Fix: Multi-Cookie Session Authentication Failure

[gazzadownunder]

Issue: Multi-Cookie Session Authentication Failure #5347

Root Cause

File: pkg/proxy/proxy.go:54

When OAuth sessions exceed 4KB, oauth2-proxy automatically splits the session across multiple cookies:

Cookie names: obot_access_token_0, obot_access_token_1, obot_access_token_2, etc.
The base cookie obot_access_token does NOT exist in multi-cookie mode
The AuthenticateRequest() function only checks for the base cookie name:

func (pm *Manager) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
    // Check for the access token cookie.
    if _, err := req.Cookie(ObotAccessTokenCookie); errors.Is(err, http.ErrNoCookie) {
        return nil, false, nil  // ← Returns "not authenticated"
    }
    // ... rest of authentication logic
}

When the base cookie doesn't exist:

1. req.Cookie() returns http.ErrNoCookie
2. Function returns nil, false, nil (not authenticated)
3. Middleware redirects to login page
4. User already has valid session but cannot be authenticated

Solution

Check for both the base cookie and the first multi-cookie:

func (pm *Manager) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
    // Check for the access token cookie.
    // When sessions exceed 4KB, oauth2-proxy splits them into multiple cookies (_0, _1, _2, etc.)
    // so we check for either the base cookie or the _0 cookie.
    _, err := req.Cookie(ObotAccessTokenCookie)
    if errors.Is(err, http.ErrNoCookie) {
        // Try the _0 cookie for multi-cookie sessions
        if _, err := req.Cookie(ObotAccessTokenCookieZero); errors.Is(err, http.ErrNoCookie) {
            return nil, false, nil
        }
    }
    // ... rest of authentication logic
}

[cjellick]

@njhale @g-linville review this when you have a chance. I know it's older, but it might not be a bad thing to get in.