Merge pull request #7 from pyrho/feat/auth-headers

feat: add auth headers to request
2026-02-08 05:56:46 +00:00 · 2025-06-04 12:35:46 -04:00 · 2025-06-04 18:30:25 +02:00 · 2025-04-06 11:24:47 -04:00 · 2025-03-03 22:34:59 -05:00 · 2025-01-27 22:38:01 -05:00
4 changed files with 138 additions and 37 deletions
--- a/.go-version
+++ b/.go-version
@@ -0,0 +1 @@
+1.23.2
--- a/.traefik.yml
+++ b/.traefik.yml
@@ -6,7 +6,6 @@ import: github.com/fosrl/badger
 summary: Middleware auth bouncer for Pangolin

 testData:
-    apiBaseUrl: http://localhost:3001/api/v1
-    userSessionCookieName: p_session
-    resourceSessionCookieName: p_resource_session
-    accessTokenQueryParam: p_token
+    apiBaseUrl: "http://localhost:3001/api/v1"
+    userSessionCookieName: "p_session_token"
+    resourceSessionRequestParam: "p_session_request"
--- a/README.md
+++ b/README.md
@@ -16,9 +16,8 @@ Badger requires the following configuration parameters to be specified in your [

 ```yaml
 apiBaseUrl: "http://localhost:3001/api/v1"
-userSessionCookieName: "p_session"
-resourceSessionCookieName: "p_resource_session"
-accessTokenQueryParam: "p_token"
+userSessionCookieName: "p_session_token"
+resourceSessionRequestParam: "p_session_request"
 ```

 ## License
--- a/main.go
+++ b/main.go
@@ -10,10 +10,17 @@ import (
 )

 type Config struct {
-	APIBaseUrl                string `json:"apiBaseUrl"`
-	UserSessionCookieName     string `json:"userSessionCookieName"`
-	ResourceSessionCookieName string `json:"resourceSessionCookieName"`
-	AccessTokenQueryParam     string `json:"accessTokenQueryParam"`
+	APIBaseUrl                  string `json:"apiBaseUrl"`
+	UserSessionCookieName       string `json:"userSessionCookieName"`
+	ResourceSessionRequestParam string `json:"resourceSessionRequestParam"`
+}
+
+type Badger struct {
+	next                        http.Handler
+	name                        string
+	apiBaseUrl                  string
+	userSessionCookieName       string
+	resourceSessionRequestParam string
 }

 type VerifyBody struct {
@@ -23,24 +30,35 @@ type VerifyBody struct {
 	RequestHost        *string           `json:"host"`
 	RequestPath        *string           `json:"path"`
 	RequestMethod      *string           `json:"method"`
-	AccessToken        *string           `json:"accessToken,omitempty"`
 	TLS                bool              `json:"tls"`
+	RequestIP          *string           `json:"requestIp,omitempty"`
+	Headers            map[string]string `json:"headers,omitempty"`
+	Query              map[string]string `json:"query,omitempty"`
 }

 type VerifyResponse struct {
 	Data struct {
-		Valid       bool    `json:"valid"`
-		RedirectURL *string `json:"redirectUrl"`
+		Valid           bool              `json:"valid"`
+		RedirectURL     *string           `json:"redirectUrl"`
+		Username        *string           `json:"username,omitempty"`
+		Email           *string           `json:"email,omitempty"`
+		Name            *string           `json:"name,omitempty"`
+		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
 	} `json:"data"`
 }

-type Badger struct {
-	next                      http.Handler
-	name                      string
-	apiBaseUrl                string
-	userSessionCookieName     string
-	resourceSessionCookieName string
-	accessTokenQueryParam     string
+type ExchangeSessionBody struct {
+	RequestToken *string `json:"requestToken"`
+	RequestHost  *string `json:"host"`
+	RequestIP    *string `json:"requestIp,omitempty"`
+}
+
+type ExchangeSessionResponse struct {
+	Data struct {
+		Valid           bool              `json:"valid"`
+		Cookie          *string           `json:"cookie"`
+		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
+	} `json:"data"`
 }

 func CreateConfig() *Config {
@@ -49,23 +67,67 @@ func CreateConfig() *Config {

 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
 	return &Badger{
-		next:                      next,
-		name:                      name,
-		apiBaseUrl:                config.APIBaseUrl,
-		userSessionCookieName:     config.UserSessionCookieName,
-		resourceSessionCookieName: config.ResourceSessionCookieName,
-		accessTokenQueryParam:     config.AccessTokenQueryParam,
+		next:                        next,
+		name:                        name,
+		apiBaseUrl:                  config.APIBaseUrl,
+		userSessionCookieName:       config.UserSessionCookieName,
+		resourceSessionRequestParam: config.ResourceSessionRequestParam,
 	}, nil
 }

 func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	cookies := p.extractCookies(req)

