feat: harden proxy OAuth authentication with enhanced security and usability #628

Merged
merged 1 commit into from
Jun 5, 2025

JAORMX
Collaborator

@JAORMX JAORMX commented Jun 4, 2025

Overview

This PR enhances the proxy OAuth authentication system with security hardening, improved code quality, and better user experience based on post-merge feedback for commit aeceaa7.

Security Hardening

  • Secure credential handling: Added --remote-auth-client-secret-file flag for file-based credential storage
  • Environment variable support: Added TOOLHIVE_REMOTE_OAUTH_CLIENT_SECRET environment variable
  • Credential precedence: Implemented secure resolution order (flag → file → env var)
  • Path validation: Added filepath.Clean() validation for secure file handling
  • Enhanced logging: Protected sensitive information while maintaining debuggability

Code Quality Enhancements

  • Configurable timeouts: Replaced hardcoded timeouts with named constants
  • Better error handling: Comprehensive error propagation and wrapping
  • Separation of concerns: Refactored authentication logic into focused functions
  • Documentation: Added comprehensive function documentation and inline comments
  • Context optimization: Improved context handling for better resource management

Robustness Improvements

  • WWW-Authenticate parsing: Complete rewrite for better compatibility
  • Multi-scheme support: Added support for Bearer, Basic, and Digest authentication
  • Parameter extraction: Enhanced handling of quotes and whitespace
  • Production-ready defaults: Added configurable timeouts with sensible defaults
  • HTTP client config: Improved timeout and transport settings

Documentation & UX

  • Comprehensive docs: Added detailed command documentation with examples
  • Authentication modes: Documented all credential source options
  • Usage examples: Provided clear examples for different scenarios
  • Security features: Detailed explanations of security best practices

Backward Compatibility

✅ All changes maintain full backward compatibility with existing configurations.

Testing

  • ✅ All linting issues resolved (0 golangci-lint issues)
  • ✅ Code follows security best practices
  • ✅ Comprehensive error handling and validation

Examples

Basic transparent proxy

thv proxy my-server --target-uri http://localhost:8080

Proxy with OAuth authentication using file-based secret

thv proxy my-server --target-uri https://api.example.com \
  --remote-auth --remote-auth-issuer https://auth.example.com \
  --remote-auth-client-id my-client-id \
  --remote-auth-client-secret-file /path/to/secret

Using environment variable for secret

export TOOLHIVE_REMOTE_OAUTH_CLIENT_SECRET="your-secret"
thv proxy my-server --target-uri https://api.example.com \
  --remote-auth --remote-auth-issuer https://auth.example.com \
  --remote-auth-client-id my-client-id

Changes Summary

  • Files changed: 1
  • Insertions: +184
  • Deletions: -30
  • Net addition: +154 lines

This enhancement significantly improves the security posture, reliability, and maintainability of the authentication system while providing a better user experience.
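
The credential precedence listed under Security Hardening (flag → file → env var), sketched as an added Go example; it is not code from this PR or from the project. The helper names `resolveClientSecret` and `demoSources` are hypothetical, and treating an empty secret file as an error is an assumption of the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const envSecret = "TOOLHIVE_REMOTE_OAUTH_CLIENT_SECRET" // variable name from the PR description

// resolveClientSecret (hypothetical helper) applies the stated precedence flag ->
// file -> env var and returns the winning source, which is safe to log.
func resolveClientSecret(flagVal, file string) (string, string, error) {
	if flagVal != "" {
		return flagVal, "flag", nil
	}
	if file != "" {
		// Clean is lexical only: no symlink resolution, no directory confinement.
		data, err := os.ReadFile(filepath.Clean(file))
		if err != nil {
			return "", "", fmt.Errorf("read client secret file: %w", err)
		}
		if s := strings.TrimSpace(string(data)); s != "" { // strips the trailing newline
			return s, "file", nil
		}
		return "", "", fmt.Errorf("client secret file %q is empty", file)
	}
	if v := os.Getenv(envSecret); v != "" {
		return v, "env", nil
	}
	return "", "none", nil // assumption: caller decides whether a secret is required
}

// demoSources runs three constructed cases and returns the source chosen for each.
func demoSources() []string {
	dir, _ := os.MkdirTemp("", "thv-demo")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "secret")
	_ = os.WriteFile(path, []byte("file-secret\n"), 0o600) // constructed sample values
	os.Setenv(envSecret, "env-secret")
	var out []string
	for _, c := range [][2]string{{"flag-secret", path}, {"", path}, {"", ""}} {
		_, src, _ := resolveClientSecret(c[0], c[1])
		out = append(out, src)
	}
	return out
}

func main() { fmt.Println(demoSources()) }
```

Logging only the returned source label keeps the secret out of log output while still showing which input was used.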

@JAORMX JAORMX requested review from eleftherias and ChrisJBurns June 4, 2025 15:53
@JAORMX JAORMX force-pushed the fix/proxy-oauth-security-improvements branch from 92e7af3 to d207556 Compare June 4, 2025 15:55
…ability

This commit enhances the proxy OAuth authentication system with security
hardening, improved code quality, and better user experience based on
post-merge feedback for commit aeceaa7.

Security Hardening:
- Add --remote-auth-client-secret-file flag for secure file-based credential storage
- Add TOOLHIVE_REMOTE_OAUTH_CLIENT_SECRET environment variable support
- Implement secure credential resolution with clear precedence order
- Add filepath.Clean() validation for secure file handling
- Enhance logging to protect sensitive information while maintaining debuggability

Code Quality Enhancements:
- Replace hardcoded timeouts with configurable named constants
- Improve error handling with comprehensive error propagation and wrapping
- Refactor authentication logic into well-separated, focused functions
- Add comprehensive function documentation and inline comments
- Optimize context handling for better resource management

Robustness Improvements:
- Completely rewrite WWW-Authenticate header parsing for better compatibility
- Add support for multiple authentication schemes (Bearer, Basic, Digest)
- Enhance parameter extraction with proper quote and whitespace handling
- Add configurable timeouts with production-ready defaults
- Improve HTTP client configuration with appropriate timeout settings

Documentation & UX:
- Add comprehensive command documentation with practical examples
- Document all authentication modes and credential source options
- Provide clear usage examples for different deployment scenarios
- Add detailed explanations of security features and best practices

All changes maintain full backward compatibility while significantly enhancing
the security posture, reliability, and maintainability of the authentication system.

Signed-off-by: Juan Antonio Osorio <[email protected]>
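
The quote and whitespace handling that the commit message lists for WWW-Authenticate parameters, as an added Go example; it is not the PR's parser. `parseChallenge` is a hypothetical name, and the sketch assumes one challenge per header value in `name=value` form, restricted to the three schemes the message names.

```go
package main

import (
	"fmt"
	"strings"
)

// parseChallenge (hypothetical helper) parses one WWW-Authenticate challenge in
// name=value form into a lower-cased scheme and its parameters.
func parseChallenge(h string) (string, map[string]string, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(h), " ")
	scheme = strings.ToLower(scheme)
	if scheme != "bearer" && scheme != "basic" && scheme != "digest" {
		return "", nil, fmt.Errorf("unsupported auth scheme %q", scheme)
	}
	params, key, val := map[string]string{}, "", ""
	var inQuote, inVal bool
	flush := func() { // store the finished pair and reset the state
		if k := strings.ToLower(strings.TrimSpace(key)); k != "" {
			params[k] = val
		}
		key, val, inVal = "", "", false
	}
	for i := 0; i < len(rest); i++ {
		switch ch := rest[i]; {
		case inQuote && ch == '\\' && i+1 < len(rest): // quoted-pair: keep next byte
			i++
			val += rest[i : i+1]
		case ch == '"':
			inQuote = !inQuote
		case inQuote: // commas and spaces inside quotes are data
			val += rest[i : i+1]
		case ch == ',':
			flush()
		case ch == '=' && !inVal:
			inVal = true
		case inVal && ch != ' ' && ch != '\t': // unquoted token, whitespace dropped
			val += rest[i : i+1]
		case !inVal:
			key += rest[i : i+1]
		}
	}
	if inQuote {
		return "", nil, fmt.Errorf("unterminated quoted string in %s challenge", scheme)
	}
	flush()
	return scheme, params, nil
}

func main() { fmt.Println(parseChallenge(`Bearer realm="a, b", scope = openid`)) } // constructed header
```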
@JAORMX JAORMX force-pushed the fix/proxy-oauth-security-improvements branch from d207556 to 088f397 Compare June 5, 2025 10:04
@JAORMX JAORMX merged commit b284eeb into main Jun 5, 2025
12 checks passed
@JAORMX JAORMX deleted the fix/proxy-oauth-security-improvements branch June 5, 2025 10:30