feat: implement allowlist to skip authentication

cmd/main.go

@@ -43,8 +43,6 @@ func main() {
 	logger.Info("Starting: Authentication Service")
 
 	oidcClient := clients.NewOAuth2OIDCClient(logger, oidcClientConfiguration)
-	// Start OIDC Provider setup.
-	oidcClient.StartSetup()
 
 	// Initializes a storage to save temporary sessions configured with TTL.
 	sessionStorage := storages.NewSessionStorage()
@@ -64,7 +62,9 @@ func main() {
 
 	httpServer := server.NewServer(logger, serverConfiguration)
 	restController.Boot(httpServer)
-	httpServer.Run(context.Background())
+
+	// Run HTTP Server and start setup the OIDC Provider.
+	httpServer.Run(context.Background(), oidcClient.StartSetup)
 
 	// HealthCheck
 	httpServer.AddHealthz()

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.2.0
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/stretchr/testify v1.7.0
-	github.com/ydataai/go-core v0.2.1
+	github.com/ydataai/go-core v0.4.0
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 )
 

go.sum

@@ -471,8 +471,8 @@ github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVM
 github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
-github.com/ydataai/go-core v0.2.1 h1:ZQoL04MyUa+3Qsrzzfqbg2g2NpmIeiBjCElgr3bceu8=
-github.com/ydataai/go-core v0.2.1/go.mod h1:tdL95U51Wzr0GJvYsVXk4oNXz7P0NiVxc574NnhcLq4=
+github.com/ydataai/go-core v0.4.0 h1:ZkI09itxvi+q5ctboTAvQWALS7lWjdedM29a+k4Vu0c=
+github.com/ydataai/go-core v0.4.0/go.mod h1:zrMbN0hjPUPjs3O+z3yKwNtvsl9ioPhhn8aSBfcJ0Jw=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

internal/configurations/rest_controller_configuration.go

@@ -14,6 +14,7 @@ type RESTControllerConfiguration struct {
 	HTTPRequestTimeout time.Duration `envconfig:"HTTP_REQUEST_TIMEOUT" default:"30s"`
 	UserIDHeader       string        `envconfig:"USER_ID_HEADER" default:"userid"`
 	CookieMaxAge       int           `envconfig:"COOKIE_MAX_AGE" default:"86400"`
+	SkipURLs           []string      `envconfig:"SKIP_URLS" default:"/dex" split_words:"true"`
 }
 
 // LoadFromEnvVars reads all env vars.

internal/controllers/rest_controller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -42,9 +43,14 @@ func NewRESTController(
 
 // Boot initializes creating some routes.
 func (rc RESTController) Boot(s *server.Server) {
+	s.Router.Use(rc.skipURLsMiddleware())
+
 	s.Router.GET(rc.configuration.AuthServiceURL, gin.WrapF(rc.CheckForAuthentication))
 	s.Router.GET(rc.configuration.OIDCCallbackURL, gin.WrapF(rc.OIDCProviderCallback))
-	s.Router.GET(rc.configuration.LogoutURL, gin.WrapF(rc.Logout))
+	s.Router.POST(rc.configuration.LogoutURL, gin.WrapF(rc.Logout))
+
+	s.Router.Any("/:forward", gin.WrapF(rc.CheckForAuthentication))
+	s.Router.Any("/:forward/*any", gin.WrapF(rc.CheckForAuthentication))
 }
 
 // CheckForAuthentication is responsible for knowing if the user already has a valid credential or not.
@@ -186,3 +192,17 @@ func (rc RESTController) forbiddenResponse(w http.ResponseWriter, err error) {
 	}
 	json.NewEncoder(w).Encode(jsonBody)
 }
+
+// skipURLsMiddleware is a middleware that skips all requests configured in SKIP_URL.
+func (rc RESTController) skipURLsMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		for _, skipURL := range rc.configuration.SkipURLs {
+			if strings.HasPrefix(c.Request.URL.Path, skipURL) {
+				rc.logger.Infof("URL %s was skipped. Accepted without authorization.", c.Request.URL.Path)
+				c.Abort()
+				return
+			}
+		}
+		c.Next()
+	}
+}