fix(docker-desktop): support auth cookies [BE-11134] (#12108)

2025-07-25 00:09:40 +02:00 · 2024-08-21 18:21:51 +12:00 · 2024-08-21 18:21:51 +12:00 · f016b31388
commit f016b31388
parent 8cd53a4b7a
8 changed files with 70 additions and 38 deletions
--- a/api/http/csrf/csrf.go
+++ b/api/http/csrf/csrf.go
@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"fmt"
 	"net/http"
+	"os"

 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@ -13,6 +14,13 @@ import (
 )

 func WithProtect(handler http.Handler) (http.Handler, error) {
+	// IsDockerDesktopExtension is used to check if we should skip csrf checks in the request bouncer (ShouldSkipCSRFCheck)
+	// DOCKER_EXTENSION is set to '1' in build/docker-extension/docker-compose.yml
+	isDockerDesktopExtension := false
+	if val, ok := os.LookupEnv("DOCKER_EXTENSION"); ok && val == "1" {
+		isDockerDesktopExtension = true
+	}
+
 	handler = withSendCSRFToken(handler)

 	token := make([]byte, 32)
@ -26,7 +34,7 @@ func WithProtect(handler http.Handler) (http.Handler, error) {
 		gorillacsrf.Secure(false),
 	)(handler)

-	return withSkipCSRF(handler), nil
+	return withSkipCSRF(handler, isDockerDesktopExtension), nil
 }

 func withSendCSRFToken(handler http.Handler) http.Handler {
@ -45,9 +53,9 @@ func withSendCSRFToken(handler http.Handler) http.Handler {
 	})
 }

-func withSkipCSRF(handler http.Handler) http.Handler {
+func withSkipCSRF(handler http.Handler, isDockerDesktopExtension bool) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		skip, err := security.ShouldSkipCSRFCheck(r)
+		skip, err := security.ShouldSkipCSRFCheck(r, isDockerDesktopExtension)
 		if err != nil {
 			httperror.WriteError(w, http.StatusForbidden, err.Error(), err)