-	var accessToken *string
 	queryValues := req.URL.Query()
-	if token := queryValues.Get(p.accessTokenQueryParam); token != "" {
-		accessToken = &token
-		queryValues.Del(p.accessTokenQueryParam) 
+
+	if sessionRequestValue := queryValues.Get(p.resourceSessionRequestParam); sessionRequestValue != "" {
+		body := ExchangeSessionBody{
+			RequestToken: &sessionRequestValue,
+			RequestHost:  &req.Host,
+			RequestIP:    &req.RemoteAddr,
+		}
+
+		jsonData, err := json.Marshal(body)
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		verifyURL := fmt.Sprintf("%s/badger/exchange-session", p.apiBaseUrl)
+		resp, err := http.Post(verifyURL, "application/json", bytes.NewBuffer(jsonData))
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+		defer resp.Body.Close()
+
+		var result ExchangeSessionResponse
+		err = json.NewDecoder(resp.Body).Decode(&result)
+		if err != nil {
+			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+			return
+		}
+
+		if result.Data.Cookie != nil && *result.Data.Cookie != "" {
+			rw.Header().Add("Set-Cookie", *result.Data.Cookie)
+
+			queryValues.Del(p.resourceSessionRequestParam)
+			cleanedQuery := queryValues.Encode()
+			originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
+			if cleanedQuery != "" {
+				originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
+			}
+
+			if result.Data.ResponseHeaders != nil {
+				for key, value := range result.Data.ResponseHeaders {
+					rw.Header().Add(key, value)
+				}
+			}
+
+			fmt.Println("Got exchange token, redirecting to", originalRequestURL)
+			http.Redirect(rw, req, originalRequestURL, http.StatusFound)
+			return
+		}
 	}

 	cleanedQuery := queryValues.Encode()
@@ -76,6 +138,20 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	verifyURL := fmt.Sprintf("%s/badger/verify-session", p.apiBaseUrl)

+	headers := make(map[string]string)
+	for name, values := range req.Header {
+		if len(values) > 0 {
+			headers[name] = values[0] // Send only the first value for simplicity
+		}
+	}
+
+	queryParams := make(map[string]string)
+	for key, values := range queryValues {
+		if len(values) > 0 {
+			queryParams[key] = values[0]
+		}
+	}
+
 	cookieData := VerifyBody{
 		Sessions:           cookies,
 		OriginalRequestURL: originalRequestURL,
@@ -83,8 +159,10 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		RequestHost:        &req.Host,
 		RequestPath:        &req.URL.Path,
 		RequestMethod:      &req.Method,
-		AccessToken:        accessToken,
 		TLS:                req.TLS != nil,
+		RequestIP:          &req.RemoteAddr,
+		Headers:            headers,
+		Query:              queryParams,
 	}

 	jsonData, err := json.Marshal(cookieData)
@@ -100,7 +178,6 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 	defer resp.Body.Close()

-	// pass through cookies
 	for _, setCookie := range resp.Header["Set-Cookie"] {
 		rw.Header().Add("Set-Cookie", setCookie)
 	}
@@ -117,24 +194,49 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}

+	if result.Data.ResponseHeaders != nil {
+		for key, value := range result.Data.ResponseHeaders {
+			rw.Header().Add(key, value)
+		}
+	}
+
 	if result.Data.RedirectURL != nil && *result.Data.RedirectURL != "" {
+		fmt.Println("Badger: Redirecting to", *result.Data.RedirectURL)
 		http.Redirect(rw, req, *result.Data.RedirectURL, http.StatusFound)
 		return
 	}

-	if !result.Data.Valid {
-		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+	if result.Data.Valid {
+
+		if result.Data.Username != nil {
+			req.Header.Add("Remote-User", *result.Data.Username)
+		}
+
+		if result.Data.Email != nil {
+			req.Header.Add("Remote-Email", *result.Data.Email)
+		}
+
+		if result.Data.Name != nil {
+			req.Header.Add("Remote-Name", *result.Data.Name)
+		}
+
+		fmt.Println("Badger: Valid session")
+		p.next.ServeHTTP(rw, req)
 		return
 	}

-	p.next.ServeHTTP(rw, req)
+	http.Error(rw, "Unauthorized", http.StatusUnauthorized)
 }

 func (p *Badger) extractCookies(req *http.Request) map[string]string {
 	cookies := make(map[string]string)
+	isSecureRequest := req.TLS != nil

 	for _, cookie := range req.Cookies() {
-		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) || strings.HasPrefix(cookie.Name, p.resourceSessionCookieName) {
+		if strings.HasPrefix(cookie.Name, p.userSessionCookieName) {
+			if cookie.Secure && !isSecureRequest {
+				continue
+			}
 			cookies[cookie.Name] = cookie.Value
 		}
 	}
Author	SHA1	Message	Date
Milo Schwartz	d553b6ca77	Merge pull request #7 from pyrho/feat/auth-headers feat: add auth headers to request	2025-06-04 12:35:46 -04:00
Damien Rajon	0baba997d7	feat: add auth headers to request These changes are needed for the related changes in pangolin to work. See https://github.com/fosrl/pangolin/pull/807#event-17985130896	2025-06-04 18:30:25 +02:00
miloschwartz	e951e42b4d	remove explicit access token check and pass query params and headers in verify session	2025-04-06 11:24:47 -04:00
miloschwartz	3a180988be	add .go-version	2025-03-03 22:34:59 -05:00
Milo Schwartz	9cae64dac9	pass client ip to pangolin	2025-01-27 22:38:01 -05:00
Milo Schwartz	002997b2a0	refactor auth to use exchange token system	2025-01-26 17:23:06 -05:00