fix: fix imports and context in proxy controller

internal/controller/proxy_controller.go

@@ -8,7 +8,7 @@ import (
 	"regexp"
 	"strings"
 
-	"github.com/tinyauthapp/tinyauth/internal/config"
+	"github.com/tinyauthapp/tinyauth/internal/model"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"github.com/tinyauthapp/tinyauth/internal/utils"
 	"github.com/tinyauthapp/tinyauth/internal/utils/tlog"
@@ -17,6 +17,17 @@ import (
 	"github.com/google/go-querystring/query"
 )
 
+type UnauthorizedQuery struct {
+	Username string `url:"username"`
+	Resource string `url:"resource"`
+	GroupErr bool   `url:"groupErr"`
+	IP       string `url:"ip"`
+}
+
+type RedirectQuery struct {
+	RedirectURI string `url:"redirect_uri"`
+}
+
 type AuthModuleType int
 
 const (
@@ -104,7 +115,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	clientIP := c.ClientIP()
 
 	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, *acls)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -122,7 +133,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 
 	if !authEnabled {
 		tlog.App.Debug().Msg("Authentication disabled for resource, allowing access")
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, *acls)
 		c.JSON(200, gin.H{
 			"status":  200,
 			"message": "Authenticated",
@@ -131,7 +142,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	}
 
 	if !controller.auth.CheckIP(acls.IP, clientIP) {
-		queries, err := query.Values(config.UnauthorizedQuery{
+		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
 		})
@@ -157,28 +168,24 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	var userContext config.UserContext
+	userContext, err := new(model.UserContext).NewFromGin(c)
-
-	context, err := utils.GetContext(c)
 
 	if err != nil {
-		tlog.App.Debug().Msg("No user context found in request, treating as not logged in")
+		tlog.App.Debug().Err(err).Msg("No user context found in request, treating as unauthenticated")
-		userContext = config.UserContext{
+		userContext = &model.UserContext{
-			IsLoggedIn: false,
+			Authenticated: false,
 		}
-	} else {
-		userContext = context
 	}
 
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
-	if userContext.IsLoggedIn {
+	if userContext.Authenticated {
-		userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
+		userAllowed := controller.auth.IsUserAllowed(c, *userContext, *acls)
 
 		if !userAllowed {
-			tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
+			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
 
-			queries, err := query.Values(config.UnauthorizedQuery{
+			queries, err := query.Values(UnauthorizedQuery{
 				Resource: strings.Split(proxyCtx.Host, ".")[0],
 			})
 
@@ -188,10 +195,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				return
 			}
 
-			if userContext.OAuth {
+			if userContext.IsOAuth() {
-				queries.Set("username", userContext.Email)
+				queries.Set("username", userContext.GetEmail())
 			} else {
-				queries.Set("username", userContext.Username)
+				queries.Set("username", userContext.GetUsername())
 			}
 
 			redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -209,19 +216,19 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			return
 		}
 
-		if userContext.OAuth || userContext.Provider == "ldap" {
+		if userContext.IsOAuth() || userContext.IsLDAP() {
 			var groupOK bool
 
-			if userContext.OAuth {
+			if userContext.IsOAuth() {
-				groupOK = controller.auth.IsInOAuthGroup(c, userContext, acls.OAuth.Groups)
+				groupOK = controller.auth.IsInOAuthGroup(c, *userContext, acls.OAuth.Groups)
 			} else {
-				groupOK = controller.auth.IsInLdapGroup(c, userContext, acls.LDAP.Groups)
+				groupOK = controller.auth.IsInLDAPGroup(c, *userContext, acls.LDAP.Groups)
 			}
 
 			if !groupOK {
-				tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
+				tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
 
-				queries, err := query.Values(config.UnauthorizedQuery{
+				queries, err := query.Values(UnauthorizedQuery{
 					Resource: strings.Split(proxyCtx.Host, ".")[0],
 					GroupErr: true,
 				})
@@ -232,10 +239,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 					return
 				}
 
-				if userContext.OAuth {
+				if userContext.IsOAuth() {
-					queries.Set("username", userContext.Email)
+					queries.Set("username", userContext.GetEmail())
 				} else {
-					queries.Set("username", userContext.Username)
+					queries.Set("username", userContext.GetUsername())
 				}
 
 				redirectURL := fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode())
@@ -254,19 +261,20 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			}
 		}
 
-		c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
+		c.Header("Remote-User", utils.SanitizeHeader(userContext.GetUsername()))
-		c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
+		c.Header("Remote-Name", utils.SanitizeHeader(userContext.GetName()))
-		c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
+		c.Header("Remote-Email", utils.SanitizeHeader(userContext.GetEmail()))
 
-		if userContext.Provider == "ldap" {
+		if userContext.IsLDAP() {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.LdapGroups))
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.LDAP.Groups, ",")))
-		} else if userContext.Provider != "local" {
-			c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
 		}
 
-		c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuthSub))
+		if userContext.IsOAuth() {
+			c.Header("Remote-Groups", utils.SanitizeHeader(strings.Join(userContext.OAuth.Groups, ",")))
+			c.Header("Remote-Sub", utils.SanitizeHeader(userContext.OAuth.Sub))
+		}
 
-		controller.setHeaders(c, acls)
+		controller.setHeaders(c, *acls)
 
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -275,7 +283,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	queries, err := query.Values(config.RedirectQuery{
+	queries, err := query.Values(RedirectQuery{
 		RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
 	})
 
@@ -299,7 +307,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, redirectURL)
 }
 
-func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
+func (controller *ProxyController) setHeaders(c *gin.Context, acls model.App) {
 	c.Header("Authorization", c.Request.Header.Get("Authorization"))
 
 	headers := utils.ParseHeaders(acls.Response.Headers)

internal/model/config.go

@@ -218,19 +218,6 @@ type OIDCClientConfig struct {
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 
-// API responses and queries
-
-type UnauthorizedQuery struct {
-	Username string `url:"username"`
-	Resource string `url:"resource"`
-	GroupErr bool   `url:"groupErr"`
-	IP       string `url:"ip"`
-}
-
-type RedirectQuery struct {
-	RedirectURI string `url:"redirect_uri"`
-}
-
 // ACLs
 
 type Apps struct {