config

2024-08-04 08:55:12 -04:00 · 2024-08-04 08:55:12 -04:00 · 8742029109
commit 8742029109
parent aff226940f
5 changed files with 32 additions and 14 deletions
--- a/config.yaml.sample
+++ b/config.yaml.sample
@ -1,6 +1,12 @@
 db:
  driver: pgx
  connect: 'postgres://postgres:password@localhost:5432/example'
-jwtsecret: 'super secret string'
+auth:
+  jwtsecret: 'super secret string'
+  # this is the JWT cookie domain
+  domain: example.com
+  # this allows the JWT cookie to be served over plain HTTP only for these Host: header values
+  allowInsecureFor:
+    "localhost:3050": true
 listen: ':3050'
 public: true
--- a/pkg/gordio/auth/auth.go
+++ b/pkg/gordio/auth/auth.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"net/http"

+	"dynatron.me/x/stillbox/pkg/gordio/config"
 	"github.com/go-chi/jwtauth/v5"
 )

@ -28,13 +29,14 @@ type Authenticator interface {
 type authenticator struct {
 	domain string
 	jwt    *jwtauth.JWTAuth
+	cfg    *config.Auth
 }

-// NewAuthenticator creates a new Authenticator with the provided JWT secret and cookie domain.
-func NewAuthenticator(jwtSecret string, domain string) Authenticator {
+// NewAuthenticator creates a new Authenticator with the provided config.
+func NewAuthenticator(cfg *config.Auth) Authenticator {
 	return &authenticator{
-		domain: domain,
-		jwt:    jwtauth.New("HS256", []byte(jwtSecret), nil),
+		domain: cfg.Domain,
+		jwt:    jwtauth.New("HS256", []byte(cfg.JWTSecret), nil),
 	}
 }

--- a/pkg/gordio/auth/jwt.go
+++ b/pkg/gordio/auth/jwt.go
@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"net/http"
-	"strings"
 	"time"

 	"golang.org/x/crypto/bcrypt"
@ -94,6 +93,11 @@ func (a *authenticator) PublicRoutes(r chi.Router) {
 	r.Post("/login", a.routeAuth)
 }

+func (a *authenticator) allowInsecureCookie(r *http.Request) bool {
+	v, has := a.cfg.AllowInsecure[r.Host]
+	return has && v == true
+}
+
 func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) {
 	err := r.ParseForm()
 	if err != nil {
@ -115,7 +119,7 @@ func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) {
 		Name:     "jwt",
 		Value:    tok,
 		HttpOnly: true,
-		Secure:   !strings.HasPrefix(r.Host, "localhost:"),
+		Secure:   a.allowInsecureCookie(r),
 		Domain:   a.domain,
 	})

--- a/pkg/gordio/config/config.go
+++ b/pkg/gordio/config/config.go
@ -1,22 +1,28 @@
 package config

 import (
+	"os"
+
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v3"
-	"os"
 )

 type Config struct {
-	DB        DB     `yaml:"db"`
-	JWTSecret string `yaml:"jwtsecret"`
-	Listen    string `yaml:"listen"`
-	Public    bool   `yaml:"public"`
-	Domain    string `yaml:"domain"`
+	DB     DB     `yaml:"db"`
+	Auth   Auth   `yaml:"auth"`
+	Listen string `yaml:"listen"`
+	Public bool   `yaml:"public"`

 	configPath string
 }

+type Auth struct {
+	JWTSecret     string          `yaml:"jwtsecret"`
+	Domain        string          `yaml:"domain"`
+	AllowInsecure map[string]bool `yaml:"allowInsecureFor"`
+}
+
 type DB struct {
 	Connect string `yaml:"connect"`
 	Driver  string `yaml:"driver"`
--- a/pkg/gordio/server/server.go
+++ b/pkg/gordio/server/server.go
@ -30,7 +30,7 @@ func New(cfg *config.Config) (*Server, error) {
 	}

 	r := chi.NewRouter()
-	authenticator := auth.NewAuthenticator(cfg.JWTSecret, cfg.Domain)
+	authenticator := auth.NewAuthenticator(&cfg.Auth)
 	srv := &Server{
 		auth: authenticator,
 		conf: cfg,