ory · jrester · Dec 28, 2022 · Jan 27, 2023 · Mar 18, 2023 · Mar 18, 2023
@@ -41,13 +41,16 @@ func NewJudgeHandler(r decisionHandlerRegistry) *DecisionHandler {
 
 func (h *DecisionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 	if len(r.URL.Path) >= len(DecisionPath) && r.URL.Path[:len(DecisionPath)] == DecisionPath {
-		r.Method = x.OrDefaultString(r.Header.Get(xForwardedMethod), r.Method)
-		r.URL.Scheme = x.OrDefaultString(r.Header.Get(xForwardedProto),
-			x.IfThenElseString(r.TLS != nil, "https", "http"))
-		r.URL.Host = x.OrDefaultString(r.Header.Get(xForwardedHost), r.Host)
-		r.URL.Path = x.OrDefaultString(strings.SplitN(r.Header.Get(xForwardedUri), "?", 2)[0], r.URL.Path[len(DecisionPath):])
-
-		h.decisions(w, r)
+		// Clone the request, instead of modifing the incoming request directly.
+		// This is nevessary because the middleware would otherwise use the method from "X-Forwarded-Method" for the response
+		// although the original request had another method, which leads to problems with the HEAD method.
+		// For more information see: https://github.com/thomseddon/traefik-forward-auth/issues/156
+		forwardedReq := r.Clone(r.Context())
+		forwardedReq.Method = x.OrDefaultString(r.Header.Get(xForwardedMethod), r.Method)
+		forwardedReq.URL.Scheme = x.OrDefaultString(r.Header.Get(xForwardedProto), x.IfThenElseString(r.TLS != nil, "https", "http"))
+		forwardedReq.URL.Host = x.OrDefaultString(r.Header.Get(xForwardedHost), r.Host)
+		forwardedReq.URL.Path = x.OrDefaultString(strings.SplitN(r.Header.Get(xForwardedUri), "?", 2)[0], r.URL.Path[len(DecisionPath):])
+		h.decisions(w, forwardedReq)
 	} else {
 		next(w, r)
 	}

@@ -14,6 +14,7 @@ import (
 	"net/url"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/stretchr/testify/assert"
@@ -22,6 +23,7 @@ import (
 	"github.com/urfave/negroni"
 
 	"github.com/ory/herodot"
+	"github.com/ory/x/configx"
 	"github.com/ory/x/logrusx"
 
 	"github.com/ory/oathkeeper/api"
@@ -33,7 +35,7 @@ import (
 )
 
 func TestDecisionAPI(t *testing.T) {
-	conf := internal.NewConfigurationWithDefaults()
+	conf := internal.NewConfigurationWithDefaults(configx.SkipValidation())
 	conf.SetForTest(t, configuration.AuthenticatorNoopIsEnabled, true)
 	conf.SetForTest(t, configuration.AuthenticatorUnauthorizedIsEnabled, true)
 	conf.SetForTest(t, configuration.AuthenticatorAnonymousIsEnabled, true)
@@ -299,6 +301,29 @@ func TestDecisionAPI(t *testing.T) {
 			code:  http.StatusOK,
 			authz: "",
 		},
+		{
+			d:   "HEAD request should not result in an read timeout",
+			url: ts.URL + "/decisions" + "/authn-anon/authz-allow/cred-noop/1234",
+			rulesRegexp: []rule.Rule{{
+				Match:          &rule.Match{Methods: []string{"HEAD"}, URL: ts.URL + "/authn-anon/authz-allow/cred-noop/<[0-9]+>"},
+				Authenticators: []rule.Handler{{Handler: "anonymous"}},
+				Authorizer:     rule.Handler{Handler: "allow"},
+				Mutators:       []rule.Handler{{Handler: "noop"}},
+				Upstream:       rule.Upstream{URL: ""},
+			}},
+			rulesGlob: []rule.Rule{{
+				Match:          &rule.Match{Methods: []string{"HEAD"}, URL: ts.URL + "/authn-anon/authz-allow/cred-noop/<[0-9]*>"},
+				Authenticators: []rule.Handler{{Handler: "anonymous"}},
+				Authorizer:     rule.Handler{Handler: "allow"},
+				Mutators:       []rule.Handler{{Handler: "noop"}},
+				Upstream:       rule.Upstream{URL: ""},
+			}},
+			transform: func(r *http.Request) {
+				r.Header.Add("X-Forwarded-Method", "HEAD")
+			},
+			code:  http.StatusOK,
+			authz: "",
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
 			testFunc := func(strategy configuration.MatchingStrategy) {
@@ -309,7 +334,10 @@ func TestDecisionAPI(t *testing.T) {
 					tc.transform(req)
 				}
 
-				res, err := http.DefaultClient.Do(req)
+				httpClient := http.Client{
+					Timeout: 2 * time.Second,
+				}
+				res, err := httpClient.Do(req)
 				require.NoError(t, err)
 
 				entireBody, err := io.ReadAll(res.Body)