gravitational · espadolini · Mar 22, 2024 · Mar 21, 2024 · Mar 22, 2024
diff --git a/lib/client/redirect.go b/lib/client/redirect.go
@@ -268,13 +268,14 @@ func (rd *Redirector) callback(w http.ResponseWriter, r *http.Request) (*auth.SS
 		return nil, trace.NotFound("path not found")
 	}
 
-	if r.URL.Query().Has("err") {
-		err := r.URL.Query().Get("err")
+	r.ParseForm()
+	if r.Form.Has("err") {
+		err := r.Form.Get("err")
 		return nil, trace.Errorf("identity provider callback failed with error: %v", err)
 	}
 
 	// Decrypt ciphertext to get login response.
-	plaintext, err := rd.key.Open([]byte(r.URL.Query().Get("response")))
+	plaintext, err := rd.key.Open([]byte(r.Form.Get("response")))
 	if err != nil {
 		return nil, trace.BadParameter("failed to decrypt response: in %v, err: %v", r.URL.String(), err)
 	}
@@ -301,12 +302,27 @@ func (rd *Redirector) Close() error {
 // and sends a result to the channel and redirect users to error page
 func (rd *Redirector) wrapCallback(fn func(http.ResponseWriter, *http.Request) (*auth.SSHLoginResponse, error)) http.Handler {
 	clone := *rd.proxyURL
+	origin := clone.String()
 	clone.Path = LoginFailedRedirectURL
 	errorURL := clone.String()
 	clone.Path = LoginSuccessRedirectURL
 	successURL := clone.String()
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Add("Access-Control-Allow-Origin", origin)
+		w.Header().Add("Access-Control-Allow-Methods", "GET, POST")
+		w.Header().Add("Access-Control-Allow-Private-Network", "true")
+		w.Header().Add("Allow", "GET, OPTIONS, POST")
+		switch r.Method {
+		default:
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		case http.MethodOptions:
+			w.WriteHeader(http.StatusOK)
+			return
+		case http.MethodGet, http.MethodPost:
+		}
+
 		response, err := fn(w, r)
 		if err != nil {
 			if trace.IsNotFound(err) {
@@ -316,18 +332,15 @@ func (rd *Redirector) wrapCallback(fn func(http.ResponseWriter, *http.Request) (
 			select {
 			case rd.errorC <- err:
 			case <-rd.context.Done():
-				http.Redirect(w, r, errorURL, http.StatusFound)
-				return
 			}
 			http.Redirect(w, r, errorURL, http.StatusFound)
 			return
 		}
 		select {
 		case rd.responseC <- response:
+			http.Redirect(w, r, successURL, http.StatusFound)
 		case <-rd.context.Done():
 			http.Redirect(w, r, errorURL, http.StatusFound)
-			return
 		}
-		http.Redirect(w, r, successURL, http.StatusFound)
 	})
 }