feat: add support for Envoy proxy (#538)

* feat: add support for 'envoy' proxy in proxyHandler validation * refactor: simplify proxy route setup by consolidating envoy handling * feat(proxy): add method validation for proxy authentication * fix(proxy): reorder method validation for proxy authentication * refactor: use a slice to check for supported proxies --------- Co-authored-by: pushpinderbal <me@s1ngh.ca> Co-authored-by: Pushpinder Singh <53684951+pushpinderbal@users.noreply.github.com> Co-authored-by: Pushpinder Singh <pushpinder.singh@arcticwolf.com>
2025-12-23 16:42:28 +00:00 · 2025-12-22 22:28:34 +02:00
parent 03ed18343e
commit ef25872fc3
2 changed files with 33 additions and 2 deletions
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"tinyauth/internal/config"
 	"tinyauth/internal/service"
@@ -13,6 +14,8 @@ import (
 	"github.com/rs/zerolog/log"
 )

+var SupportedProxies = []string{"nginx", "traefik", "caddy", "envoy"}
+
 type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }
@@ -39,7 +42,7 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a

 func (controller *ProxyController) SetupRoutes() {
 	proxyGroup := controller.router.Group("/auth")
-	proxyGroup.GET("/:proxy", controller.proxyHandler)
+	proxyGroup.Any("/:proxy", controller.proxyHandler)
 }

 func (controller *ProxyController) proxyHandler(c *gin.Context) {
@@ -55,7 +58,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

-	if req.Proxy != "nginx" && req.Proxy != "traefik" && req.Proxy != "caddy" {
+	if !slices.Contains(SupportedProxies, req.Proxy) {
 		log.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
 		c.JSON(400, gin.H{
 			"status":  400,
@@ -64,6 +67,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}

+	if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
+		log.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
+		c.JSON(405, gin.H{
+			"status":  405,
+			"message": "Method Not Allowed",
+		})
+		return
+	}
+
 	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")

 	if isBrowser {
--- a/internal/controller/proxy_controller_test.go
+++ b/internal/controller/proxy_controller_test.go
@@ -80,6 +80,13 @@ func TestProxyHandler(t *testing.T) {

 	assert.Equal(t, 400, recorder.Code)

+	// Test invalid method
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 405, recorder.Code)
+
 	// Test logged out user (traefik/caddy)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
@@ -92,6 +99,18 @@ func TestProxyHandler(t *testing.T) {
 	assert.Equal(t, 307, recorder.Code)
 	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))

+	// Test logged out user (envoy)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/envoy", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
 	// Test logged out user (nginx)
 	recorder = httptest.NewRecorder()
 	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)