fix: OIDC endpoint auth parsing and auth.* template variables (#17)

- parseEndpointAuth(): add oidc block parsing (was silently ignored)
- parseAuthConfig(): store parsed config in global_auth_config member
  instead of discarding into a local variable
- loadConfig(): propagate global OIDC config to endpoints with
  type:oidc that have no local oidc block
- ConfigManager: add getGlobalOIDCConfig() accessor
- createTemplateContext(): extract __auth_* reserved params and expose
  as auth.username, auth.roles, auth.email, auth.type in Mustache context
- AuthMiddleware::context: add email and auth_type fields
- handleDynamicRequest(): inject auth context as __auth_* params
- RequestHandler: thread authParams through handleRequest/Get/Write

All 425 unit tests pass.

Author: jrosskopf

src/api_server.cpp

@@ -184,7 +184,25 @@ void APIServer::handleDynamicRequest(const crow::request& req, crow::response& r
         return;
     }
 
-    requestHandler.handleRequest(req, res, *endpoint, pathParams);    
+    // Build auth params from middleware context for template variable injection
+    auto& auth_ctx = app.get_context<AuthMiddleware>(req);
+    std::map<std::string, std::string> auth_params;
+    if (auth_ctx.authenticated) {
+        auth_params["__auth_username"] = auth_ctx.username;
+        auth_params["__auth_email"]    = auth_ctx.email;
+        auth_params["__auth_type"]     = auth_ctx.auth_type;
+        auth_params["__auth_authenticated"] = "true";
+        std::string roles;
+        for (const auto& r : auth_ctx.roles) {
+            if (!roles.empty()) {
+                roles += ",";
+            }
+            roles += r;
+        }
+        auth_params["__auth_roles"] = roles;
+    }
+
+    requestHandler.handleRequest(req, res, *endpoint, pathParams, auth_params);
 }
 
 crow::response APIServer::getConfig() {

src/auth_middleware.cpp

@@ -162,10 +162,13 @@ void AuthMiddleware::before_handle(crow::request& req, crow::response& res, cont
     }
 
     if (endpoint->auth.type == "basic") {
+        ctx.auth_type = "basic";
         ctx.authenticated = authenticateBasic(auth_header, *endpoint, ctx);
     } else if (endpoint->auth.type == "bearer") {
+        ctx.auth_type = "bearer";
         ctx.authenticated = authenticateBearer(auth_header, *endpoint, ctx);
     } else if (endpoint->auth.type == "oidc") {
+        ctx.auth_type = "oidc";
         ctx.authenticated = authenticateOIDC(auth_header, *endpoint, ctx);
     }
 
@@ -410,6 +413,7 @@ bool AuthMiddleware::authenticateOIDC(const std::string& auth_header, const Endp
 
     // Set authentication context
     ctx.username = claims->username;
+    ctx.email = claims->email;
     ctx.roles = claims->roles;
     ctx.authenticated = true;
 

src/config_manager.cpp

@@ -78,6 +78,17 @@ void ConfigManager::loadConfig() {
 
         std::filesystem::path template_path = getTemplateConfig().path;
         loadEndpointConfigsRecursively(template_path);
+
+        // Propagate global OIDC config to endpoints that have type:oidc but no local oidc block
+        if (global_auth_config.oidc) {
+            for (auto& ep : endpoints) {
+                if (ep.auth.type == "oidc" && !ep.auth.oidc) {
+                    ep.auth.oidc = global_auth_config.oidc;
+                    CROW_LOG_DEBUG << "Propagated global OIDC config to endpoint: " << ep.urlPath;
+                }
+            }
+        }
+
         CROW_LOG_INFO << "Configuration loaded successfully";
     } catch (const YAML::Exception& e) {
         std::ostringstream error_msg;
@@ -580,8 +591,14 @@ void ConfigManager::parseEndpointAuth(const YAML::Node& endpoint_config, Endpoin
             CROW_LOG_DEBUG << "\t\t\tSecret Key: *****[" << aws_config.secret_key.length() << "]";
         }
 
+        // Parse OIDC configuration if present
+        if (auth_node["oidc"]) {
+            CROW_LOG_DEBUG << "\t\tParsing OIDC configuration for endpoint";
+            endpoint.auth.oidc = parseOIDCConfigNode(auth_node["oidc"]);
+        }
+
         // Parse inline users if present
-        else if (auth_node["users"]) {
+        if (auth_node["users"]) {
             CROW_LOG_DEBUG << "\t\tParsing inline users configuration";
             for (const auto& user : auth_node["users"]) {
                 AuthUser auth_user;
@@ -806,33 +823,37 @@ void ConfigManager::parseAuthConfig() {
         auto auth_node = config["auth"];
         auth_enabled = auth_node["enabled"].as<bool>();
         CROW_LOG_DEBUG << "Auth enabled: " << auth_enabled;
-        if (auth_enabled) {
-            AuthConfig auth_config;
-            auth_config.type = auth_node["type"].as<std::string>();
-            auth_config.jwt_secret = auth_node["jwt-secret"].as<std::string>();
-            auth_config.jwt_issuer = auth_node["jwt-issuer"].as<std::string>();
-            CROW_LOG_DEBUG << "Auth type: " << auth_config.type;
-            CROW_LOG_DEBUG << "JWT issuer: " << auth_config.jwt_issuer;
-
-            if (auth_node["users"]) {
-                for (const auto& user : auth_node["users"]) {
-                    AuthUser auth_user;
-                    auth_user.username = user["username"].as<std::string>();
-                    auth_user.password = user["password"].as<std::string>();
-                    if (user["roles"]) {
-                        auth_user.roles = user["roles"].as<std::vector<std::string>>();
-                    }
-                    auth_config.users.push_back(auth_user);
-                    CROW_LOG_DEBUG << "Added user: " << auth_user.username << " with " << auth_user.roles.size() << " roles";
+
+        if (auth_node["type"]) {
+            global_auth_config.type = auth_node["type"].as<std::string>();
+            CROW_LOG_DEBUG << "Auth type: " << global_auth_config.type;
+        }
+        if (auth_node["jwt-secret"]) {
+            global_auth_config.jwt_secret = auth_node["jwt-secret"].as<std::string>();
+        }
+        if (auth_node["jwt-issuer"]) {
+            global_auth_config.jwt_issuer = auth_node["jwt-issuer"].as<std::string>();
+            CROW_LOG_DEBUG << "JWT issuer: " << global_auth_config.jwt_issuer;
+        }
+
+        if (auth_node["users"]) {
+            for (const auto& user : auth_node["users"]) {
+                AuthUser auth_user;
+                auth_user.username = user["username"].as<std::string>();
+                auth_user.password = user["password"].as<std::string>();
+                if (user["roles"]) {
+                    auth_user.roles = user["roles"].as<std::vector<std::string>>();
                 }
+                global_auth_config.users.push_back(auth_user);
+                CROW_LOG_DEBUG << "Added user: " << auth_user.username << " with " << auth_user.roles.size() << " roles";
             }
+        }
 
-            // Parse OIDC configuration if present
-            if (auth_node["oidc"]) {
-                CROW_LOG_INFO << "Parsing OIDC configuration";
-                auth_config.oidc = parseOIDCConfigNode(auth_node["oidc"]);
-                CROW_LOG_INFO << "OIDC configuration parsed successfully";
-            }
+        // Parse OIDC configuration if present — store in global_auth_config
+        if (auth_node["oidc"]) {
+            CROW_LOG_INFO << "Parsing global OIDC configuration";
+            global_auth_config.oidc = parseOIDCConfigNode(auth_node["oidc"]);
+            CROW_LOG_INFO << "Global OIDC configuration parsed: issuer=" << global_auth_config.oidc->issuer_url;
         }
     }
 }
@@ -1111,6 +1132,7 @@ const RateLimitConfig& ConfigManager::getRateLimitConfig() const { return rate_l
 bool ConfigManager::isHttpsEnforced() const { return https_config.enabled; }
 const HttpsConfig& ConfigManager::getHttpsConfig() const { return https_config; }
 bool ConfigManager::isAuthEnabled() const { return auth_enabled; }
+std::optional<OIDCConfig> ConfigManager::getGlobalOIDCConfig() const { return global_auth_config.oidc; }
 const std::vector<EndpointConfig>& ConfigManager::getEndpoints() const { return endpoints; }
 std::string ConfigManager::getBasePath() const { return base_path.string(); }
 

src/include/auth_middleware.hpp

@@ -41,6 +41,8 @@ class AuthMiddleware {
     struct context {
         bool authenticated = false;
         std::string username;
+        std::string email;       // populated for OIDC auth, empty otherwise
+        std::string auth_type;   // "basic", "bearer", or "oidc"
         std::vector<std::string> roles;
     };
 

src/include/config_manager.hpp

@@ -497,6 +497,7 @@ class ConfigManager {
     const HttpsConfig& getHttpsConfig() const;
     bool isHttpsEnforced() const;
     bool isAuthEnabled() const;
+    std::optional<OIDCConfig> getGlobalOIDCConfig() const;
     const EndpointConfig* getEndpointForPath(const std::string& path) const;
     const EndpointConfig* getEndpointForPathAndMethod(const std::string& path, const std::string& httpMethod) const;
     const std::vector<EndpointConfig>& getEndpoints() const;
@@ -564,6 +565,7 @@ class ConfigManager {
     std::unordered_map<std::string, ConnectionConfig> connections;
     RateLimitConfig rate_limit_config;
     bool auth_enabled;
+    AuthConfig global_auth_config;
     std::vector<EndpointConfig> endpoints;
     std::filesystem::path base_path;
     DuckDBConfig duckdb_config;

src/include/request_handler.hpp

@@ -14,14 +14,14 @@ namespace flapi {
 class RequestHandler {
 public:
     RequestHandler(std::shared_ptr<DatabaseManager> db_manager, std::shared_ptr<ConfigManager> config_manager);
-    void handleRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams);
+    void handleRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams = {});
 
 private:
     std::map<std::string, std::string> defaultParams;
 
     void handleDeleteRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams);
-    void handleGetRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams);
-    void handleWriteRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams);
+    void handleGetRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams);
+    void handleWriteRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams);
     void handleCacheAfterWrite(const EndpointConfig& endpoint, const WriteResult& writeResult);
 
     bool isCacheDetailsRequest(const crow::request& req, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams);

src/request_handler.cpp

@@ -19,7 +19,7 @@ RequestHandler::RequestHandler(std::shared_ptr<DatabaseManager> db_manager, std:
     defaultParams["limit"] = "100";
 }
 
-void RequestHandler::handleRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams) {
+void RequestHandler::handleRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams) {
     // Skip if response already completed (e.g., by rate limit or auth middleware)
     if (res.is_completed()) {
         CROW_LOG_DEBUG << "Skipping request handler - response already completed";
@@ -30,12 +30,12 @@ void RequestHandler::handleRequest(const crow::request& req, crow::response& res
 
     switch (req.method) {
         case crow::HTTPMethod::Get:
-            handleGetRequest(req, res, endpoint, pathParams);
+            handleGetRequest(req, res, endpoint, pathParams, authParams);
             break;
         case crow::HTTPMethod::Post:
         case crow::HTTPMethod::Put:
         case crow::HTTPMethod::Patch:
-            handleWriteRequest(req, res, endpoint, pathParams);
+            handleWriteRequest(req, res, endpoint, pathParams, authParams);
             break;
         case crow::HTTPMethod::Delete:
             handleDeleteRequest(req, res, endpoint, pathParams);
@@ -48,11 +48,15 @@ void RequestHandler::handleRequest(const crow::request& req, crow::response& res
     }
 }
 
-void RequestHandler::handleWriteRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams) {
+void RequestHandler::handleWriteRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams) {
     try {
         // Extract parameters from body, path, query (body takes precedence)
         auto params = combineWriteParameters(req, pathParams, endpoint);
-        
+        // Inject auth context as reserved params for template rendering
+        for (const auto& [k, v] : authParams) {
+            params[k] = v;
+        }
+
         // Validate parameters
         auto validationErrors = validator->validateRequestParameters(endpoint.request_fields, params);
 
@@ -159,9 +163,13 @@ void RequestHandler::handleDeleteRequest(const crow::request& req, crow::respons
     }
 }
 
-void RequestHandler::handleGetRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams) {
+void RequestHandler::handleGetRequest(const crow::request& req, crow::response& res, const EndpointConfig& endpoint, const std::map<std::string, std::string>& pathParams, const std::map<std::string, std::string>& authParams) {
     try {
         auto params = combineParameters(req, defaultParams, pathParams, endpoint);
+        // Inject auth context as reserved params for template rendering
+        for (const auto& [k, v] : authParams) {
+            params[k] = v;
+        }
 
         // First validate the known parameters
         auto validationErrors = validator->validateRequestParameters(endpoint.request_fields, params);

src/sql_template_processor.cpp

@@ -150,6 +150,22 @@ crow::mustache::context SQLTemplateProcessor::createTemplateContext(const Endpoi
         params.erase("primaryKeys");
     }
 
+    // Extract auth params (reserved __auth_ prefix) and inject into ctx["auth"]
+    static const std::vector<std::pair<std::string, std::string>> auth_keys = {
+        {"__auth_username",      "username"},
+        {"__auth_roles",         "roles"},
+        {"__auth_email",         "email"},
+        {"__auth_type",          "type"},
+        {"__auth_authenticated", "authenticated"},
+    };
+    for (const auto& [param_key, ctx_key] : auth_keys) {
+        auto it = params.find(param_key);
+        if (it != params.end()) {
+            ctx["auth"][ctx_key] = it->second;
+            params.erase(it);
+        }
+    }
+
     // Add request parameters
     for (const auto& [key, value] : params) {
         ctx["params"][key] = value;