gotham_middleware_headerauth

A basic middleware for using request header data from upstream reverse proxies as authentication sources in gotham Web services

1 unstable release

0.1.0 Oct 7, 2022

Apache-2.0


This is a simple convenience middleware for extracting authentication information when a Gotham framework web service (https://gotham.rs) is sitting behind a separate service (e.g., reverse proxy like Apache) where the separate service performs authentication and populates authentication information into request headers.


lib.rs:

In normal use, it reads the request headers and puts an AuthAssertion into the Gotham state data which can be accessed by request handlers or other middleware.

This middleware expects that client restrictions, authentication and firewalling are handled by the reverse proxy and the network configuration. However, it includes convenience features for handling unusual situations or misconfigurations.

In order of processing:

  1. Optionally, if a development mode override is set, the AuthAssertion supplied with it will be put into the Gotham request state data and no further checks or processing will take place. This is to bypass the middleware transparently during software development.
  2. Optionally, if a white list of client IP addresses is supplied and the request did not come from one of those addresses, the request will fail.
  3. If the header for the user id is not present, the request will fail.
  4. If an optional name for a header containing a list of group memberships is given and the header is not present, the request will fail.
  5. Otherwise, the AuthAssertion is added to the Gotham request state data.

Additionally, if any header value read by this middleware contains non-UTF-8 data, the request will fail.
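The processing order above, including the non-UTF-8 failure, as an added std-only model written for this page; it is not the crate's implementation, and the names Assertion, AuthError, Config, header_str and authenticate are hypothetical stand-ins for the crate's AuthAssertion, HeaderAuthMiddlewareError and HeaderAuthMiddleware. The group header is assumed to be comma-separated, which the README does not specify.

```rust
use std::{collections::HashMap, net::IpAddr};

/// Hypothetical stand-in for the crate's AuthAssertion: user id plus optional groups.
#[derive(Debug, Clone, PartialEq)]
pub struct Assertion { pub user: String, pub groups: Option<Vec<String>> }

/// Hypothetical stand-in for the crate's HeaderAuthMiddlewareError.
#[derive(Debug, PartialEq)]
pub enum AuthError { ClientNotAllowed(IpAddr), MissingHeader(String), NonUtf8Header(String) }

/// Hypothetical configuration mirroring the options the README describes.
pub struct Config<'a> {
    pub dev_override: Option<Assertion>,
    pub allowed_clients: Option<&'a [IpAddr]>,
    pub user_header: &'a str,
    pub groups_header: Option<&'a str>,
}

/// Reads one raw header: absent is Ok(None); present but not UTF-8 is an error.
fn header_str(h: &HashMap<&str, Vec<u8>>, name: &str) -> Result<Option<String>, AuthError> {
    match h.get(name) {
        None => Ok(None),
        Some(raw) => std::str::from_utf8(raw)
            .map(|s| Some(s.to_string()))
            .map_err(|_| AuthError::NonUtf8Header(name.to_string())),
    }
}

/// Applies the README's five checks, in order, to the raw headers of one request.
pub fn authenticate(cfg: &Config, client: IpAddr, headers: &HashMap<&str, Vec<u8>>)
    -> Result<Assertion, AuthError> {
    // 1. Development override: trust it and skip every other check.
    if let Some(a) = &cfg.dev_override { return Ok(a.clone()); }
    // 2. Client allow list: only the proxy may be trusted to set these headers.
    if let Some(allowed) = cfg.allowed_clients {
        if !allowed.contains(&client) { return Err(AuthError::ClientNotAllowed(client)); }
    }
    // 3. The user id header is mandatory and must be UTF-8.
    let user = header_str(headers, cfg.user_header)?
        .ok_or_else(|| AuthError::MissingHeader(cfg.user_header.to_string()))?;
    // 4. The groups header is mandatory only when configured (assumed comma-separated).
    let groups = match cfg.groups_header {
        None => None,
        Some(name) => Some(header_str(headers, name)?
            .ok_or_else(|| AuthError::MissingHeader(name.to_string()))?
            .split(',').map(|g| g.trim().to_string()).filter(|g| !g.is_empty()).collect()),
    };
    // 5. Success: this is the assertion that would go into the Gotham state.
    Ok(Assertion { user, groups })
}
```

Note that step 2 is the only check that ties the headers to the proxy itself; without an allow list, any client able to reach the service directly can supply the user header, which is why the README expects firewalling to be handled upstream.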

Request failure amounts to returning a Gotham HandlerError that chains a HeaderAuthMiddlewareError. You may elect to catch specific errors and implement a 307 redirect in your application to direct the user to an authentication page.

Tip: when testing or developing, you can use browser add-ons such as https://mybrowseraddon.com/modify-header-value.html to inject headers and simulate the output of the authenticating reverse proxy.

To use this middleware in your code, instantiate a HeaderAuthMiddleware and then attach it to your pipeline, e.g., with new_pipeline().add().
