Update metadata

check-spelling run (pull_request) for main Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>
lib/checker: Implement X-Original-URI support (#1015 )
2026-04-19 14:46:39 +00:00 · 2025-08-24 17:34:10 -04:00 · 2025-08-23 23:14:37 -04:00 · 2025-08-24 03:12:08 +00:00 · 2025-08-24 02:52:09 +00:00
5 changed files with 108 additions and 6 deletions
@@ -341,6 +341,7 @@ xff
 XForwarded
 XNG
 XOB
+XOriginal
 XReal
 yae
 YAMLTo
@@ -12,7 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]

 <!-- This changes the project to: -->
- Added a missiling link to the Caddy installation environment in the installation documentation.
+- Added a missing link to the Caddy installation environment in the installation documentation.
 - Downstream consumers can change the default [log/slog#Logger](https://pkg.go.dev/log/slog#Logger) instance that Anubis uses by setting `opts.Logger` to your slog instance of choice ([#864](https://github.com/TecharoHQ/anubis/issues/864)).
 - The [Thoth client](https://anubis.techaro.lol/docs/admin/thoth) is now public in the repo instead of being an internal package.
 - [Custom-AsyncHttpClient](https://github.com/AsyncHttpClient/async-http-client)'s default User-Agent has an increased weight by default ([#852](https://github.com/TecharoHQ/anubis/issues/852)).
@@ -40,12 +40,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump AI-robots.txt to version 1.39
 - Add a default block rule for Huawei Cloud.
 - Add a default block rule for Alibaba Cloud.
+- Add X-Request-URI support so that Subrequest Authentication has path support.

 ### Security-relevant changes

 #### Fix potential double-spend for challenges

-Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is tored in the database.
+Anubis operates by issuing a challenge and having the client present a solution for that challenge. Challenges are identified by a unique UUID, which is stored in the database.

 The problem is that a challenge could potentially be used twice by a dedicated attacker making a targeted attack against Anubis. Challenge records did not have a "spent" or "used" field. In total, a dedicated attacker could solve a challenge once and reuse that solution across multiple sessions in order to mint additional tokens.

@@ -1,6 +1,6 @@
-# Wordpress
+# WordPress

-Wordpress is the most popular blog engine on the planet.
+WordPress is the most popular blog engine on the planet.

 ## Using a multi-site setup with Anubis

@@ -27,7 +27,7 @@ flowchart LR
    US --> |whatever you're doing| B
 ```

-Wordpress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:
+WordPress may not realize that the underlying connection is being done over HTTPS. This could lead to a redirect loop in the `/wp-admin/` routes. In order to fix this, add the following to your `wp-config.php` file:

 ```php
 if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
@@ -36,4 +36,4 @@ if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROT
 }
 ```

-This will make Wordpress think that your connection is over HTTPS instead of plain HTTP.
+This will make WordPress think that your connection is over HTTPS instead of plain HTTP.
@@ -102,6 +102,13 @@ func NewPathChecker(rexStr string) (checker.Impl, error) {
 }

 func (pc *PathChecker) Check(r *http.Request) (bool, error) {
+	originalUrl := r.Header.Get("X-Original-URI")
+	if originalUrl != "" {
+		if pc.regexp.MatchString(originalUrl) {
+			return true, nil
+		}
+	}
+
 	if pc.regexp.MatchString(r.URL.Path) {
 		return true, nil
 	}
@@ -198,3 +198,96 @@ func TestHeaderExistsChecker(t *testing.T) {
 		})
 	}
 }
+
+func TestPathChecker_XOriginalURI(t *testing.T) {
+	tests := []struct {
+		name          string
+		regex         string
+		xOriginalURI  string
+		urlPath       string
+		headerKey     string
+		expectedMatch bool
+		expectError   bool
+	}{
+		{
+			name:          "X-Original-URI matches regex (with trailing space - current typo)",
+			regex:         "^/api/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/different/path",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "X-Original-URI doesn't match, falls back to URL.Path",
+			regex:         "^/admin/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/admin/dashboard",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "Neither X-Original-URI nor URL.Path match",
+			regex:         "^/admin/.*",
+			xOriginalURI:  "/api/users",
+			urlPath:       "/public/info",
+			headerKey:     "X-Original-URI ",
+			expectedMatch: false,
+			expectError:   false,
+		},
+		{
+			name:          "Empty X-Original-URI, URL.Path matches",
+			regex:         "^/static/.*",
+			xOriginalURI:  "",
+			urlPath:       "/static/css/style.css",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+		{
+			name:          "Complex regex matching X-Original-URI",
+			regex:         `^/api/v[0-9]+/(users|posts)/[0-9]+$`,
+			xOriginalURI:  "/api/v1/users/123",
+			urlPath:       "/different",
+			headerKey:     "X-Original-URI",
+			expectedMatch: true,
+			expectError:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create the PathChecker
+			pc, err := NewPathChecker(tt.regex)
+			if err != nil {
+				if !tt.expectError {
+					t.Fatalf("NewPathChecker() unexpected error: %v", err)
+				}
+				return
+			}
+
+			if tt.expectError {
+				t.Fatal("NewPathChecker() expected error but got none")
+			}
+
+			req, err := http.NewRequest("GET", "http://example.com"+tt.urlPath, nil)
+			if err != nil {
+				t.Fatalf("Failed to create request: %v", err)
+			}
+
+			if tt.xOriginalURI != "" {
+				req.Header.Set(tt.headerKey, tt.xOriginalURI)
+			}
+
+			match, err := pc.Check(req)
+			if err != nil {
+				t.Fatalf("Check() unexpected error: %v", err)
+			}
+
+			if match != tt.expectedMatch {
+				t.Errorf("Check() = %v, want %v", match, tt.expectedMatch)
+			}
+		})
+	}
+}
Author	SHA1	Message	Date
Jason Cameron	29afb6f517	Update metadata check-spelling run (pull_request) for main Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com> on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev>	2025-08-24 17:34:10 -04:00
Skyler Mäntysaari	d1d631a18a	lib/checker: Implement X-Original-URI support (#1015 )	2025-08-23 23:14:37 -04:00
Timo Tijhof	f3cd6c9ca4	docs: fix "stored" typo in CHANGELOG.md (#1008 ) Co-authored-by: Jason Cameron <git@jasoncameron.dev>	2025-08-24 03:12:08 +00:00
Brad Parbs	23772fd3cb	s/Wordpress/WordPress in docs (#1020 ) Signed-off-by: Brad Parbs <brad@bradparbs.com>	2025-08-24 02:52:09 +00:00