send user data to badger when authenticated

[pyrho]

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

tl;dr;
Add Remote-User, Remote-Name and Remote-Email headers to the upstream service request.

Why ?

Some applications accept headers to authenticate users, Pangolin has access to this information and can simply forward some basic user information.
See for example Paperless-ngx.

See also:

• user @radh21301's list of apps here
• this broader proposal to set custom headers per resources.

Changes to Pangolin

This PR introduces simple changes to the response sent to the badger middleware on the /verify-session route; namely the username, name and email (see BasicUserData).

Note that the new user info data is only sent when the user is authenticated via SSO. I guess it could be added to other means of authentication (PIN, email, ...), but would require additional DB calls, and is perhaps better overall planning of the feature.

Changes to Badger

For this to work, we also need to make small changes within badger. The following diff enables the functionality:

diff --git a/main.go b/main.go
index 2d37c34..6f87772 100644
--- a/main.go
+++ b/main.go
@@ -40,6 +40,9 @@ type VerifyResponse struct {
 	Data struct {
 		Valid           bool              `json:"valid"`
 		RedirectURL     *string           `json:"redirectUrl"`
+		Username        *string           `json:"username,omitempty"`
+		Email           *string           `json:"email,omitempty"`
+		Name            *string           `json:"name,omitempty"`
 		ResponseHeaders map[string]string `json:"responseHeaders,omitempty"`
 	} `json:"data"`
 }
@@ -204,6 +207,19 @@ func (p *Badger) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	if result.Data.Valid {
+
+		if result.Data.Username != nil {
+			req.Header.Add("Remote-User", *result.Data.Username)
+		}
+
+		if result.Data.Email != nil {
+			req.Header.Add("Remote-Email", *result.Data.Email)
+		}
+
+		if result.Data.Name != nil {
+			req.Header.Add("Remote-Name", *result.Data.Name)
+		}
+
 		fmt.Println("Badger: Valid session")
 		p.next.ServeHTTP(rw, req)
 		return

A testing middleware has been published to Traefik catalog and can be tested by replacing the Badger middleware with my patched version.

The patched middleware code is available in my hard fork or Badger.

This can be done by modifying the config/traefik/traefik_config.yml file

experimental:
  plugins:
    badger:
      #moduleName: github.com/fosrl/badger
      #version: v1.1.0
      moduleName: github.com/pyrho/badgerheaders
      version: v0.0.12

Limitations

As mentioned, this will only work when login in via Pangolin SSO (not PIN, nor resource password, nor email link).

Additionally, it seems like the server admin account only has an email. If you need the username and name, you will have to login with an Org user instead.

How to test?

Using Pangolin, proxy to a resource serving the echo docker image to https://echo.my.tld, secure it with SSO, open https://echo.my.tld, login in with Pangolin's SSO and see the headers.

I'm currently running this, and it serves my needs.

[miloschwartz]

Thank you will review soon

[miloschwartz]

Thank you @pyrho!

[pyrho]

Thank you @miloschwartz.
Please note that for this to work we also need to patch badger.

I just opened a fosrl/badger#7 to address that.