use access token params from config

2026-03-26 12:36:49 +00:00 · 2026-03-17 16:59:32 -07:00
parent d81af67db3
commit f220c75a52
2 changed files with 17 additions and 17 deletions
--- a/main.go
+++ b/main.go
@@ -17,7 +17,9 @@ type Config struct {
 	APIBaseUrl                  string   `json:"apiBaseUrl,omitempty"`
 	UserSessionCookieName       string   `json:"userSessionCookieName,omitempty"`
 	ResourceSessionRequestParam string   `json:"resourceSessionRequestParam,omitempty"`
-	AccessTokenQueryParam       string   `json:"accessTokenQueryParam,omitempty"` // Deprecated: use ResourceSessionRequestParam
+	AccessTokenQueryParam       string   `json:"accessTokenQueryParam,omitempty"`
+	AccessTokenIDHeader         string   `json:"accessTokenIdHeader,omitempty"`
+	AccessTokenHeader           string   `json:"accessTokenHeader,omitempty"`
 	DisableForwardAuth          bool     `json:"disableForwardAuth,omitempty"`
 	TrustIP                     []string `json:"trustip,omitempty"`
 	DisableDefaultCFIPs         bool     `json:"disableDefaultCFIPs,omitempty"`
@@ -39,6 +41,8 @@ type Badger struct {
 	userSessionCookieName       string
 	resourceSessionRequestParam string
 	accessTokenQueryParam       string
+	accessTokenIDHeader         string
+	accessTokenHeader           string
 	disableForwardAuth          bool
 	trustIP                     []*net.IPNet
 	customIPHeader              string
@@ -98,6 +102,8 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		userSessionCookieName:       config.UserSessionCookieName,
 		resourceSessionRequestParam: config.ResourceSessionRequestParam,
 		accessTokenQueryParam:       config.AccessTokenQueryParam,
+		accessTokenIDHeader:         config.AccessTokenIDHeader,
+		accessTokenHeader:           config.AccessTokenHeader,
 		disableForwardAuth:          config.DisableForwardAuth,
 		customIPHeader:              config.CustomIPHeader,
 	}
@@ -317,8 +323,7 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 		p.stripSessionCookies(req)
 		p.stripSessionParam(req)
-		req.Header.Del("P-Access-Token-Id")
-		req.Header.Del("P-Access-Token")
+		p.stripAccessTokenHeaders(req)

 		fmt.Println("Badger: Valid session")
 		p.next.ServeHTTP(rw, req)
@@ -439,6 +444,15 @@ func (p *Badger) stripSessionParam(req *http.Request) {
 	}
 }

+func (p *Badger) stripAccessTokenHeaders(req *http.Request) {
+	if p.accessTokenIDHeader != "" {
+		req.Header.Del(p.accessTokenIDHeader)
+	}
+	if p.accessTokenHeader != "" {
+		req.Header.Del(p.accessTokenHeader)
+	}
+}
+
 // stripSessionCookies removes session cookies from the request before forwarding to the backend.
 // It processes raw Cookie header pairs so non-target cookies are preserved as-is.
 func (p *Badger) stripSessionCookies(req *http.Request) {