MM-52655 Allow plugin requests to include Authorization headers from external systems (#24391)

* remove the authorization header if the request is from an authenticated MM user * fix lint Co-authored-by: Michael Kochell <6913320+mickmister@users.noreply.github.com> --------- Co-authored-by: Michael Kochell <6913320+mickmister@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com>
2025-02-25 18:55:24 -06:00 · 2023-11-22 07:49:48 +09:00 · 2023-11-22 07:49:48 +09:00 · e1f72576fb
commit e1f72576fb
parent 5e94af1302
1 changed files with 2 additions and 1 deletions
--- a/server/channels/app/plugin_requests.go
+++ b/server/channels/app/plugin_requests.go
@ -208,6 +208,8 @@ func (ch *Channels) servePluginRequest(w http.ResponseWriter, r *http.Request, h
 		if (session != nil && session.Id != "") && err == nil && csrfCheckPassed {
 			r.Header.Set("Mattermost-User-Id", session.UserId)
 			context.SessionId = session.Id
+
+			r.Header.Del(model.HeaderAuth)
 		}
 	}

@ -218,7 +220,6 @@ func (ch *Channels) servePluginRequest(w http.ResponseWriter, r *http.Request, h
 			r.AddCookie(c)
 		}
 	}
-	r.Header.Del(model.HeaderAuth)
 	r.Header.Del("Referer")

 	params := mux.Vars(r)