cleanup

proxy/internal/auth/constants.go

@@ -1,9 +0,0 @@
-package auth
-
-const (
-	// DefaultSessionCookieName is the default cookie name for session storage
-	DefaultSessionCookieName = "auth_session"
-
-	// ErrorInternalServer is the default internal server error message
-	ErrorInternalServer = "Internal Server Error"
-)

proxy/internal/auth/methods/basic_auth.go

@@ -18,7 +18,6 @@ func (c *BasicAuthConfig) Validate(r *http.Request) bool {
 		return false
 	}
 
-	// Use constant-time comparison to prevent timing attacks
 	usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(c.Username)) == 1
 	passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(c.Password)) == 1
 

proxy/internal/auth/methods/bearer_auth.go

@@ -4,7 +4,5 @@ package methods
 // The actual OIDC/JWT configuration comes from the global proxy Config.OIDCConfig
 // This just enables Bearer auth for a specific route
 type BearerConfig struct {
-	// Enable bearer token authentication for this route
-	// Uses the global OIDC configuration from proxy Config
 	Enabled bool
 }

proxy/internal/auth/methods/pin_auth.go

@@ -13,7 +13,7 @@ const (
 // PINConfig holds PIN authentication settings
 type PINConfig struct {
 	PIN    string
-	Header string // Header name (default: "X-PIN")
+	Header string
 }
 
 // Validate checks PIN from the request header
@@ -28,6 +28,5 @@ func (c *PINConfig) Validate(r *http.Request) bool {
 		return false
 	}
 
-	// Use constant-time comparison to prevent timing attacks
 	return subtle.ConstantTimeCompare([]byte(providedPIN), []byte(c.PIN)) == 1
 }

proxy/internal/auth/middleware.go

@@ -28,26 +28,22 @@ type authResult struct {
 
 // ServeHTTP implements the http.Handler interface
 func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// If no auth configured, allow request
 	if m.config.IsEmpty() {
 		m.allowWithoutAuth(w, r)
 		return
 	}
 
-	// Try to authenticate the request
 	result := m.authenticate(w, r)
 	if result == nil {
 		// Authentication triggered a redirect (e.g., OIDC flow)
 		return
 	}
 
-	// Reject if authentication failed
 	if !result.authenticated {
 		m.rejectRequest(w, r)
 		return
 	}
 
-	// Authentication successful - continue to next handler
 	m.continueWithAuth(w, r, result)
 }
 
@@ -65,17 +61,14 @@ func (m *Middleware) allowWithoutAuth(w http.ResponseWriter, r *http.Request) {
 // authenticate attempts to authenticate the request using configured methods
 // Returns nil if a redirect occurred (e.g., OIDC flow initiated)
 func (m *Middleware) authenticate(w http.ResponseWriter, r *http.Request) *authResult {
-	// Try Basic Auth
 	if result := m.tryBasicAuth(r); result.authenticated {
 		return result
 	}
 
-	// Try PIN Auth
 	if result := m.tryPINAuth(r); result.authenticated {
 		return result
 	}
 
-	// Try Bearer/OIDC Auth
 	return m.tryBearerAuth(w, r)
 }
 
@@ -94,7 +87,6 @@ func (m *Middleware) tryBasicAuth(r *http.Request) *authResult {
 		method:        "basic",
 	}
 
-	// Extract username from Basic Auth
 	if username, _, ok := r.BasicAuth(); ok {
 		result.userID = username
 	}
@@ -128,24 +120,20 @@ func (m *Middleware) tryBearerAuth(w http.ResponseWriter, r *http.Request) *auth
 
 	cookieName := m.oidcHandler.SessionCookieName()
 
-	// Handle auth token in query parameter (from OIDC callback)
 	if m.handleAuthTokenParameter(w, r, cookieName) {
-		return nil // Redirect occurred
+		return nil
 	}
 
-	// Try session cookie
 	if result := m.trySessionCookie(r, cookieName); result.authenticated {
 		return result
 	}
 
-	// Try Authorization header
 	if result := m.tryAuthorizationHeader(r); result.authenticated {
 		return result
 	}
 
-	// No valid auth - redirect to OIDC provider
 	m.oidcHandler.RedirectToProvider(w, r, m.routeID)
-	return nil // Redirect occurred
+	return nil
 }
 
 // handleAuthTokenParameter processes the _auth_token query parameter from OIDC callback
@@ -161,7 +149,6 @@ func (m *Middleware) handleAuthTokenParameter(w http.ResponseWriter, r *http.Req
 		"host":     r.Host,
 	}).Info("Found auth token in query parameter, setting cookie and redirecting")
 
-	// Validate the token before setting cookie
 	if !m.oidcHandler.ValidateJWT(authToken) {
 		log.WithFields(log.Fields{
 			"route_id": m.routeID,
@@ -169,7 +156,6 @@ func (m *Middleware) handleAuthTokenParameter(w http.ResponseWriter, r *http.Req
 		return false
 	}
 
-	// Set session cookie
 	cookie := &http.Cookie{
 		Name:     cookieName,
 		Value:    authToken,
@@ -288,7 +274,7 @@ func (m *Middleware) continueWithAuth(w http.ResponseWriter, r *http.Request, re
 		"path":        r.URL.Path,
 	}).Debug("Authentication successful")
 
-	// Store auth info in headers for logging
+	// TODO: Find other means of auth logging than headers
 	r.Header.Set("X-Auth-Method", result.method)
 	r.Header.Set("X-Auth-User-ID", result.userID)
 
