-ngx_int_t ngx_esp_handle_authorization_url(ngx_http_request_t *r,
-                                           ngx_esp_request_ctx_t *ctx) {
-  if (ctx && ctx->status.code() == Code::UNAUTHENTICATED &&
-      ctx->status.error_cause() == utils::Status::AUTH &&
-      (ctx->status.message() == kInvalidAuthToken ||
-       ctx->status.message() == kExpiredAuthToken)) {
-    std::string url = ctx->request_handler->GetAuthorizationUrl();
-    if (!url.empty()) {
-      r->headers_out.status = NGX_HTTP_MOVED_TEMPORARILY;
-
-      ngx_table_elt_t *loc;
-      loc = reinterpret_cast<ngx_table_elt_t *>(
-          ngx_list_push(&r->headers_out.headers));
-      if (loc == nullptr) {
-        return NGX_ERROR;
-      }
-
-      loc->key = kLocation;
-      loc->lowcase_key = const_cast<u_char *>(kLocationLowcase);
-      loc->hash = ngx_hash_key(const_cast<u_char *>(kLocationLowcase),
-                               sizeof(kLocationLowcase) - 1);
-
-      ngx_str_copy_from_std(r->pool, url, &loc->value);
-      ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
-                     "ESP authorization_url: %V", &loc->value);
-      r->headers_out.location = loc;
-    }
-  }
-  return NGX_OK;
-}
-
 ngx_int_t ngx_esp_error_header_filter(ngx_http_request_t *r) {
   ngx_esp_request_ctx_t *ctx = reinterpret_cast<ngx_esp_request_ctx_t *>(
       ngx_http_get_module_ctx(r, ngx_esp_module));
@@ -170,9 +130,6 @@ ngx_int_t ngx_esp_error_header_filter(ngx_http_request_t *r) {
       ngx_int_t ret;
       ret = ngx_esp_handle_www_authenticate(r, ctx);
       if (ret != NGX_OK) return ret;
-
-      ret = ngx_esp_handle_authorization_url(r, ctx);
-      if (ret != NGX_OK) return ret;
     }
 
     // Clear headers (refilled by subsequent NGX header filters)
diff --git a/src/nginx/t/BUILD b/src/nginx/t/BUILD
@@ -57,7 +57,6 @@ nginx_suite(
         "auth_ok_check_fail.t",
         "auth_pass_user_info.t",
         "auth_pkey_cache.t",
-        "auth_redirect.t",
         "auth_remove_user_info.t",
         "auth_unreachable_pkey.t",
         "new_http.t",
diff --git a/src/nginx/t/auth_redirect.t b/src/nginx/t/auth_redirect.t
