152 lines
5.0 KiB
Go
152 lines
5.0 KiB
Go
/*
|
|
Copyright © 2025 Wiki Cafe <mail@wiki.cafe>
|
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
package cmd
|
|
|
|
import (
|
|
"log"
|
|
"net/http"
|
|
"net/url"
|
|
|
|
"context"
|
|
|
|
"git.coopcloud.tech/wiki-cafe/member-console/internal/middleware"
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
"github.com/gorilla/sessions"
|
|
"github.com/spf13/cobra"
|
|
"github.com/spf13/viper"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
var startCmd = &cobra.Command{
|
|
Use: "start",
|
|
Short: "Start serving the member-console web application",
|
|
Long: `The start command starts an HTTP server that serves the member-console web
|
|
application from the components directory in the current directory.
|
|
|
|
The server listens on port 8080 by default, unless a different port is specified using the --port flag.`,
|
|
Args: cobra.NoArgs,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
// Retrieve the port value from Viper
|
|
port := viper.GetString("port")
|
|
|
|
// Create a new HTTP request router
|
|
httpRequestRouter := http.NewServeMux()
|
|
|
|
// Add to Run function
|
|
store := sessions.NewCookieStore(
|
|
[]byte(viper.GetString("session-secret")),
|
|
)
|
|
store.Options = &sessions.Options{
|
|
HttpOnly: true,
|
|
Secure: viper.GetString("env") == "production",
|
|
SameSite: http.SameSiteLaxMode,
|
|
MaxAge: 86400 * 7, // 1 week
|
|
}
|
|
|
|
// OIDC Provider
|
|
provider, err := oidc.NewProvider(context.Background(), viper.GetString("issuer-url"))
|
|
if err != nil {
|
|
log.Fatal("Failed to initialize OIDC provider:", err)
|
|
}
|
|
|
|
// OAuth2 Config
|
|
oauthConfig := &oauth2.Config{
|
|
ClientID: viper.GetString("client-id"),
|
|
ClientSecret: viper.GetString("client-secret"),
|
|
RedirectURL: viper.GetString("redirect-url"),
|
|
Endpoint: provider.Endpoint(),
|
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
|
}
|
|
|
|
authConfig := &middleware.AuthConfig{
|
|
Store: store,
|
|
OAuthConfig: oauthConfig,
|
|
Verifier: provider.Verifier(&oidc.Config{ClientID: oauthConfig.ClientID}),
|
|
}
|
|
|
|
// Register handlers
|
|
httpRequestRouter.HandleFunc("/login", middleware.LoginHandler(authConfig))
|
|
httpRequestRouter.HandleFunc("/callback", middleware.CallbackHandler(authConfig))
|
|
// Update the logout handler to include Keycloak integration
|
|
httpRequestRouter.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
|
|
// 1. Get session and immediately expire it
|
|
session, _ := authConfig.Store.Get(r, "auth-session")
|
|
session.Values["authenticated"] = false
|
|
session.Options.MaxAge = -1 // Immediate deletion
|
|
session.Save(r, w)
|
|
|
|
// 2. Keycloak logout parameters
|
|
keycloakLogoutURL, err := url.Parse(viper.GetString("issuer-url") + "/protocol/openid-connect/logout")
|
|
if err != nil {
|
|
log.Printf("Error parsing logout URL: %v", err)
|
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// 3. Build logout URL with post_logout_redirect_uri and id_token_hint
|
|
q := keycloakLogoutURL.Query()
|
|
q.Set("post_logout_redirect_uri", viper.GetString("redirect-url"))
|
|
q.Set("client_id", viper.GetString("client-id"))
|
|
|
|
// Retrieve ID token from session if available
|
|
if idToken, ok := session.Values["id_token"].(string); ok {
|
|
q.Set("id_token_hint", idToken)
|
|
}
|
|
|
|
keycloakLogoutURL.RawQuery = q.Encode()
|
|
|
|
// 4. Redirect to Keycloak for global session termination
|
|
http.Redirect(w, r, keycloakLogoutURL.String(), http.StatusFound)
|
|
})
|
|
|
|
// Update middleware stack
|
|
stack := middleware.CreateStack(
|
|
middleware.Logging,
|
|
middleware.AuthMiddleware(authConfig),
|
|
)
|
|
|
|
server := http.Server{
|
|
Addr: ":" + port,
|
|
Handler: stack(httpRequestRouter),
|
|
}
|
|
|
|
// Serve the components directory
|
|
httpRequestRouter.Handle("/", http.FileServer(http.Dir("./components")))
|
|
log.Println("Starting server on port", port)
|
|
log.Fatal(server.ListenAndServe())
|
|
},
|
|
}
|
|
|
|
func init() {
|
|
// Register the port flag with Cobra
|
|
startCmd.Flags().StringP("port", "p", "", "Port to listen on")
|
|
startCmd.Flags().String("client-id", "", "OIDC Client ID")
|
|
startCmd.Flags().String("client-secret", "", "OIDC Client Secret")
|
|
startCmd.Flags().String("issuer-url", "", "Keycloak Issuer URL")
|
|
startCmd.Flags().String("redirect-url", "", "OAuth Redirect URL")
|
|
startCmd.Flags().String("session-secret", "", "Session encryption secret")
|
|
|
|
// Bind the flags to Viper
|
|
viper.BindPFlags(startCmd.Flags())
|
|
|
|
// Set a default value for the port if no flag or env variable is provided
|
|
viper.SetDefault("port", "8080")
|
|
|
|
// Add the command to the root command
|
|
rootCmd.AddCommand(startCmd)
|
|
}
|