auth: bypass cookie auth for grafana bearer token

sni · Apr 15, 2024 · 21ef579 · 21ef579
1 parent 089a3e2
commit 21ef579
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/script/thruk_auth b/script/thruk_auth
@@ -69,6 +69,7 @@ my $line_regex          = qr|^/(.*?)/(.*?)/____/(.*)$|mx;
 my $prefix              = $urlprefix; $prefix =~ s|^/||mx;
 # if changed, adjust AddDefaults.pm as well
 my $pass_regex          = qr#^$prefix(themes|javascript|cache|vendor|images|usercontent|cgi\-bin/(login|remote|restricted)\.cgi)#mx;
+my $bearer_pass_regex   = qr#/grafana/api/#mx;
 my $cookie_regex        = qr/thruk_auth=(\w+)/mx;
 my $last_cache_clean    = 0;
 
@@ -181,6 +182,12 @@ sub process {
     # direct access with basic auth
     if($extra->[1]) {
         my $auth = $extra->[1];
+        # passthrough some bearer token urls
+        if($auth =~ m|^Bearer\s+|mxi && $path =~ m|$bearer_pass_regex|mx) {
+            _debug("pass $path") if $verbose > 1;
+            return "/pass/$path";
+        }
+
         # use session cache for a few seconds
         my $cached        = $sessioncache->{$auth};
         my $cache_timeout = (defined $cached && $cached->{'failed'}) ? $sessionfailtimeout : $sessioncachetimeout;