From 07e8042192d24a0d38effb5b6f86cfc3ef78f8f9 Mon Sep 17 00:00:00 2001
From: ctas582 <ctas582@users.noreply.github.com>
Date: Wed, 10 Apr 2019 16:18:06 +0100
Subject: [PATCH] Forward all header values from forward auth response

---
 middlewares/auth/forward.go      | 6 +++++-
 middlewares/auth/forward_test.go | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/middlewares/auth/forward.go b/middlewares/auth/forward.go
index 7afc767c6..247f28c71 100644
--- a/middlewares/auth/forward.go
+++ b/middlewares/auth/forward.go
@@ -96,7 +96,11 @@ func Forward(config *types.Forward, w http.ResponseWriter, r *http.Request, next
 	}
 
 	for _, headerName := range config.AuthResponseHeaders {
-		r.Header.Set(headerName, forwardResponse.Header.Get(headerName))
+		headerKey := http.CanonicalHeaderKey(headerName)
+		r.Header.Del(headerKey)
+		if len(forwardResponse.Header[headerKey]) > 0 {
+			r.Header[headerKey] = append([]string(nil), forwardResponse.Header[headerKey]...)
+		}
 	}
 
 	r.RequestURI = r.URL.RequestURI()
diff --git a/middlewares/auth/forward_test.go b/middlewares/auth/forward_test.go
index a0364a030..43abe100e 100644
--- a/middlewares/auth/forward_test.go
+++ b/middlewares/auth/forward_test.go
@@ -50,6 +50,8 @@ func TestForwardAuthFail(t *testing.T) {
 func TestForwardAuthSuccess(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Auth-User", "user@example.com")
+		w.Header().Add("X-Auth-Group", "group1")
+		w.Header().Add("X-Auth-Group", "group2")
 		w.Header().Set("X-Auth-Secret", "secret")
 		fmt.Fprintln(w, "Success")
 	}))
@@ -58,13 +60,14 @@ func TestForwardAuthSuccess(t *testing.T) {
 	middleware, err := NewAuthenticator(&types.Auth{
 		Forward: &types.Forward{
 			Address:             server.URL,
-			AuthResponseHeaders: []string{"X-Auth-User"},
+			AuthResponseHeaders: []string{"X-Auth-User", "X-Auth-Group"},
 		},
 	}, &tracing.Tracing{})
 	assert.NoError(t, err, "there should be no error")
 
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		assert.Equal(t, "user@example.com", r.Header.Get("X-Auth-User"))
+		assert.Equal(t, []string{"group1", "group2"}, r.Header["X-Auth-Group"])
 		assert.Empty(t, r.Header.Get("X-Auth-Secret"))
 		fmt.Fprintln(w, "traefik")
 	})
@@ -74,6 +77,7 @@ func TestForwardAuthSuccess(t *testing.T) {
 	defer ts.Close()
 
 	req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
+	req.Header.Set("X-Auth-Group", "admin_group")
 	res, err := http.DefaultClient.Do(req)
 	assert.NoError(t, err, "there should be no error")
 	assert.Equal(t, http.StatusOK, res.StatusCode, "they should be equal")