From b4eb7090bd7b4dcb5a058364034ed82249add4d3 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Wed, 29 Apr 2026 19:58:39 +0300
Subject: [PATCH] fix: fix imports and context in proxy controller
---
 internal/controller/proxy_controller.go | 86 ++++++++++++++-----------
 internal/model/config.go | 13 ----
 2 files changed, 47 insertions(+), 52 deletions(-)
diff --git a/internal/controller/proxy_controller.go b/internal/controller/proxy_controller.go
index 724c6f6..5f42e55 100644
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -8,7 +8,7 @@ import (
 "regexp"
 "strings"
- "github.com/tinyauthapp/tinyauth/internal/config"
+ "github.com/tinyauthapp/tinyauth/internal/model"
 "github.com/tinyauthapp/tinyauth/internal/service"
 "github.com/tinyauthapp/tinyauth/internal/utils"
 "github.com/tinyauthapp/tinyauth/internal/utils/tlog"
@@ -17,6 +17,17 @@ import (
 "github.com/google/go-querystring/query"
 )
+type UnauthorizedQuery struct {
+ Username string `url:"username"`
+ Resource string `url:"resource"`
+ GroupErr bool `url:"groupErr"`
+ IP string `url:"ip"`
+}
+
+type RedirectQuery struct {
+ RedirectURI string `url:"redirect_uri"`
+}
+
 type AuthModuleType int
 const (
@@ -104,7 +115,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 clientIP := c.ClientIP()
 if controller.auth.IsBypassedIP(acls.IP, clientIP) {
- controller.setHeaders(c, acls)
+ controller.setHeaders(c, *acls)
 c.JSON(200, gin.H{
 "status": 200,
 "message": "Authenticated",
@@ -122,7 +133,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 if !authEnabled {
 tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
- controller.setHeaders(c, acls)
+ controller.setHeaders(c, *acls)
 c.JSON(200, gin.H{
 "status": 200,
 "message": "Authenticated",
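Review bot: The exported types UnauthorizedQuery and RedirectQuery added in the @@ -17 hunk carry no doc comments, which Go convention requires for exported names, and since this commit deletes the only other copy in config.go nothing outside this package appears to need them exported. Either add comments or unexport them; suggested text: `// UnauthorizedQuery is the query string appended to the /unauthorized redirect.` and `// RedirectQuery carries the original request URL (redirect_uri) through the redirect issued to an unauthenticated request.`. The `Username` field is never populated in any of the struct literals in this patch and is instead set afterwards via queries.Set, which is worth a short comment on the field if that is deliberate.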
@@ -131,7 +142,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 }
 if !controller.auth.CheckIP(acls.IP, clientIP) {
- queries, err := query.Values(config.UnauthorizedQuery{
+ queries, err := query.Values(UnauthorizedQuery{
 Resource: strings.Split(proxyCtx.Host, ".")[0],
 IP: clientIP,
 })
@@ -157,28 +168,24 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- var userContext config.UserContext
-
- context, err := utils.GetContext(c)
+ userContext, err := new(model.UserContext).NewFromGin(c)
 if err != nil {
- tlog.App.Debug().Msg("No user context found in request, treating as not logged in")
- userContext = config.UserContext{
- IsLoggedIn: false,
+ tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
+ userContext = &model.UserContext{
+ Authenticated: false,
 }
- } else {
- userContext = context
 }
 tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
- if userContext.IsLoggedIn {
- userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
+ if userContext.Authenticated {
+ userAllowed := controller.auth.IsUserAllowed(c, *userContext, *acls)
 if !userAllowed {
- tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+ tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
- queries, err := query.Values(config.UnauthorizedQuery{
+ queries, err := query.Values(UnauthorizedQuery{
 Resource: strings.Split(proxyCtx.Host, ".")[0],
 })
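Review bot: The fallback in the @@ -157 hunk only tests err, yet userContext is now a pointer that is dereferenced as `*userContext` in the IsUserAllowed call a few lines later and again in the Remote-* header block further down; if NewFromGin can ever return a nil pointer together with a nil error (its contract is not visible here) that is a panic on the request path rather than a denial. Widening the guard keeps the fail-closed default with one line: `if err != nil || userContext == nil {`. Inside the literal, `Authenticated: false` is the zero value and can be dropped, leaving `userContext = &model.UserContext{}`. proxyHandler starts and ends outside this hunk.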
@@ -188,10 +195,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- if userContext.OAuth {
- queries.Set("username", userContext.Email)
+ if userContext.IsOAuth() {
+ queries.Set("username", userContext.GetEmail())
 } else {
- queries.Set("username", userContext.Username)
+ queries.Set("username", userContext.GetUsername())
 }
 redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -209,19 +216,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- if userContext.OAuth || userContext.Provider == "ldap" {
+ if userContext.IsOAuth() || userContext.IsLDAP() {
 var groupOK bool
- if userContext.OAuth {
- groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+ if userContext.IsOAuth() {
+ groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls.OAuth.Groups)
 } else {
- groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
+ groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls.LDAP.Groups)
 }
 if !groupOK {
- tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+ tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
- queries, err := query.Values(config.UnauthorizedQuery{
+ queries, err := query.Values(UnauthorizedQuery{
 Resource: strings.Split(proxyCtx.Host, ".")[0],
 GroupErr: true,
 })
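Review bot: The username-selection block in the @@ -188 hunk is repeated verbatim in the @@ -232 hunk, and both bypass the `Username` field that UnauthorizedQuery already declares for `url:"username"`, first encoding an empty value with query.Values and then overwriting it with queries.Set. Folding the OAuth-versus-local choice into one small helper lets each UnauthorizedQuery literal set `Username:` directly and removes both if/else blocks; the rest of the redirect construction is unchanged. proxyHandler starts and ends outside this hunk.
```go
// reportedIdentity is the identity shown on the /unauthorized page: the
// e-mail for OAuth sessions, the username for everything else.
func reportedIdentity(u *model.UserContext) string {
	if u.IsOAuth() {
		return u.GetEmail()
	}
	return u.GetUsername()
}

// … in proxyHandler, replacing the literal plus the if/else that followed it …
queries, err := query.Values(UnauthorizedQuery{
	Username: reportedIdentity(userContext),
	Resource: strings.Split(proxyCtx.Host, ".")[0],
})
```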
@@ -232,10 +239,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- if userContext.OAuth {
- queries.Set("username", userContext.Email)
+ if userContext.IsOAuth() {
+ queries.Set("username", userContext.GetEmail())
 } else {
- queries.Set("username", userContext.Username)
+ queries.Set("username", userContext.GetUsername())
 }
 redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -254,19 +261,20 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 }
 }
- c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
- c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
- c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+ c.Header("Remote-User", utils.SanitizeHeader(userContext.GetUsername()))
+ c.Header("Remote-Name", utils.SanitizeHeader(userContext.GetName()))
+ c.Header("Remote-Email", utils.SanitizeHeader(userContext.GetEmail()))
- if userContext.Provider == "ldap" {
- c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
- } else if userContext.Provider != "local" {
- c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
+ if userContext.IsLDAP() {
+ c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.LDAP.Groups, ",")))
 }
- c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
+ if userContext.IsOAuth() {
+ c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.OAuth.Groups, ",")))
+ c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuth.Sub))
+ }
- controller.setHeaders(c, acls)
+ controller.setHeaders(c, *acls)
 c.JSON(200, gin.H{
 "status": 200,
@@ -275,7 +283,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 return
 }
- queries, err := query.Values(config.RedirectQuery{
+ queries, err := query.Values(RedirectQuery{
 RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 })
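Review bot: The Remote-Groups block in the @@ -254 hunk turns an if/else-if into two independent ifs, so a context for which both IsLDAP() and IsOAuth() hold (whether the model permits that is not visible here) now writes the header twice with the OAuth value silently winning, and a provider that is neither local, LDAP nor OAuth, previously caught by `Provider != "local"`, now receives no Remote-Groups at all. If the two cases are meant to be exclusive, `} else if userContext.IsOAuth() {` makes that explicit and matches the old shape. The group lists are also joined with "," before SanitizeHeader, so a group name containing a comma is indistinguishable to the upstream from two groups; a comment stating that names are assumed comma-free, or a different separator, would make the contract clear. proxyHandler starts and ends outside this hunk.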
@@ -299,7 +307,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
-func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, acls model.App) {
 c.Header("Authorization", c.Request.Header.Get("Authorization"))
 headers := utils.ParseHeaders(acls.Response.Headers)
diff --git a/internal/model/config.go b/internal/model/config.go
index 28b0881..d0bb9d1 100644
--- a/internal/model/config.go
+++ b/internal/model/config.go
@@ -218,19 +218,6 @@ type OIDCClientConfig struct {
 Name string `description:"Client name in UI." yaml:"name"`
 }
-// API responses and queries
-
-type UnauthorizedQuery struct {
- Username string `url:"username"`
- Resource string `url:"resource"`
- GroupErr bool `url:"groupErr"`
- IP string `url:"ip"`
-}
-
-type RedirectQuery struct {
- RedirectURI string `url:"redirect_uri"`
-}
-
 // ACLs
 type Apps struct {