@@ -299,7 +285,7 @@ func (m *Middleware) continueWithAuth(w http.ResponseWriter, r *http.Request, re
 // Wrap wraps an HTTP handler with authentication middleware
 func Wrap(next http.Handler, authConfig *Config, routeID string, rejectResponse func(w http.ResponseWriter, r *http.Request), oidcHandler *oidc.Handler) http.Handler {
 	if authConfig == nil {
-		authConfig = &Config{} // Empty config = no auth
+		authConfig = &Config{}
 	}
 
 	return &Middleware{

proxy/internal/auth/oidc/config.go

@@ -2,19 +2,16 @@ package oidc
 
 // Config holds the global OIDC/OAuth configuration
 type Config struct {
-	// OIDC Provider settings
-	ProviderURL  string   `env:"NB_OIDC_PROVIDER_URL" json:"provider_url"`   // Identity provider URL (e.g., "https://accounts.google.com")
-	ClientID     string   `env:"NB_OIDC_CLIENT_ID" json:"client_id"`         // OAuth client ID
-	ClientSecret string   `env:"NB_OIDC_CLIENT_SECRET" json:"client_secret"` // OAuth client secret (empty for public clients)
-	RedirectURL  string   `env:"NB_OIDC_REDIRECT_URL" json:"redirect_url"`   // Redirect URL after auth (e.g., "http://localhost:54321/auth/callback")
-	Scopes       []string `env:"NB_OIDC_SCOPES" json:"scopes"`               // Requested scopes (default: ["openid", "profile", "email"])
+	ProviderURL  string   `env:"NB_OIDC_PROVIDER_URL" json:"provider_url"`
+	ClientID     string   `env:"NB_OIDC_CLIENT_ID" json:"client_id"`
+	ClientSecret string   `env:"NB_OIDC_CLIENT_SECRET" json:"client_secret"`
+	RedirectURL  string   `env:"NB_OIDC_REDIRECT_URL" json:"redirect_url"`
+	Scopes       []string `env:"NB_OIDC_SCOPES" json:"scopes"`
 
-	// JWT Validation settings
-	JWTKeysLocation             string   `env:"NB_OIDC_JWT_KEYS_LOCATION" json:"jwt_keys_location"`                             // JWKS URL for fetching public keys
-	JWTIssuer                   string   `env:"NB_OIDC_JWT_ISSUER" json:"jwt_issuer"`                                           // Expected issuer claim
-	JWTAudience                 []string `env:"NB_OIDC_JWT_AUDIENCE" json:"jwt_audience"`                                       // Expected audience claims
-	JWTIdpSignkeyRefreshEnabled bool     `env:"NB_OIDC_JWT_IDP_SIGNKEY_REFRESH_ENABLED" json:"jwt_idp_signkey_refresh_enabled"` // Enable automatic refresh of signing keys
+	JWTKeysLocation             string   `env:"NB_OIDC_JWT_KEYS_LOCATION" json:"jwt_keys_location"`
+	JWTIssuer                   string   `env:"NB_OIDC_JWT_ISSUER" json:"jwt_issuer"`
+	JWTAudience                 []string `env:"NB_OIDC_JWT_AUDIENCE" json:"jwt_audience"`
+	JWTIdpSignkeyRefreshEnabled bool     `env:"NB_OIDC_JWT_IDP_SIGNKEY_REFRESH_ENABLED" json:"jwt_idp_signkey_refresh_enabled"`
 
-	// Session settings
-	SessionCookieName string `env:"NB_OIDC_SESSION_COOKIE_NAME" json:"session_cookie_name"` // Cookie name for storing session (default: "auth_session")
+	SessionCookieName string `env:"NB_OIDC_SESSION_COOKIE_NAME" json:"session_cookie_name"`
 }

proxy/internal/auth/oidc/handler.go

@@ -24,7 +24,6 @@ type Handler struct {
 
 // NewHandler creates a new OIDC handler
 func NewHandler(config *Config, stateStore *StateStore) *Handler {
-	// Initialize JWT validator
 	var jwtValidator *jwt.Validator
 	if config.JWTKeysLocation != "" {
 		jwtValidator = jwt.NewValidator(
@@ -67,7 +66,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		scopes = []string{"openid", "profile", "email"}
 	}
 
-	// Build authorization URL
 	authURL, err := url.Parse(h.config.ProviderURL)
 	if err != nil {
 		log.WithError(err).Error("Invalid OIDC provider URL")
@@ -80,7 +78,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		authURL.Path = strings.TrimSuffix(authURL.Path, "/") + "/authorize"
 	}
 
-	// Build query parameters
 	params := url.Values{}
 	params.Set("client_id", h.config.ClientID)
 	params.Set("redirect_uri", h.config.RedirectURL)
@@ -88,8 +85,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 	params.Set("scope", strings.Join(scopes, " "))
 	params.Set("state", state)
 
-	// Add audience parameter to get an access token for the API
-	// This ensures we get a proper JWT for the API audience, not just an ID token
 	if len(h.config.JWTAudience) > 0 && h.config.JWTAudience[0] != h.config.ClientID {
 		params.Set("audience", h.config.JWTAudience[0])
 	}
@@ -103,7 +98,6 @@ func (h *Handler) RedirectToProvider(w http.ResponseWriter, r *http.Request, rou
 		"state":        state,
 	}).Info("Redirecting to OIDC provider for authentication")
 
-	// Redirect user to identity provider login page
 	http.Redirect(w, r, authURL.String(), http.StatusFound)
 }
 

proxy/internal/auth/oidc/state_store.go

@@ -34,7 +34,6 @@ func (s *StateStore) Store(stateToken, originalURL, routeID string) {
 		RouteID:     routeID,
 	}
 
-	// Clean up expired states
 	s.cleanup()
 }