Implement OIDC authentication middleware and session management

2025-02-22 02:28:57 -06:00
parent 7d49e49de0
commit e7f1e6ae92
4 changed files with 198 additions and 54 deletions
--- a/cmd/start.go
+++ b/cmd/start.go
@ -20,9 +20,14 @@ import (
 	"log"
 	"net/http"

+	"context"
+
 	"git.coopcloud.tech/wiki-cafe/member-console/internal/middleware"
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gorilla/sessions"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"golang.org/x/oauth2"
 )

 var startCmd = &cobra.Command{
@ -40,9 +45,46 @@ var startCmd = &cobra.Command{
 		// Create a new HTTP request router
 		httpRequestRouter := http.NewServeMux()

-		// Create a middleware stack
+		// Add to Run function
+		store := sessions.NewCookieStore(
+			[]byte(viper.GetString("session-secret")),
+		)
+		store.Options = &sessions.Options{
+			HttpOnly: true,
+			Secure:   viper.GetString("env") == "production",
+			SameSite: http.SameSiteLaxMode,
+			MaxAge:   86400 * 7, // 1 week
+		}
+
+		// OIDC Provider
+		provider, err := oidc.NewProvider(context.Background(), viper.GetString("issuer-url"))
+		if err != nil {
+			log.Fatal("Failed to initialize OIDC provider:", err)
+		}
+
+		// OAuth2 Config
+		oauthConfig := &oauth2.Config{
+			ClientID:     viper.GetString("client-id"),
+			ClientSecret: viper.GetString("client-secret"),
+			RedirectURL:  viper.GetString("redirect-url"),
+			Endpoint:     provider.Endpoint(),
+			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
+		}
+
+		authConfig := &middleware.AuthConfig{
+			Store:       store,
+			OAuthConfig: oauthConfig,
+			Verifier:    provider.Verifier(&oidc.Config{ClientID: oauthConfig.ClientID}),
+		}
+
+		// Register handlers
+		httpRequestRouter.HandleFunc("/login", middleware.LoginHandler(authConfig))
+		httpRequestRouter.HandleFunc("/callback", middleware.CallbackHandler(authConfig))
+
+		// Update middleware stack
 		stack := middleware.CreateStack(
 			middleware.Logging,
+			middleware.AuthMiddleware(authConfig),
 		)

 		server := http.Server{
@ -60,9 +102,14 @@ var startCmd = &cobra.Command{
 func init() {
 	// Register the port flag with Cobra
 	startCmd.Flags().StringP("port", "p", "", "Port to listen on")
+	startCmd.Flags().String("client-id", "", "OIDC Client ID")
+	startCmd.Flags().String("client-secret", "", "OIDC Client Secret")
+	startCmd.Flags().String("issuer-url", "", "Keycloak Issuer URL")
+	startCmd.Flags().String("redirect-url", "", "OAuth Redirect URL")
+	startCmd.Flags().String("session-secret", "", "Session encryption secret")

-	// Bind the flag to Viper
-	viper.BindPFlag("port", startCmd.Flags().Lookup("port"))
+	// Bind the flags to Viper
+	viper.BindPFlags(startCmd.Flags())

 	// Set a default value for the port if no flag or env variable is provided
 	viper.SetDefault("port", "8080")