fix: fix envoy tests

frontend/bun.lock

@@ -37,7 +37,7 @@
       "devDependencies": {
         "@eslint/js": "^10.0.1",
         "@tanstack/eslint-plugin-query": "^5.91.4",
-        "@types/node": "^25.5.0",
+        "@types/node": "^25.4.0",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
         "@vitejs/plugin-react": "^5.1.4",
@@ -417,7 +417,7 @@
 
     "@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
 
-    "@types/node": ["@types/node@25.5.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw=="],
+    "@types/node": ["@types/node@25.4.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-9wLpoeWuBlcbBpOY3XmzSTG3oscB6xjBEEtn+pYXTfhyXhIxC5FsBer2KTopBlvKEiW9l13po9fq+SJY/5lkhw=="],
 
     "@types/react": ["@types/react@19.2.14", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w=="],
 

frontend/package.json

@@ -43,7 +43,7 @@
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@tanstack/eslint-plugin-query": "^5.91.4",
-    "@types/node": "^25.5.0",
+    "@types/node": "^25.4.0",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.4",

integration/.env

@@ -0,0 +1,16 @@
+# Nginx configuration
+NGINX_VERSION=1.29
+
+# Whoami configuration
+WHOAMI_VERSION=latest
+
+# Traefik configuration
+TRAEFIK_VERSION=v3.6
+TINYAUTH_HOST=tinyauth.127.0.0.1.sslip.io
+WHOAMI_HOST=whoami.127.0.0.1.sslip.io
+
+# Envoy configuration
+ENVOY_VERSION=v1.33-latest
+
+# Tinyauth configuration
+TINYAUTH_VERSION=dev

integration/config.yml

@@ -0,0 +1,15 @@
+appUrl: http://tinyauth.127.0.0.1.sslip.io
+
+auth:
+  users: test:$2a$10$eG88kFow83l5YRSlTSL2o.sZimjxFHrpiKdaSUZqpLBGX7Y2.4PZG
+
+log:
+  json: true
+  level: trace
+
+apps:
+  whoami:
+    config:
+      domain: whoami.127.0.0.1.sslip.io
+    path:
+      allow: /allow

integration/docker-compose.envoy.yml

@@ -0,0 +1,16 @@
+services:
+  envoy:
+    image: envoyproxy/envoy:${ENVOY_VERSION}
+    ports:
+      - 80:80
+    volumes:
+      - ./envoy.yml:/etc/envoy/envoy.yaml:ro
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro

integration/docker-compose.nginx.yml

@@ -0,0 +1,16 @@
+services:
+  nginx:
+    image: nginx:${NGINX_VERSION}
+    ports:
+      - 80:80
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro

integration/docker-compose.traefik.yml

@@ -0,0 +1,28 @@
+services:
+  traefik:
+    image: traefik:${TRAEFIK_VERSION}
+    command: |
+      --api.insecure=true
+      --providers.docker
+      --entryPoints.web.address=:80
+    ports:
+      - 80:80
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  whoami:
+    image: traefik/whoami:${WHOAMI_VERSION}
+    labels:
+      traefik.enable: true
+      traefik.http.routers.whoami.rule: Host(`${WHOAMI_HOST}`)
+      traefik.http.routers.whoami.middlewares: tinyauth
+
+  tinyauth:
+    image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
+    command: --experimental.configfile=/data/config.yml
+    volumes:
+      - ./config.yml:/data/config.yml:ro
+    labels:
+      traefik.enable: true
+      traefik.http.routers.tinyauth.rule: Host(`${TINYAUTH_HOST}`)
+      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik

integration/envoy.yml

@@ -0,0 +1,105 @@
+static_resources:
+  listeners:
+    - name: "listener_http"
+      address:
+        socket_address:
+          address: "0.0.0.0"
+          port_value: 80
+      filter_chains:
+        - filters:
+            - name: "envoy.filters.network.http_connection_manager"
+              typed_config:
+                "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+                stat_prefix: "ingress_http"
+                use_remote_address: true
+                skip_xff_append: false
+                route_config:
+                  name: "local_route"
+                  virtual_hosts:
+                    - name: "whoami_service"
+                      domains: ["whoami.127.0.0.1.sslip.io"]
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: "whoami"
+                    - name: "tinyauth_service"
+                      domains: ["tinyauth.127.0.0.1.sslip.io"]
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
+                          disabled: true
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: "tinyauth"
+                http_filters:
+                  - name: "envoy.filters.http.ext_authz"
+                    typed_config:
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
+                      transport_api_version: "v3"
+                      http_service:
+                        path_prefix: "/api/auth/envoy?path="
+                        server_uri:
+                          uri: "tinyauth:3000"
+                          cluster: "tinyauth"
+                          timeout: "0.25s"
+                        authorization_request:
+                          allowed_headers:
+                            patterns:
+                              - exact: "authorization"
+                              - exact: "accept"
+                              - exact: "cookie"
+                          headers_to_add:
+                            - key: "x-forwarded-proto"
+                              value: "%REQ(:SCHEME)%"
+                            - key: "x-forwarded-host"
+                              value: "%REQ(:AUTHORITY)%"
+                            - key: "x-forwarded-uri"
+                              value: "%REQ(:PATH)%"
+                        authorization_response:
+                          allowed_upstream_headers:
+                            patterns:
+                              - prefix: "remote-"
+                          allowed_client_headers:
+                            patterns:
+                              - exact: "set-cookie"
+                              - exact: "location"
+                          allowed_client_headers_on_success:
+                            patterns:
+                              - exact: "set-cookie"
+                              - exact: "location"
+                      failure_mode_allow: false
+                  - name: "envoy.filters.http.router"
+                    typed_config:
+                      "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+  clusters:
+    - name: "whoami"
+      connect_timeout: "0.25s"
+      type: "logical_dns"
+      dns_lookup_family: "v4_only"
+      lb_policy: "round_robin"
+      load_assignment:
+        cluster_name: "whoami"
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: "whoami"
+                      port_value: 80
+    - name: "tinyauth"
+      connect_timeout: "0.25s"
+      type: "logical_dns"
+      dns_lookup_family: "v4_only"
+      lb_policy: "round_robin"
+      load_assignment:
+        cluster_name: "tinyauth"
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: "tinyauth"
+                      port_value: 3000

integration/integrarion_tests.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+)
+
+func testUnauthorized(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL, nil)
+	if err != nil {
+		return err
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+	// nginx and envoy will throw us at the frontend
+	if resp.StatusCode != http.StatusUnauthorized && !strings.Contains(string(body), "<div id=\"root\"></div>") {
+		return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
+	}
+	return nil
+}
+
+func testLoggedIn(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL, nil)
+	if err != nil {
+		return err
+	}
+	req.SetBasicAuth(DefaultUsername, DefaultPassword)
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	return nil
+}
+
+func testACLAllowed(client *http.Client) error {
+	req, err := http.NewRequest("GET", WhoamiURL+"/allow", nil)
+	if err != nil {
+		return err
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
+	}
+	return nil
+}

