fosrl/badger
1
0
Fork 0
mirror of https://github.com/fosrl/badger.git synced 2025-05-13 05:40:39 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor auth to use exchange token system

Browse source
This commit is contained in:
Milo Schwartz 2025-01-26 17:23:06 -05:00
parent d5fd63a6cd
commit 002997b2a0
No known key found for this signature in database
3 changed files with 90 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
.traefik.yml
View file

@ -6,7 +6,7 @@ import: github.com/fosrl/badger
summary: Middleware auth bouncer for Pangolin summary: Middleware auth bouncer for Pangolin
testData: testData:
apiBaseUrl: http://localhost:3001/api/v1 apiBaseUrl: "http://localhost:3001/api/v1"
userSessionCookieName: p_session userSessionCookieName: "p_session_token"
resourceSessionCookieName: p_resource_session accessTokenQueryParam: "p_token"
accessTokenQueryParam: p_token resourceSessionRequestParam: "p_session_request"

4
README.md
View file

@ -16,9 +16,9 @@ Badger requires the following configuration parameters to be specified in your [
```yaml ```yaml
apiBaseUrl: "http://localhost:3001/api/v1" apiBaseUrl: "http://localhost:3001/api/v1"
userSessionCookieName: "p_session" userSessionCookieName: "p_session_token"
resourceSessionCookieName: "p_resource_session"
accessTokenQueryParam: "p_token" accessTokenQueryParam: "p_token"
resourceSessionRequestParam: "p_session_request"
``` ```
## License ## License

107
main.go
View file

@ -10,10 +10,19 @@ import (
) )
type Config struct { type Config struct {
APIBaseUrl string `json:"apiBaseUrl"` APIBaseUrl string `json:"apiBaseUrl"`
UserSessionCookieName string `json:"userSessionCookieName"` UserSessionCookieName string `json:"userSessionCookieName"`
ResourceSessionCookieName string `json:"resourceSessionCookieName"` AccessTokenQueryParam string `json:"accessTokenQueryParam"`
AccessTokenQueryParam string `json:"accessTokenQueryParam"` ResourceSessionRequestParam string `json:"resourceSessionRequestParam"`
}
type Badger struct {
next http.Handler
name string
apiBaseUrl string
userSessionCookieName string
accessTokenQueryParam string
resourceSessionRequestParam string
} }
type VerifyBody struct { type VerifyBody struct {
@ -34,13 +43,16 @@ type VerifyResponse struct {
} `json:"data"` } `json:"data"`
} }
type Badger struct { type ExchangeSessionBody struct {
next http.Handler RequestToken *string `json:"requestToken"`
name string RequestHost *string `json:"host"`
apiBaseUrl string }
userSessionCookieName string
resourceSessionCookieName string type ExchangeSessionResponse struct {
accessTokenQueryParam string Data struct {
Valid bool `json:"valid"`
Cookie *string `json:"cookie"`
} `json:"data"`
} }
func CreateConfig() *Config { func CreateConfig() *Config {
@ -49,12 +61,12 @@ func CreateConfig() *Config {
func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) { func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
return &Badger{ return &Badger{
next: next, next: next,
name: name, name: name,
apiBaseUrl: config.APIBaseUrl, apiBaseUrl: config.APIBaseUrl,
userSessionCookieName: config.UserSessionCookieName, userSessionCookieName: config.UserSessionCookieName,
resourceSessionCookieName: config.ResourceSessionCookieName, accessTokenQueryParam: config.AccessTokenQueryParam,
accessTokenQueryParam: config.AccessTokenQueryParam, resourceSessionRequestParam: config.ResourceSessionRequestParam,
}, nil }, nil
} }
@ -63,9 +75,53 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
var accessToken *string var accessToken *string
queryValues := req.URL.Query() queryValues := req.URL.Query()
if sessionRequestValue := queryValues.Get(p.resourceSessionRequestParam); sessionRequestValue != "" {
body := ExchangeSessionBody{
RequestToken: &sessionRequestValue,
RequestHost: &req.Host,
}
jsonData, err := json.Marshal(body)
if err != nil {
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
verifyURL := fmt.Sprintf("%s/badger/exchange-session", p.apiBaseUrl)
resp, err := http.Post(verifyURL, "application/json", bytes.NewBuffer(jsonData))
if err != nil {
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
defer resp.Body.Close()
var result ExchangeSessionResponse
err = json.NewDecoder(resp.Body).Decode(&result)
if err != nil {
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
if result.Data.Cookie != nil && *result.Data.Cookie != "" {
rw.Header().Add("Set-Cookie", *result.Data.Cookie)
queryValues.Del(p.resourceSessionRequestParam)
cleanedQuery := queryValues.Encode()
originalRequestURL := fmt.Sprintf("%s://%s%s", p.getScheme(req), req.Host, req.URL.Path)
if cleanedQuery != "" {
originalRequestURL = fmt.Sprintf("%s?%s", originalRequestURL, cleanedQuery)
}
fmt.Println("Got exchange token, redirecting to", originalRequestURL)
http.Redirect(rw, req, originalRequestURL, http.StatusFound)
return
}
}
if token := queryValues.Get(p.accessTokenQueryParam); token != "" { if token := queryValues.Get(p.accessTokenQueryParam); token != "" {
accessToken = &token accessToken = &token
queryValues.Del(p.accessTokenQueryParam) queryValues.Del(p.accessTokenQueryParam)
} }
cleanedQuery := queryValues.Encode() cleanedQuery := queryValues.Encode()
@ -100,7 +156,6 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
} }
defer resp.Body.Close() defer resp.Body.Close()
// pass through cookies
for _, setCookie := range resp.Header["Set-Cookie"] { for _, setCookie := range resp.Header["Set-Cookie"] {
rw.Header().Add("Set-Cookie", setCookie) rw.Header().Add("Set-Cookie", setCookie)
} }
@ -118,23 +173,29 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
} }
if result.Data.RedirectURL != nil && *result.Data.RedirectURL != "" { if result.Data.RedirectURL != nil && *result.Data.RedirectURL != "" {
fmt.Println("Badger: Redirecting to", *result.Data.RedirectURL)
http.Redirect(rw, req, *result.Data.RedirectURL, http.StatusFound) http.Redirect(rw, req, *result.Data.RedirectURL, http.StatusFound)
return return
} }
if !result.Data.Valid { if result.Data.Valid {
http.Error(rw, "Unauthorized", http.StatusUnauthorized) fmt.Println("Badger: Valid session")
p.next.ServeHTTP(rw, req)
return return
} }
p.next.ServeHTTP(rw, req) http.Error(rw, "Unauthorized", http.StatusUnauthorized)
} }
func (p *Badger) extractCookies(req *http.Request) map[string]string { func (p *Badger) extractCookies(req *http.Request) map[string]string {
cookies := make(map[string]string) cookies := make(map[string]string)
isSecureRequest := req.TLS != nil
for _, cookie := range req.Cookies() { for _, cookie := range req.Cookies() {
if strings.HasPrefix(cookie.Name, p.userSessionCookieName) || strings.HasPrefix(cookie.Name, p.resourceSessionCookieName) { if strings.HasPrefix(cookie.Name, p.userSessionCookieName) {
if cookie.Secure && !isSecureRequest {
continue
}
cookies[cookie.Name] = cookie.Value cookies[cookie.Name] = cookie.Value
} }
} }