From 2367e86a21a72e635c032ec9037f8121af44a0b2 Mon Sep 17 00:00:00 2001
From: Geras Ghulyan <geras.ghulyan@vntana.com>
Date: Thu, 4 Nov 2021 20:25:45 +0400
Subject: [PATCH 1/2] Add support for authorization token, now it's possible to
 get token from request and put in the request header to get an image of
 authorization required

---
 imageproxy.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/imageproxy.go b/imageproxy.go
index 8a37a567f..f9de5cb59 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -149,6 +149,22 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	h.ServeHTTP(w, r)
 }
 
+//get authorization header value when query param authHeaderKey exists
+func getAuthHeader(r *http.Request) string {
+	if len(r.URL.Query()) > 0 && len(r.URL.Query()["authHeaderKey"]) > 0 {
+		authHeaderKey := getAuthHeaderKey(r)
+		if len(r.Header.Get(authHeaderKey)) > 0 {
+			return r.Header.Get(authHeaderKey)
+		}
+	}
+	return ""
+}
+
+func getAuthHeaderKey(r *http.Request) string {
+	authHeaderKey := r.URL.Query().Get("authHeaderKey")
+	return authHeaderKey
+}
+
 // serveImage handles incoming requests for proxied images.
 func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	req, err := NewRequest(r, p.DefaultBaseURL)
@@ -179,6 +195,10 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 		// pass along the referer header from the original request
 		copyHeader(actualReq.Header, r.Header, "referer")
 	}
+	authHeader := getAuthHeader(r)
+	if authHeader != "" {
+		actualReq.Header.Set(getAuthHeaderKey(r), authHeader)
+	}
 	if p.FollowRedirects {
 		// FollowRedirects is true (default), ensure that the redirected host is allowed
 		p.Client.CheckRedirect = func(newreq *http.Request, via []*http.Request) error {

From 406065bfd434e72615d83fd6be8f033a55c7159e Mon Sep 17 00:00:00 2001
From: Geras Ghulyan <geras.ghulyan@vntana.com>
Date: Fri, 5 Nov 2021 14:26:09 +0400
Subject: [PATCH 2/2] Update token mechanism to use token key from application
 argument like - imageproxy -passRequestHeader X-AUTH-TOKEN

---
 cmd/imageproxy/main.go |  2 ++
 imageproxy.go          | 25 ++++++-------------------
 2 files changed, 8 insertions(+), 19 deletions(-)

diff --git a/cmd/imageproxy/main.go b/cmd/imageproxy/main.go
index 2c9ce5d8c..08d42b4e0 100644
--- a/cmd/imageproxy/main.go
+++ b/cmd/imageproxy/main.go
@@ -39,6 +39,7 @@ var referrers = flag.String("referrers", "", "comma separated list of allowed re
 var includeReferer = flag.Bool("includeReferer", false, "include referer header in remote requests")
 var followRedirects = flag.Bool("followRedirects", true, "follow redirects")
 var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
+var passRequestHeader = flag.String("passRequestHeader", "", "default authentication header")
 var cache tieredCache
 var signatureKeys signatureKeyList
 var scaleUp = flag.Bool("scaleUp", false, "allow images to scale beyond their original dimensions")
@@ -79,6 +80,7 @@ func main() {
 		}
 	}
 
+	p.DefaultPassRequestHeader = *passRequestHeader
 	p.IncludeReferer = *includeReferer
 	p.FollowRedirects = *followRedirects
 	p.Timeout = *timeout
diff --git a/imageproxy.go b/imageproxy.go
index f9de5cb59..8b48fb609 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -53,6 +53,10 @@ type Proxy struct {
 	// is included in remote requests.
 	IncludeReferer bool
 
+	// IncludeReferer controls whether the original Referer request header
+	// is included in remote requests.
+	DefaultPassRequestHeader string
+
 	// FollowRedirects controls whether imageproxy will follow redirects or not.
 	FollowRedirects bool
 
@@ -149,22 +153,6 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	h.ServeHTTP(w, r)
 }
 
-//get authorization header value when query param authHeaderKey exists
-func getAuthHeader(r *http.Request) string {
-	if len(r.URL.Query()) > 0 && len(r.URL.Query()["authHeaderKey"]) > 0 {
-		authHeaderKey := getAuthHeaderKey(r)
-		if len(r.Header.Get(authHeaderKey)) > 0 {
-			return r.Header.Get(authHeaderKey)
-		}
-	}
-	return ""
-}
-
-func getAuthHeaderKey(r *http.Request) string {
-	authHeaderKey := r.URL.Query().Get("authHeaderKey")
-	return authHeaderKey
-}
-
 // serveImage handles incoming requests for proxied images.
 func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	req, err := NewRequest(r, p.DefaultBaseURL)
@@ -195,9 +183,8 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 		// pass along the referer header from the original request
 		copyHeader(actualReq.Header, r.Header, "referer")
 	}
-	authHeader := getAuthHeader(r)
-	if authHeader != "" {
-		actualReq.Header.Set(getAuthHeaderKey(r), authHeader)
+	if p.DefaultPassRequestHeader != "" {
+		actualReq.Header.Set(p.DefaultPassRequestHeader, r.Header.Get(p.DefaultPassRequestHeader))
 	}
 	if p.FollowRedirects {
 		// FollowRedirects is true (default), ensure that the redirected host is allowed