integration/integration.go

@@ -0,0 +1,166 @@
+package main
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/exec"
+	"time"
+)
+
+var ProxiesToTest = []string{"traefik", "nginx", "envoy"}
+
+const (
+	EnvFile    = ".env"
+	ConfigFile = "config.yml"
+)
+
+const (
+	TinyauthURL = "http://tinyauth.127.0.0.1.sslip.io"
+	WhoamiURL   = "http://whoami.127.0.0.1.sslip.io"
+)
+
+const (
+	DefaultUsername = "test"
+	DefaultPassword = "password"
+)
+
+func main() {
+	logFlag := flag.Bool("log", false, "enable stack logging")
+	flag.Parse()
+
+	for _, proxy := range ProxiesToTest {
+		slog.Info("begin", "proxy", proxy)
+		compose := fmt.Sprintf("docker-compose.%s.yml", proxy)
+		if _, err := os.Stat(compose); err != nil {
+			slog.Error("fail", "proxy", proxy, "error", err)
+			os.Exit(1)
+		}
+		if err := createInstanceAndRunTests(compose, *logFlag, proxy); err != nil {
+			slog.Error("fail", "proxy", proxy, "error", err)
+			os.Exit(1)
+		}
+		slog.Info("end", "proxy", proxy)
+	}
+}
+
+func runTests(client *http.Client, name string) error {
+	if err := testUnauthorized(client); err != nil {
+		slog.Error("fail unauthorized test", "name", name)
+		return err
+	}
+
+	slog.Info("unauthorized test passed", "name", name)
+
+	if err := testLoggedIn(client); err != nil {
+		slog.Error("fail logged in test", "name", name)
+		return err
+	}
+
+	slog.Info("logged in test passed", "name", name)
+
+	if err := testACLAllowed(client); err != nil {
+		slog.Error("fail acl test", "name", name)
+		return err
+	}
+
+	slog.Info("acl test passed", "name", name)
+
+	return nil
+}
+
+func createInstanceAndRunTests(compose string, log bool, name string) error {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	cmdArgs := []string{"compose", "-f", compose, "--env-file", EnvFile, "up", "--build", "--force-recreate", "--remove-orphans"}
+	cmd := exec.CommandContext(ctx, "docker", cmdArgs...)
+
+	if log {
+		setupCmdLogging(cmd)
+	}
+
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+
+	defer func() {
+		cmd.Process.Signal(os.Interrupt)
+		cmd.Wait()
+	}()
+
+	slog.Info("instance created", "name", name)
+
+	if err := waitForHealthy(); err != nil {
+		return err
+	}
+
+	slog.Info("instance healthy", "name", name)
+
+	client := &http.Client{}
+
+	if err := runTests(client, name); err != nil {
+		return err
+	}
+
+	slog.Info("tests passed", "name", name)
+
+	cmd.Process.Signal(os.Interrupt)
+
+	if err := cmd.Wait(); cmd.ProcessState.ExitCode() != 130 && err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func setupCmdLogging(cmd *exec.Cmd) {
+	stdout, _ := cmd.StdoutPipe()
+	stderr, _ := cmd.StderrPipe()
+
+	go func() {
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			slog.Info("docker out", "stdout", scanner.Text())
+		}
+	}()
+
+	go func() {
+		scanner := bufio.NewScanner(stderr)
+		for scanner.Scan() {
+			slog.Error("docker out", "stderr", scanner.Text())
+		}
+	}()
+}
+
+func waitForHealthy() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	ticker := time.NewTicker(10 * time.Second)
+	client := http.Client{}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return errors.New("tinyauth not healthy after 5 minutes")
+		case <-ticker.C:
+			req, err := http.NewRequestWithContext(ctx, "GET", TinyauthURL+"/api/healthz", nil)
+			if err != nil {
+				return err
+			}
+			res, err := client.Do(req)
+			if err != nil {
+				continue
+			}
+			if res.StatusCode == http.StatusOK {
+				return nil
+			}
+		}
+	}
+}

integration/nginx.conf

@@ -0,0 +1,36 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name tinyauth.127.0.0.1.sslip.io;
+
+    location / {
+        proxy_pass http://tinyauth:3000;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name whoami.127.0.0.1.sslip.io;
+
+    location / {
+        proxy_pass http://whoami;
+        auth_request /tinyauth;
+        error_page 401 = @tinyauth_login;
+    }
+
+    location /tinyauth {
+        internal;
+        proxy_pass http://tinyauth:3000/api/auth/nginx;
+        proxy_set_header x-original-url $scheme://$http_host$request_uri;
+        proxy_set_header x-forwarded-proto $scheme;
+        proxy_set_header x-forwarded-host $host;
+        proxy_set_header x-forwarded-uri $request_uri;
+    }
+
+    location @tinyauth_login {
+      return 302 http://tinyauth.127.0.0.1.sslip.io/login?redirect_uri=$scheme://$http_host$request_uri;
+    }
+}

internal/controller/proxy_controller.go

@@ -17,16 +17,18 @@ import (
 	"github.com/google/go-querystring/query"
 )
 
-type AuthModuleType int
+type RequestType int
 
 const (
-	AuthRequest AuthModuleType = iota
+	AuthRequest RequestType = iota
 	ExtAuthz
 	ForwardAuth
 )
 
 var BrowserUserAgentRegex = regexp.MustCompile("Chrome|Gecko|AppleWebKit|Opera|Edge")
 
