Merge pull request #4 from fosrl/dev

send access token and pass cookies
2026-02-08 05:56:46 +00:00 · 2025-01-12 14:35:43 -05:00 · 2025-01-11 18:08:02 -05:00 · 2025-01-08 21:56:45 -05:00 · 2025-01-08 21:36:49 -05:00 · 2025-01-02 23:11:32 -05:00
4 changed files with 43 additions and 15 deletions
--- a/.traefik.yml
+++ b/.traefik.yml
@@ -7,5 +7,6 @@ summary: Middleware auth bouncer for Pangolin

 testData:
    apiBaseUrl: http://localhost:3001/api/v1
-    userSessionCookieName: session
-    resourceSessionCookieName: resource_session
+    userSessionCookieName: p_session
+    resourceSessionCookieName: p_resource_session
+    accessTokenQueryParam: p_token
--- a/README.md
+++ b/README.md
@@ -8,8 +8,6 @@ This plugin is **required** to be configured alongside [Pangolin](https://github

 Learn how to set up [Pangolin](https://github.com/fosrl/pangolin) and Badger in the [Pangolin Documentation](https://github.com/fosrl/pangolin).

---
-
 ## Configuration

 Badger requires the following configuration parameters to be specified in your [Traefik configuration file](https://doc.traefik.io/traefik/getting-started/configuration-overview/). These coincide with the separate [Pangolin](https://github.com/fosrl/pangolin) configuration file.
@@ -18,18 +16,11 @@ Badger requires the following configuration parameters to be specified in your [

 ```yaml
 apiBaseUrl: "http://localhost:3001/api/v1"
-userSessionCookieName: "session"
-resourceSessionCookieName: "resource_session"
+userSessionCookieName: "p_session"
+resourceSessionCookieName: "p_resource_session"
+accessTokenQueryParam: "p_token"
 ```

---
-
 ## License

 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
-
---
-
-## Contact
-
-Please contact us at [support@fossorial.io](mailto:support@fossorial.io).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,14 @@
+# Security Policy
+
+If you discover a security vulnerability, please follow the steps below to responsibly disclose it to us:
+
+1. **Do not create a public GitHub issue or discussion post.** This could put the security of other users at risk.
+2. Send a detailed report to [security@fossorial.io](mailto:security@fossorial.io) or send a **private** message to a maintainer on [Discord](https://discord.gg/HCJR8Xhme4). Include:
+
+- Description and location of the vulnerability.
+- Potential impact of the vulnerability.
+- Steps to reproduce the vulnerability.
+- Potential solutions to fix the vulnerability.
+- Your name/handle and a link for recognition (optional).
+
+We aim to address the issue as soon as possible.
--- a/main.go
+++ b/main.go
@@ -13,6 +13,7 @@ type Config struct {
 	APIBaseUrl                string `json:"apiBaseUrl"`
 	UserSessionCookieName     string `json:"userSessionCookieName"`
 	ResourceSessionCookieName string `json:"resourceSessionCookieName"`
+	AccessTokenQueryParam     string `json:"accessTokenQueryParam"`
 }

 type VerifyBody struct {
@@ -22,6 +23,7 @@ type VerifyBody struct {
 	RequestHost        *string           `json:"host"`
 	RequestPath        *string           `json:"path"`
 	RequestMethod      *string           `json:"method"`
+	AccessToken        *string           `json:"accessToken,omitempty"`
 	TLS                bool              `json:"tls"`
 }

@@ -38,6 +40,7 @@ type Badger struct {
 	apiBaseUrl                string
 	userSessionCookieName     string
 	resourceSessionCookieName string
+	accessTokenQueryParam     string
 }

 func CreateConfig() *Config {
@@ -51,14 +54,27 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		apiBaseUrl:                config.APIBaseUrl,
 		userSessionCookieName:     config.UserSessionCookieName,
 		resourceSessionCookieName: config.ResourceSessionCookieName,
+		accessTokenQueryParam:     config.AccessTokenQueryParam,
 	}, nil
 }

 func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	cookies := p.extractCookies(req)

+	var accessToken *string
+	queryValues := req.URL.Query()
+	if token := queryValues.Get(p.accessTokenQueryParam); token != "" {
+		accessToken = &token
+		queryValues.Del(p.accessTokenQueryParam) 
+	}
+
+	cleanedQuery := queryValues.Encode()
+	originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
+	if cleanedQuery != "" {
+		originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
+	}
+
 	verifyURL := fmt.Sprintf("%s/badger/verify-session", p.apiBaseUrl)
-	originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.RequestURI())

 	cookieData := VerifyBody{
 		Sessions:           cookies,
@@ -67,6 +83,7 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		RequestHost:        &req.Host,
 		RequestPath:        &req.URL.Path,
 		RequestMethod:      &req.Method,
+		AccessToken:        accessToken,
 		TLS:                req.TLS != nil,
 	}

@@ -83,6 +100,11 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer resp.Body.Close()

+	// pass through cookies
+	for _, setCookie := range resp.Header["Set-Cookie"] {
+		rw.Header().Add("Set-Cookie", setCookie)
+	}
+
 	if resp.StatusCode != http.StatusOK {
 		http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 		return
Author	SHA1	Message	Date
Milo Schwartz	d5fd63a6cd	Merge pull request #4 from fosrl/dev send access token and pass cookies	2025-01-12 14:35:43 -05:00
Milo Schwartz	ad468b3d15	send access token and pass cookies	2025-01-11 18:08:02 -05:00
Milo Schwartz	876a15a313	Merge pull request #3 from fosrl/dev add security policy	2025-01-08 21:56:45 -05:00
Milo Schwartz	45803609de	add security policy	2025-01-08 21:36:49 -05:00
Milo Schwartz	91e930fd68	Merge branch 'main' of https://github.com/fosrl/badger	2025-01-02 23:11:32 -05:00
Milo Schwartz	7715198476	update readme	2025-01-02 23:11:25 -05:00
Owen Schwartz	45d307f118	Rename session	2024-12-27 00:30:20 -05:00