Merge pull request #7 from pyrho/feat/auth-headers

feat: add auth headers to request
2026-02-12 16:06:44 +00:00 · 2025-06-04 12:35:46 -04:00 · 2025-06-04 18:30:25 +02:00 · 2025-04-06 11:24:47 -04:00 · 2025-03-03 22:34:59 -05:00 · 2025-01-27 22:38:01 -05:00
4 changed files with 138 additions and 37 deletions
--- a/.go-version
+++ b/.go-version
@@ -0,0 +1 @@
 1.23.2
--- a/.traefik.yml
+++ b/.traefik.yml
@@ -6,7 +6,6 @@ import: github.com/fosrl/badger
 summary: Middleware auth bouncer for Pangolin
 testData:
-    apiBaseUrl: http://localhost:3001/api/v1
+    apiBaseUrl: "http://localhost:3001/api/v1"
-    userSessionCookieName: p_session
+    userSessionCookieName: "p_session_token"
-    resourceSessionCookieName: p_resource_session
+    resourceSessionRequestParam: "p_session_request"
    accessTokenQueryParam: p_token
--- a/README.md
+++ b/README.md
@@ -16,9 +16,8 @@ Badger requires the following configuration parameters to be specified in your [
 ```yaml
 apiBaseUrl: "http://localhost:3001/api/v1"
-userSessionCookieName: "p_session"
+userSessionCookieName: "p_session_token"
-resourceSessionCookieName: "p_resource_session"
+resourceSessionRequestParam: "p_session_request"
 accessTokenQueryParam: "p_token"
 ```
 ## License
--- a/main.go
+++ b/main.go
@@ -10,10 +10,17 @@ import (
 )
 type Config struct {
-	APIBaseUrl                string `json:"apiBaseUrl"`
+	APIBaseUrl                  string `json:"apiBaseUrl"`
-	UserSessionCookieName     string `json:"userSessionCookieName"`
+	UserSessionCookieName       string `json:"userSessionCookieName"`
-	ResourceSessionCookieName string `json:"resourceSessionCookieName"`
+	ResourceSessionRequestParam string `json:"resourceSessionRequestParam"`
-	AccessTokenQueryParam     string `json:"accessTokenQueryParam"`
+}
 type Badger struct {
 	next                        http.Handler
 	name                        string
 	apiBaseUrl                  string
 	userSessionCookieName       string
 	resourceSessionRequestParam string
 }
 type VerifyBody struct {
@@ -23,24 +30,35 @@ type VerifyBody struct {
 	RequestHost        *string           `json:"host"`
 	RequestPath        *string           `json:"path"`
 	RequestMethod      *string           `json:"method"`
 	AccessToken        *string           `json:"accessToken,omitempty"`
 	TLS                bool              `json:"tls"`
 	RequestIP          *string           `json:"requestIp,omitempty"`
 	Headers            map[string]string `json:"headers,omitempty"`
 	Query              map[string]string `json:"query,omitempty"`
 }
 type VerifyResponse struct {
 	Data struct {
-		Valid       bool    `json:"valid"`
+		Valid           bool              `json:"valid"`
-		RedirectURL *string `json:"redirectUrl"`
+		RedirectURL     *string           `json:"redirectUrl"`
 		Username        *string           `json:"username,omitempty"`
 		Email           *string           `json:"email,omitempty"`
 		Name            *string           `json:"name,omitempty"`
 		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
 	} `json:"data"`
 }
-type Badger struct {
+type ExchangeSessionBody struct {
-	next                      http.Handler
+	RequestToken *string `json:"requestToken"`
-	name                      string
+	RequestHost  *string `json:"host"`
-	apiBaseUrl                string
+	RequestIP    *string `json:"requestIp,omitempty"`
-	userSessionCookieName     string
+}
-	resourceSessionCookieName string
+
-	accessTokenQueryParam     string
+type ExchangeSessionResponse struct {
 	Data struct {
 		Valid           bool              `json:"valid"`
 		Cookie          *string           `json:"cookie"`
 		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
 	} `json:"data"`
 }
 func CreateConfig() *Config {
@@ -49,23 +67,67 @@ func CreateConfig() *Config {
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	return &Badger{
-		next:                      next,
+		next:                        next,
-		name:                      name,
+		name:                        name,
-		apiBaseUrl:                config.APIBaseUrl,
+		apiBaseUrl:                  config.APIBaseUrl,
-		userSessionCookieName:     config.UserSessionCookieName,
+		userSessionCookieName:       config.UserSessionCookieName,
-		resourceSessionCookieName: config.ResourceSessionCookieName,
+		resourceSessionRequestParam: config.ResourceSessionRequestParam,
 		accessTokenQueryParam:     config.AccessTokenQueryParam,
 	}, nil
 }
 func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	cookies := p.extractCookies(req)
 	var accessToken *string
 	queryValues := req.URL.Query()
-	if token := queryValues.Get(p.accessTokenQueryParam); token != "" {
+
-		accessToken = &token
+	if sessionRequestValue := queryValues.Get(p.resourceSessionRequestParam); sessionRequestValue != "" {
-		queryValues.Del(p.accessTokenQueryParam) 