+var SupportedProxies = []string{"nginx", "traefik", "caddy", "envoy"}
+
 type Proxy struct {
 	Proxy string `uri:"proxy" binding:"required"`
 }
@@ -36,7 +38,7 @@ type ProxyContext struct {
 	Proto     string
 	Path      string
 	Method    string
-	Type      AuthModuleType
+	Type      RequestType
 	IsBrowser bool
 }
 
@@ -337,10 +339,12 @@ func (controller *ProxyController) getForwardAuthContext(c *gin.Context) (ProxyC
 		return ProxyContext{}, errors.New("x-forwarded-proto not found")
 	}
 
-	// Normally we should only allow GET for forward auth but since it's a fallback
-	// for envoy we should allow everything, not a big deal
 	method := c.Request.Method
 
+	if method != http.MethodGet {
+		return ProxyContext{}, errors.New("method not allowed")
+	}
+
 	return ProxyContext{
 		Host:   host,
 		Proto:  proto,
@@ -364,20 +368,14 @@ func (controller *ProxyController) getAuthRequestContext(c *gin.Context) (ProxyC
 	}
 
 	host := url.Host
-
-	if strings.TrimSpace(host) == "" {
-		return ProxyContext{}, errors.New("host not found")
-	}
-
 	proto := url.Scheme
-
-	if strings.TrimSpace(proto) == "" {
-		return ProxyContext{}, errors.New("proto not found")
-	}
-
 	path := url.Path
 	method := c.Request.Method
 
+	if method != http.MethodGet {
+		return ProxyContext{}, errors.New("method not allowed")
+	}
+
 	return ProxyContext{
 		Host:   host,
 		Proto:  proto,
@@ -388,22 +386,19 @@ func (controller *ProxyController) getAuthRequestContext(c *gin.Context) (ProxyC
 }
 
 func (controller *ProxyController) getExtAuthzContext(c *gin.Context) (ProxyContext, error) {
-	// We hope for the someone to set the x-forwarded-proto header
 	proto, ok := controller.getHeader(c, "x-forwarded-proto")
 
 	if !ok {
 		return ProxyContext{}, errors.New("x-forwarded-proto not found")
 	}
 
-	// It sets the host to the original host, not the forwarded host
-	host := c.Request.Host
+	host, ok := controller.getHeader(c, "host")
 
-	if strings.TrimSpace(host) == "" {
+	if !ok {
 		return ProxyContext{}, errors.New("host not found")
 	}
 
-	// We get the path from the query string
-	path := c.Query("path")
+	// Seems like we can't get the path?
 
 	// For envoy we need to support every method
 	method := c.Request.Method
@@ -411,49 +406,11 @@ func (controller *ProxyController) getExtAuthzContext(c *gin.Context) (ProxyCont
 	return ProxyContext{
 		Host:   host,
 		Proto:  proto,
-		Path:   path,
 		Method: method,
 		Type:   ExtAuthz,
 	}, nil
 }
 
-func (controller *ProxyController) determineAuthModules(proxy string) []AuthModuleType {
-	switch proxy {
-	case "traefik", "caddy":
-		return []AuthModuleType{ForwardAuth}
-	case "envoy":
-		return []AuthModuleType{ExtAuthz, ForwardAuth}
-	case "nginx":
-		return []AuthModuleType{AuthRequest, ForwardAuth}
-	default:
-		return []AuthModuleType{}
-	}
-}
-
-func (controller *ProxyController) getContextFromAuthModule(c *gin.Context, module AuthModuleType) (ProxyContext, error) {
-	switch module {
-	case ForwardAuth:
-		ctx, err := controller.getForwardAuthContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	case ExtAuthz:
-		ctx, err := controller.getExtAuthzContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	case AuthRequest:
-		ctx, err := controller.getAuthRequestContext(c)
-		if err != nil {
-			return ProxyContext{}, err
-		}
-		return ctx, nil
-	}
-	return ProxyContext{}, fmt.Errorf("unsupported auth module: %v", module)
-}
-
 func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext, error) {
 	var req Proxy
 
