Query params in URL bypasses BLACKLIST setting

[li6in9muyou]

To reproduce

1. set PROXY_BLACKLIST to /blacklist
2. send a GET request to /blacklist without any authorization header
3. now send another GET request with query params /blacklist?foo=bar without any authorization header

Expected behavior

Both request get 401.

Actual behavior

The second request does not get 401.

Possible cause

I believe the cause is in this function

jwt-auth-proxy/src/routes.go

Lines 154 to 228 in 6d8bff8

	func VerifyJwtMiddleware(next http.Handler) http.Handler {
	var isWhitelistMatch = func(url string, whitelistedURL string) bool {
	whitelistedURL = strings.TrimSpace(whitelistedURL)
	if strings.HasSuffix(whitelistedURL, "/") {
	whitelistedURL = whitelistedURL[:len(whitelistedURL)-1]
	}
	if whitelistedURL != "" && (url == whitelistedURL || strings.HasPrefix(url, whitelistedURL+"/")) {
	return true
	}
	return false
	}
	var IsWhitelisted = func(r *http.Request) bool {
	url := r.URL.RequestURI()
	// Check for whitelisted public API paths
	for _, whitelistedURL := range unauthorizedRoutes {
	if isWhitelistMatch(url, whitelistedURL) {
	return true
	}
	}
	// All other public API paths require a valid auth token
	if strings.HasPrefix(url, GetConfig().PublicAPIPath) {
	return false
	}
	// Whitelist Mode: Check is URL is whitelisted, else assume auth token is required
	if len(GetConfig().ProxyWhitelist) > 0 {
	for _, whitelistedURL := range GetConfig().ProxyWhitelist {
	if isWhitelistMatch(url, whitelistedURL) {
	return true
	}
	}
	return false
	}
	// Blacklist Mode: Check is URL is blacklisted, else assume auth token is NOT required
	for _, blacklistedURL := range GetConfig().ProxyBlacklist {
	if isWhitelistMatch(url, blacklistedURL) {
	return false
	}
	}
	return true
	}
	var HandleWhitelistReq = func(w http.ResponseWriter, r *http.Request) {
	claims, authHeader, err := ExtractClaimsFromRequest(r)
	if err != nil {
	next.ServeHTTP(w, r)
	return
	}
	ctx := context.WithValue(r.Context(), contextKeyUserID, claims.UserID)
	ctx = context.WithValue(ctx, contextKeyAuthHeader, authHeader)
	next.ServeHTTP(w, r.WithContext(ctx))
	}
	var HandleNonWhitelistReq = func(w http.ResponseWriter, r *http.Request) {
	claims, authHeader, err := ExtractClaimsFromRequest(r)
	if err != nil {
	log.Println(err)
	SendUnauthorized(w)
	return
	}
	ctx := context.WithValue(r.Context(), contextKeyUserID, claims.UserID)
	ctx = context.WithValue(ctx, contextKeyAuthHeader, authHeader)
	next.ServeHTTP(w, r.WithContext(ctx))
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Method == "OPTIONS" {
	HandleWhitelistReq(w, r)
	} else if IsWhitelisted(r) {
	HandleWhitelistReq(w, r)
	} else {
	HandleNonWhitelistReq(w, r)
	}
	})
	}