Update metadata

check-spelling run (pull_request) for main

Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com>
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>

.github/actions/spelling/expect.txt

@@ -341,6 +341,7 @@ xff
 XForwarded
 XNG
 XOB
+XOriginal
 XReal
 yae
 YAMLTo

docs/docs/CHANGELOG.md

@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 <!-- This changes the project to: -->
-
+- Added a missing link to the Caddy installation environment in the installation documentation.
 - Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
 - The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
 - [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
@@ -40,12 +40,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump AI-robots.txt to version 1.39
 - Add a default block rule for Huawei Cloud.
 - Add a default block rule for Alibaba Cloud.
+- Add X-Request-URI support so that Subrequest Authentication has path support.
 
 ### Security-relevant changes
 
 #### Fix potential double-spend for challenges
 
-Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is tored in the database.
+Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.
 
 The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens.
 

docs/docs/admin/frameworks/wordpress.mdx

@@ -1,6 +1,6 @@
-# Wordpress
+# WordPress
 
-Wordpress is the most popular blog engine on the planet.
+WordPress is the most popular blog engine on the planet.
 
 ## Using a multi-site setup with Anubis
 
@@ -27,7 +27,7 @@ flowchart LR
     US --> |whatever you're doing| B
 ```
 
-Wordpress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:
+WordPress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:
 
 ```php
 if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
@@ -36,4 +36,4 @@ if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROT
 }
 ```
 
-This will make Wordpress think that your connection is over HTTPS instead of plain HTTP.
+This will make WordPress think that your connection is over HTTPS instead of plain HTTP.

docs/docs/admin/installation.mdx

@@ -178,6 +178,7 @@ Alternatively here is a key generated by your browser:
 To get Anubis filtering your traffic, you need to make sure it's added to your HTTP load balancer or platform configuration. See the [environments category](/docs/category/environments) for detailed information on individual environments.
 
 - [Apache](./environments/apache.mdx)
+- [Caddy](./environments/caddy.mdx)
 - [Docker compose](./environments/docker-compose.mdx)
 - [Kubernetes](./environments/kubernetes.mdx)
 - [Nginx](./environments/nginx.mdx)

lib/policy/checker.go

@@ -102,6 +102,13 @@ func NewPathChecker(rexStr string) (checker.Impl, error) {
 }
 
 func (pc *PathChecker) Check(r *http.Request) (bool, error) {
+	originalUrl := r.Header.Get("X-Original-URI")
+	if originalUrl != "" {
+		if pc.regexp.MatchString(originalUrl) {
+			return true, nil
+		}
+	}
+
 	if pc.regexp.MatchString(r.URL.Path) {
 		return true, nil
 	}

lib/policy/checker_test.go

@@ -198,3 +198,96 @@ func TestHeaderExistsChecker(t *testing.T) {
 		})
 	}
 }
+
+func TestPathChecker_XOriginalURI(t *testing.T) {
+	tests := []struct {
+		name          string
+		regex         string
+		xOriginalURI  string
+		urlPath       string
+		headerKey     string
+		expectedMatch bool
+		expectError   bool
+	}{
+		{
+			name:          "X-Original-URI matches regex (with trailing space - current typo)",
+			regex:         "^/api/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/different/path",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "X-Original-URI doesn't match, falls back to URL.Path",
+			regex:         "^/admin/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/admin/dashboard",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "Neither X-Original-URI nor URL.Path match",
+			regex:         "^/admin/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/public/info",
+			headerKey:     "X-Original-URI ",
+			expectedMatch: false,
+			expectError:   false,
+		},
+		{
+			name:          "Empty X-Original-URI, URL.Path matches",
+			regex:         "^/static/.*",
+			xOriginalURI:  "",
+			urlPath:       "/static/css/style.css",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "Complex regex matching X-Original-URI",
+			regex:         `^/api/v[0-9]+/(users|posts)/[0-9]+$`,
+			xOriginalURI:  "/api/v1/users/123",
+			urlPath:       "/different",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create the PathChecker
+			pc, err := NewPathChecker(tt.regex)
+			if err != nil {
+				if !tt.expectError {
+					t.Fatalf("NewPathChecker() unexpected error: %v", err)
+				}
+				return
+			}
+
+			if tt.expectError {
+				t.Fatal("NewPathChecker() expected error but got none")
+			}
+
+			req, err := http.NewRequest("GET", "http://example.com"+tt.urlPath, nil)
+			if err != nil {
+				t.Fatalf("Failed to create request: %v", err)
+			}
+
+			if tt.xOriginalURI != "" {
+				req.Header.Set(tt.headerKey, tt.xOriginalURI)
+			}
+
+			match, err := pc.Check(req)
+			if err != nil {
+				t.Fatalf("Check() unexpected error: %v", err)
+			}
+
+			if match != tt.expectedMatch {
+				t.Errorf("Check() = %v, want %v", match, tt.expectedMatch)
+			}
+		})
+	}
+}

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.22.0-pre1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@techaro/anubis",
-      "version": "1.21.3",
+      "version": "1.22.0-pre1",
       "license": "ISC",
       "dependencies": {
         "@aws-crypto/sha256-js": "^5.2.0"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.22.0-pre1",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -30,4 +30,4 @@
   "dependencies": {
     "@aws-crypto/sha256-js": "^5.2.0"
   }
-}
+}