ccm,ocm: block API key headers from being forwarded upstream

2026-04-14 04:38:28 +10:00 · 2026-03-14 22:04:45 +08:00
parent 56af7313b2
commit bc6e72408d
13 changed files with 60 additions and 4 deletions
--- a/service/ccm/credential_default.go
+++ b/service/ccm/credential_default.go
@@ -715,7 +715,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && !isAPIKeyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ccm/credential_external.go
+++ b/service/ccm/credential_external.go
@@ -371,7 +371,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && !isAPIKeyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ccm/reverse.go
+++ b/service/ccm/reverse.go
@@ -57,6 +57,12 @@ func (s *Service) handleReverseConnect(ctx context.Context, w http.ResponseWrite
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with a CCM user token")
+		return
+	}
+
 	authHeader := r.Header.Get("Authorization")
 	if authHeader == "" {
 		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -139,6 +139,15 @@ func isReverseProxyHeader(header string) bool {
 	}
 }

+func isAPIKeyHeader(header string) bool {
+	switch strings.ToLower(header) {
+	case "x-api-key", "api-key":
+		return true
+	default:
+		return false
+	}
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx           context.Context
--- a/service/ccm/service_handler.go
+++ b/service/ccm/service_handler.go
@@ -104,6 +104,12 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with a CCM user token")
+		return
+	}
+
 	var username string
 	if len(s.options.Users) > 0 {
 		authHeader := r.Header.Get("Authorization")
--- a/service/ccm/service_status.go
+++ b/service/ccm/service_status.go
@@ -20,6 +20,12 @@ func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with a CCM user token")
+		return
+	}
+
 	authHeader := r.Header.Get("Authorization")
 	if authHeader == "" {
 		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
--- a/service/ocm/credential_default.go
+++ b/service/ocm/credential_default.go
@@ -730,7 +730,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && !isAPIKeyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ocm/credential_external.go
+++ b/service/ocm/credential_external.go
@@ -395,7 +395,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && !isAPIKeyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ocm/reverse.go
+++ b/service/ocm/reverse.go
@@ -57,6 +57,12 @@ func (s *Service) handleReverseConnect(ctx context.Context, w http.ResponseWrite
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with an OCM user token")
+		return
+	}
+
 	authHeader := r.Header.Get("Authorization")
 	if authHeader == "" {
 		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -152,6 +152,15 @@ func isReverseProxyHeader(header string) bool {
 	}
 }

+func isAPIKeyHeader(header string) bool {
+	switch strings.ToLower(header) {
+	case "x-api-key", "api-key":
+		return true
+	default:
+		return false
+	}
+}
+
 type Service struct {
 	boxService.Adapter
 	ctx             context.Context
--- a/service/ocm/service_handler.go
+++ b/service/ocm/service_handler.go
@@ -80,6 +80,12 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with an OCM user token")
+		return
+	}
+
 	var username string
 	if len(s.options.Users) > 0 {
 		authHeader := r.Header.Get("Authorization")
--- a/service/ocm/service_status.go
+++ b/service/ocm/service_status.go
@@ -20,6 +20,12 @@ func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+			"API key authentication is not supported; use Authorization: Bearer with an OCM user token")
+		return
+	}
+
 	authHeader := r.Header.Get("Authorization")
 	if authHeader == "" {
 		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
--- a/service/ocm/service_websocket.go
+++ b/service/ocm/service_websocket.go
@@ -82,6 +82,8 @@ func isForwardableWebSocketRequestHeader(key string) bool {
 	switch {
 	case lowerKey == "authorization":
 		return false
+	case lowerKey == "x-api-key" || lowerKey == "api-key":
+		return false
 	case strings.HasPrefix(lowerKey, "sec-websocket-"):
 		return false
 	default: