feat: finalize context functionality

steveiliop56 · steveiliop56 · commit 62ffd2fd118d · 2026-04-29T20:11:43.000+03:00
diff --git a/internal/bootstrap/router_bootstrap.go b/internal/bootstrap/router_bootstrap.go
@@ -30,7 +30,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	}
 
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
-		CookieDomain: app.context.cookieDomain,
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
 	}, app.services.authService, app.services.oauthBrokerService)
 
 	err := contextMiddleware.Init()
@@ -98,7 +99,8 @@ func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	proxyController.SetupRoutes()
 
 	userController := controller.NewUserController(controller.UserControllerConfig{
-		CookieDomain: app.context.cookieDomain,
+		CookieDomain:      app.context.cookieDomain,
+		SessionCookieName: app.context.sessionCookieName,
 	}, apiRouter, app.services.authService)
 
 	userController.SetupRoutes()
diff --git a/internal/controller/proxy_controller.go b/internal/controller/proxy_controller.go
@@ -99,11 +99,15 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
+	if acls == nil {
+		acls = &model.App{}
+	}
+
 	tlog.App.Trace().Interface("acls", acls).Msg("ACLs for resource")
 
 	clientIP := c.ClientIP()
 
-	if controller.auth.IsBypassedIP(acls.IP, clientIP) {
+	if controller.auth.IsBypassedIP(&acls.IP, clientIP) {
 		controller.setHeaders(c, *acls)
 		c.JSON(200, gin.H{
 			"status":  200,
@@ -112,7 +116,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
+	authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, &acls.Path)
 
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -130,7 +134,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		return
 	}
 
-	if !controller.auth.CheckIP(acls.IP, clientIP) {
+	if !controller.auth.CheckIP(&acls.IP, clientIP) {
 		queries, err := query.Values(UnauthorizedQuery{
 			Resource: strings.Split(proxyCtx.Host, ".")[0],
 			IP:       clientIP,
@@ -169,7 +173,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 	tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
 
 	if userContext.Authenticated {
-		userAllowed := controller.auth.IsUserAllowed(c, *userContext, *acls)
+		userAllowed := controller.auth.IsUserAllowed(c, *userContext, acls)
 
 		if !userAllowed {
 			tlog.App.Warn().Str("user", userContext.GetUsername()).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
diff --git a/internal/middleware/context_middleware.go b/internal/middleware/context_middleware.go
@@ -80,6 +80,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				http.SetCookie(c.Writer, cookie)
 			}
 
+			tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())
 			c.Set("context", userContext)
 			c.Next()
 			return
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
@@ -346,7 +346,7 @@ func (auth *AuthService) RefreshSession(ctx context.Context, uuid string) (*http
 	}
 
 	if session.Expiry-currentTime > refreshThreshold {
-		return nil, fmt.Errorf("session not eligible for refresh yet")
+		return nil, nil
 	}
 
 	newExpiry := session.Expiry + refreshThreshold
@@ -443,7 +443,11 @@ func (auth *AuthService) LDAPAuthConfigured() bool {
 	return auth.ldap.IsConfigured()
 }
 
-func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls model.App) bool {
+func (auth *AuthService) IsUserAllowed(c *gin.Context, context model.UserContext, acls *model.App) bool {
+	if acls == nil {
+		return true
+	}
+
 	if context.Provider == model.ProviderOAuth {
 		tlog.App.Debug().Msg("Checking OAuth whitelist")
 		return utils.CheckFilter(acls.OAuth.Whitelist, context.OAuth.Email)
@@ -507,7 +511,11 @@ func (auth *AuthService) IsInLDAPGroup(c *gin.Context, context model.UserContext
 	return false
 }
 
-func (auth *AuthService) IsAuthEnabled(uri string, path model.AppPath) (bool, error) {
+func (auth *AuthService) IsAuthEnabled(uri string, path *model.AppPath) (bool, error) {
+	if path == nil {
+		return true, nil
+	}
+
 	// Check for block list
 	if path.Block != "" {
 		regex, err := regexp.Compile(path.Block)
@@ -552,7 +560,11 @@ func (auth *AuthService) GetBasicAuth(req *http.Request) (*model.LocalUser, erro
 	}, nil
 }
 
-func (auth *AuthService) CheckIP(acls model.AppIP, ip string) bool {
+func (auth *AuthService) CheckIP(acls *model.AppIP, ip string) bool {
+	if acls == nil {
+		acls = &model.AppIP{}
+	}
+
 	// Merge the global and app IP filter
 	blockedIps := append(auth.config.IP.Block, acls.Block...)
 	allowedIPs := append(auth.config.IP.Allow, acls.Allow...)
@@ -590,7 +602,11 @@ func (auth *AuthService) CheckIP(acls model.AppIP, ip string) bool {
 	return true
 }
 
-func (auth *AuthService) IsBypassedIP(acls model.AppIP, ip string) bool {
+func (auth *AuthService) IsBypassedIP(acls *model.AppIP, ip string) bool {
+	if acls == nil {
+		return false
+	}
+
 	for _, bypassed := range acls.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {`
`80`	`80`	`http.SetCookie(c.Writer, cookie)`
`81`	`81`	`}`
`82`	`82`
	`83`	`+ tlog.App.Trace().Msgf("Authenticated user from session cookie: %s", userContext.GetUsername())`
`83`	`84`	`c.Set("context", userContext)`
`84`	`85`	`c.Next()`
`85`	`86`	`return`