@@ -462,28 +419,44 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 		return ProxyContext{}, err
 	}
 
-	tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
-
-	authModules := controller.determineAuthModules(req.Proxy)
-
-	if len(authModules) == 0 {
-		return ProxyContext{}, fmt.Errorf("no auth modules supported for proxy: %v", req.Proxy)
-	}
-
 	var ctx ProxyContext
 
-	for _, module := range authModules {
-		tlog.App.Debug().Msgf("Trying auth module: %v", module)
-		ctx, err = controller.getContextFromAuthModule(c, module)
+	switch req.Proxy {
+	// For nginx we need to handle both forward_auth and auth_request extraction since it can be
+	// used either with something line nginx proxy manager with advanced config or with
+	// the kubernetes ingress controller
+	case "nginx":
+		tlog.App.Debug().Str("proxy", req.Proxy).Msg("Attempting forward_auth compatible extraction")
+		forwardAuthCtx, err := controller.getForwardAuthContext(c)
 		if err == nil {
-			tlog.App.Debug().Msgf("Auth module %v succeeded", module)
-			break
+			tlog.App.Debug().Str("proxy", req.Proxy).Msg("Extractions success using forward_auth")
+			ctx = forwardAuthCtx
+		} else {
+			tlog.App.Debug().Str("proxy", req.Proxy).Msg("Extractions failed using forward_auth trying with auth_request")
+			authRequestCtx, err := controller.getAuthRequestContext(c)
+			if err != nil {
+				tlog.App.Warn().Str("proxy", req.Proxy).Msg("Failed to determine required module for header extraction")
+				return ProxyContext{}, err
+			}
+			ctx = authRequestCtx
 		}
-		tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
-	}
-
-	if err != nil {
-		return ProxyContext{}, err
+	case "envoy":
+		tlog.App.Debug().Str("proxy", req.Proxy).Msg("Attempting ext_authz compatible extraction")
+		extAuthzCtx, err := controller.getExtAuthzContext(c)
+		if err != nil {
+			tlog.App.Warn().Str("proxy", req.Proxy).Msg("Failed to determine required module for header extraction")
+			return ProxyContext{}, err
+		}
+		ctx = extAuthzCtx
+	// By default we fallback to the forward_auth module which supports most proxies like traefik or caddy
+	default:
+		tlog.App.Debug().Str("proxy", req.Proxy).Msg("Attempting forward_auth compatible extraction")
+		forwardAuthCtx, err := controller.getForwardAuthContext(c)
+		if err != nil {
+			tlog.App.Warn().Str("proxy", req.Proxy).Msg("Failed to determine required module for header extraction")
+			return ProxyContext{}, err
+		}
+		ctx = forwardAuthCtx
 	}
 
 	// We don't care if the header is empty, we will just assume it's not a browser
@@ -491,9 +464,9 @@ func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext
 	isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
 
 	if isBrowser {
-		tlog.App.Debug().Msg("Request identified as coming from a browser")
+		tlog.App.Debug().Msg("Request identified as (most likely) coming from a browser")
 	} else {
-		tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
+		tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
 	}
 
 	ctx.IsBrowser = isBrowser

internal/controller/proxy_controller_test.go

@@ -1,7 +1,6 @@
 package controller_test
 
 import (
-	"net/http"
 	"net/http/httptest"
 	"testing"
 
@@ -10,26 +9,21 @@ import (
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 
 	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
 
-var loggedInCtx = config.UserContext{
-	Username:   "test",
-	Name:       "Test",
-	Email:      "test@example.com",
-	IsLoggedIn: true,
-	Provider:   "local",
-}
+func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
+	tlog.NewSimpleLogger().Init()
 
-func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
 	// Setup
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 
-	if len(middlewares) > 0 {
-		for _, m := range middlewares {
+	if middlewares != nil {
+		for _, m := range *middlewares {
 			router.Use(m)
 		}
 	}
@@ -54,13 +48,7 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
 	assert.NilError(t, dockerService.Init())
 