+		body := ExchangeSessionBody{
 			RequestToken: &sessionRequestValue,
 			RequestHost:  &req.Host,
 			RequestIP:    &req.RemoteAddr,
 		}
 		jsonData, err := json.Marshal(body)
 		if err != nil {
 			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 		verifyURL := fmt.Sprintf("%s/badger/exchange-session", p.apiBaseUrl)
 		resp, err := http.Post(verifyURL, "application/json", bytes.NewBuffer(jsonData))
 		if err != nil {
 			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 		defer resp.Body.Close()
 		var result ExchangeSessionResponse
 		err = json.NewDecoder(resp.Body).Decode(&result)
 		if err != nil {
 			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 		if result.Data.Cookie != nil && *result.Data.Cookie != "" {
 			rw.Header().Add("Set-Cookie", *result.Data.Cookie)
 			queryValues.Del(p.resourceSessionRequestParam)
 			cleanedQuery := queryValues.Encode()
 			originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
 			if cleanedQuery != "" {
 				originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
 			}
 			if result.Data.ResponseHeaders != nil {
 				for key, value := range result.Data.ResponseHeaders {
 					rw.Header().Add(key, value)
 				}
 			}
 			fmt.Println("Got exchange token, redirecting to", originalRequestURL)
 			http.Redirect(rw, req, originalRequestURL, http.StatusFound)
 			return
 		}
 	}
 	cleanedQuery := queryValues.Encode()
@@ -76,6 +138,20 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	verifyURL := fmt.Sprintf("%s/badger/verify-session", p.apiBaseUrl)
 	headers := make(map[string]string)
 	for name, values := range req.Header {
 		if len(values) > 0 {
 			headers[name] = values[0] // Send only the first value for simplicity
 		}
 	}
 	queryParams := make(map[string]string)
 	for key, values := range queryValues {
 		if len(values) > 0 {
 			queryParams[key] = values[0]
 		}
 	}
 	cookieData := VerifyBody{
 		Sessions:           cookies,
 		OriginalRequestURL: originalRequestURL,
@@ -83,8 +159,10 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		RequestHost:        &req.Host,
 		RequestPath:        &req.URL.Path,
 		RequestMethod:      &req.Method,
 		AccessToken:        accessToken,
 		TLS:                req.TLS != nil,
 		RequestIP:          &req.RemoteAddr,
 		Headers:            headers,
 		Query:              queryParams,
 	}
 	jsonData, err := json.Marshal(cookieData)
@@ -100,7 +178,6 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer resp.Body.Close()
 	// pass through cookies
 	for _, setCookie := range resp.Header["Set-Cookie"] {
 		rw.Header().Add("Set-Cookie", setCookie)
 	}
@@ -117,24 +194,49 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 	if result.Data.ResponseHeaders != nil {
 		for key, value := range result.Data.ResponseHeaders {
 			rw.Header().Add(key, value)
 		}
 	}
 	if result.Data.RedirectURL != nil && *result.Data.RedirectURL != "" {
 		fmt.Println("Badger: Redirecting to", *result.Data.RedirectURL)
 		http.Redirect(rw, req, *result.Data.RedirectURL, http.StatusFound)
 		return
 	}
-	if !result.Data.Valid {
+	if result.Data.Valid {
-		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+
 		if result.Data.Username != nil {
 			req.Header.Add("Remote-User", *result.Data.Username)
 		}
 		if result.Data.Email != nil {
 			req.Header.Add("Remote-Email", *result.Data.Email)
 		}
 		if result.Data.Name != nil {
 			req.Header.Add("Remote-Name", *result.Data.Name)
 		}
 		fmt.Println("Badger: Valid session")
 		p.next.ServeHTTP(rw, req)
 		return
 	}
-	p.next.ServeHTTP(rw, req)
+	http.Error(rw, "Unauthorized", http.StatusUnauthorized)
 }
 func (p *Badger) extractCookies(req *http.Request) map[string]string {
 	cookies := make(map[string]string)
 	isSecureRequest := req.TLS != nil
 	for _, cookie := range req.Cookies() {
-		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) || strings.HasPrefix(cookie.Name, p.resourceSessionCookieName) {
+		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) {
 			if cookie.Secure && !isSecureRequest {
 				continue
 			}
 			cookies[cookie.Name] = cookie.Value
 		}
 	}
Author	SHA1	Message	Date
Milo Schwartz	d553b6ca77	Merge pull request #7 from pyrho/feat/auth-headers feat: add auth headers to request	2025-06-04 12:35:46 -04:00
Damien Rajon	0baba997d7	feat: add auth headers to request These changes are needed for the related changes in pangolin to work. See https://github.com/fosrl/pangolin/pull/807#event-17985130896	2025-06-04 18:30:25 +02:00
miloschwartz	e951e42b4d	remove explicit access token check and pass query params and headers in verify session	2025-04-06 11:24:47 -04:00
miloschwartz	3a180988be	add .go-version	2025-03-03 22:34:59 -05:00
Milo Schwartz	9cae64dac9	pass client ip to pangolin	2025-01-27 22:38:01 -05:00
Milo Schwartz	002997b2a0	refactor auth to use exchange token system	2025-01-26 17:23:06 -05:00