From 62ffd2fd118d04f69f315d3e014aee081d723047 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Wed, 29 Apr 2026 20:11:43 +0300
Subject: [PATCH] feat: finalize context functionality
---
 internal/bootstrap/router_bootstrap.go | 6 ++++--
 internal/controller/proxy_controller.go | 12 +++++++----
 internal/middleware/context_middleware.go | 1 +
 internal/service/auth_service.go | 26 ++++++++++++++++++-----
 4 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/internal/bootstrap/router_bootstrap.go b/internal/bootstrap/router_bootstrap.go
index 0a9eda1..53cb850 100644
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -30,7 +30,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 }
 contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
- CookieDomain: app.context.cookieDomain,
+ CookieDomain: app.context.cookieDomain,
+ SessionCookieName: app.context.sessionCookieName,
 }, app.services.authService, app.services.oauthBrokerService)
 err := contextMiddleware.Init()
@@ -98,7 +99,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 proxyController.SetupRoutes()
 userController := controller.NewUserController(controller.UserControllerConfig{
- CookieDomain: app.context.cookieDomain,
+ CookieDomain: app.context.cookieDomain,
+ SessionCookieName: app.context.sessionCookieName,
 }, apiRouter, app.services.authService)
 userController.SetupRoutes()
diff --git a/internal/controller/proxy_controller.go b/internal/controller/proxy_controller.go
index 3c8a490..2ed6354 100644
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -99,11 +99,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
+ if acls == nil {
+ acls = &model.App{}
+ }
+
 tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
 clientIP := c.ClientIP()
- if controller.auth.IsBypassedIP(acls.IP, clientIP) {
+ if controller.auth.IsBypassedIP(&acls.IP, clientIP) {
 controller.setHeaders(c, *acls)
 c.JSON(200, gin.H{
 "status": 200,
@@ -112,7 +116,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
+ authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, &acls.Path)
 if err != nil {
 tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -130,7 +134,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- if !controller.auth.CheckIP(acls.IP, clientIP) {
+ if !controller.auth.CheckIP(&acls.IP, clientIP) {
 queries, err := query.Values(UnauthorizedQuery{
 Resource: strings.Split(proxyCtx.Host, ".")[0],
 IP: clientIP,
@@ -169,7 +173,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 if userContext.Authenticated {
- userAllowed := controller.auth.IsUserAllowed(c, *userContext, *acls)
+ userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
 if !userAllowed {
 tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
diff --git a/internal/middleware/context_middleware.go b/internal/middleware/context_middleware.go
index 5dd98f9..ad162a9 100644
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
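Review bot: The fallback `acls = &model.App{}` at the top of the first hunk means the nil branches this commit adds to IsUserAllowed, IsAuthEnabled, CheckIP and IsBypassedIP are never reached from proxyHandler: every later call in these hunks passes a non-nil pointer (`&acls.IP`, `&acls.Path`, `acls`), so the effective "no ACL configured" policy is whatever each check does with a zero-valued struct, not the nil branches. Two sets of defaults for the same situation are easy to let drift; since `controller.setHeaders(c, *acls)` still dereferences, the fallback cannot simply be removed, so add a comment above it, e.g. `// No ACL for this resource: treat it as an empty one so every check below sees a non-nil value (the service nil branches are for other callers).` Note also that the trace right after it now logs an empty struct instead of showing that no ACL was found, so "missing" and "empty" are indistinguishable in logs. proxyHandler starts and ends outside these hunks.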
@@ -80,6 +80,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 http.SetCookie(c.Writer, cookie)
 }
+ tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
 c.Set("context", userContext)
 c.Next()
 return
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
index 86743e4..be01ccd 100644
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -346,7 +346,7 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 }
 if session.Expiry-currentTime > refreshThreshold {
- return nil, fmt.Errorf("session not eligible for refresh yet")
+ return nil, nil
 }
 newExpiry := session.Expiry + refreshThreshold
@@ -443,7 +443,11 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 return auth.ldap.IsConfigured()
 }
-func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls model.App) bool {
+func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
+ if acls == nil {
+ return true
+ }
+
 if context.Provider == model.ProviderOAuth {
 tlog.App.Debug().Msg("Checking OAuth whitelist")
 return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
@@ -507,7 +511,11 @@ func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext
 return false
 }
-func (auth *AuthService) IsAuthEnabled(uri string, path model.AppPath) (bool, error) {
+func (auth *AuthService) IsAuthEnabled(uri string, path *model.AppPath) (bool, error) {
+ if path == nil {
+ return true, nil
+ }
+
 // Check for block list
 if path.Block != "" {
 regex, err := regexp.Compile(path.Block)
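Review bot: The new trace line formats the username into the message with `Msgf("...: %s", ...)`, while the warn in proxy_controller in this same patch logs it as a structured field; prefer `tlog.App.Trace().Str("user", userContext.GetUsername()).Msg("Authenticated user from session cookie")` so the name is a queryable field and is encoded by the logger rather than interpolated raw into the message text. Middleware() starts and ends outside the hunk.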
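Review bot: `return nil, nil` makes "not eligible for refresh yet" indistinguishable from success at the type level, so every caller must now check the returned cookie for nil before using it; the `http.SetCookie(c.Writer, cookie)` in the context_middleware hunk looks like such a caller, but the condition around it is outside that hunk and I cannot confirm it tests for nil. Please add a doc comment on RefreshSession stating that a nil cookie together with a nil error means the session did not need refreshing and the caller must skip SetCookie; if callers need to distinguish the case, a sentinel such as `var ErrSessionNotEligible = errors.New("session not eligible for refresh yet")` checked with `errors.Is` is the idiomatic alternative. RefreshSession starts and ends outside the hunk.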
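Review bot: `if acls == nil { return true }` in IsUserAllowed is a permissive default — any authenticated user passes when no per-app ACL is present — whereas the sibling guards in this patch default the other way (IsAuthEnabled returns auth enabled, IsBypassedIP returns not bypassed). If that asymmetry is intended, state it in a doc comment, e.g. `// IsUserAllowed reports whether the authenticated user may access the app. A nil acls means no per-app restriction and always returns true.`, so a later reader does not "fix" it. Bear in mind that proxyHandler substitutes `&model.App{}` before calling, so from that path this branch is dead and the outcome for an app without ACLs is decided by how utils.CheckFilter treats an empty whitelist, which is not visible here. IsUserAllowed continues beyond the hunk.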
@@ -552,7 +560,11 @@ func (auth *AuthService) GetBasicAuth(req *http.Request) (*model.LocalUser, erro
 }, nil
 }
-func (auth *AuthService) CheckIP(acls model.AppIP, ip string) bool {
+func (auth *AuthService) CheckIP(acls *model.AppIP, ip string) bool {
+ if acls == nil {
+ acls = &model.AppIP{}
+ }
+
 // Merge the global and app IP filter
 blockedIps := append(auth.config.IP.Block, acls.Block...)
 allowedIPs := append(auth.config.IP.Allow, acls.Allow...)
@@ -590,7 +602,11 @@ func (auth *AuthService) CheckIP(acls model.AppIP, ip string) bool {
 return true
 }
-func (auth *AuthService) IsBypassedIP(acls model.AppIP, ip string) bool {
+func (auth *AuthService) IsBypassedIP(acls *model.AppIP, ip string) bool {
+ if acls == nil {
+ return false
+ }
+
 for _, bypassed := range acls.Bypass {
 res, err := utils.FilterIP(bypassed, ip)
 if err != nil {
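Review bot: `blockedIps := append(auth.config.IP.Block, acls.Block...)` and the allowedIPs line directly below the new nil guard append into the shared config slices; if `auth.config.IP.Block` has spare capacity, the per-app entries are written into the config's backing array and can be seen by a concurrent request or by the next call for a different app, which would silently change the global block/allow policy. These are context lines, but the guard now guarantees the append always runs with a valid `acls`, so it is the right moment to detach: `blockedIps := append(auth.config.IP.Block[:len(auth.config.IP.Block):len(auth.config.IP.Block)], acls.Block...)` and the same three-index form for allowedIPs (or `slices.Concat` on Go 1.22+). CheckIP continues beyond the hunk.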