 	// Access controls
-	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{
-		"whoami": {
-			Path: config.AppPath{
-				Allow: "/allow",
-			},
-		},
-	})
+	accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
 
 	assert.NilError(t, accessControlsService.Init())
 
@@ -89,214 +77,107 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
 
 	// Controller
 	ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
-		AppURL: "http://tinyauth.example.com",
+		AppURL: "http://localhost:8080",
 	}, group, accessControlsService, authService)
 	ctrl.SetupRoutes()
 
-	return router, recorder
+	return router, recorder, authService
 }
 
 // TODO: Needs tests for context middleware
 
 func TestProxyHandler(t *testing.T) {
-	// Test logged out user traefik/caddy (forward_auth)
-	router, recorder := setupProxyController(t, nil)
-
-	req, err := http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/")
+	// Setup
+	router, recorder, _ := setupProxyController(t, nil)
 
+	// Test invalid proxy
+	req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	// Test logged out user nginx (auth_request)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/")
+	assert.Equal(t, 400, recorder.Code)
 
+	// Test invalid method for non-envoy proxy
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	// Test logged out user envoy (ext_authz)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
+	assert.Equal(t, 405, recorder.Code)
+	assert.Equal(t, "GET", recorder.Header().Get("Allow"))
 
+	// Test logged out user (traefik/caddy)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
 
-	// Test logged in user traefik/caddy (forward_auth)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (envoy - POST method)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("POST", "/api/auth/envoy", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (envoy - DELETE method)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("DELETE", "/api/auth/envoy", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/somepath")
+	req.Header.Set("Accept", "text/html")
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 307, recorder.Code)
+	assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
+
+	// Test logged out user (nginx)
+	recorder = httptest.NewRecorder()
+	req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	// we won't set X-Forwarded-Uri to test that the controller can work without it
+	router.ServeHTTP(recorder, req)
+
+	assert.Equal(t, 401, recorder.Code)
+
+	// Test logged in user
+	router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
+			c.Set("context", &config.UserContext{
+				Username:    "testuser",
+				Name:        "testuser",
+				Email:       "testuser@example.com",
+				IsLoggedIn:  true,
+				OAuth:       false,
+				Provider:    "local",
+				TotpPending: false,
+				OAuthGroups: "",
+				TotpEnabled: false,
+			})
 			c.Next()
 		},
 	})
 
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/")
+	req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Original-Uri", "/somepath") // Test with original URI for kubernetes ingress
+	req.Header.Set("Accept", "text/html")
 
 	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
+	assert.Equal(t, 200, recorder.Code)
 
-	// Test logged in user nginx (auth_request)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
-			c.Next()
-		},
-	})
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test logged in user envoy (ext_authz)
-	router, recorder = setupProxyController(t, []gin.HandlerFunc{
-		func(c *gin.Context) {
-			c.Set("context", &loggedInCtx)
-			c.Next()
-		},
-	})
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow caddy/traefik (forward_auth)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow nginx
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-original-url", "http://whoami.example.com/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test ACL allow envoy
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy?path=/allow", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test traefik/caddy (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test nginx (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test envoy (forward_auth) without required headers
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusBadRequest)
-
-	// Test nginx (auth_request) with forward_auth fallback with ACLs
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test envoy (ext_authz) with forward_auth fallback with ACLs
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
-
-	// Test envoy (ext_authz) with empty path
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
-	assert.NilError(t, err)
-
-	req.Host = "whoami.example.com"
-	req.Header.Set("x-forwarded-proto", "http")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusUnauthorized)
-
-	// Ensure forward_auth fallback works with path (should ignore)
-	router, recorder = setupProxyController(t, nil)
-
-	req, err = http.NewRequest("GET", "/api/auth/traefik?path=/allow", nil)
-	assert.NilError(t, err)
-
-	req.Header.Set("x-forwarded-proto", "http")
-	req.Header.Set("x-forwarded-host", "whoami.example.com")
-	req.Header.Set("x-forwarded-uri", "/allow")
-
-	router.ServeHTTP(recorder, req)
-	assert.Equal(t, recorder.Code, http.StatusOK)
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
+	assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
+	assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
 }