| author | mo khan <mo@mokhan.ca> | 2025-05-28 12:34:58 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-28 12:34:58 -0600 |
| commit | 5b6ed074bfb9c99d24d17dd9ba720d69fadf91b1 (patch) | |
| tree | 74474329b307000c45bfee2e6618985aded69dd9 | |
| parent | 591f293c8bcf464ed62701321d3f27de31ceb621 (diff) | |
refactor: delete jwt verification code
| -rw-r--r-- | app/init.go | 22 | ||||
| -rw-r--r-- | app/middleware/from_cookie.go | 15 | ||||
| -rw-r--r-- | app/middleware/from_custom_header.go | 9 | ||||
| -rw-r--r-- | app/middleware/init.go | 2 | ||||
| -rw-r--r-- | app/middleware/raw_token.go | 7 | ||||
| -rw-r--r-- | app/middleware/token_parser.go | 3 | ||||
| -rw-r--r-- | app/middleware/user.go | 23 | ||||
| -rw-r--r-- | app/middleware/user_parser.go | 16 | ||||
| -rw-r--r-- | app/middleware/user_parser_test.go | 36 | ||||
| -rw-r--r-- | app/middleware/user_test.go | 2 | ||||
| -rwxr-xr-x | bin/envoy.sh | 2 | ||||
| -rw-r--r-- | pkg/web/cookie.go | 35 | ||||
| -rw-r--r-- | pkg/web/cookie_test.go | 33 | ||||
| -rw-r--r-- | pkg/web/oidc.go | 27 |
14 files changed, 19 insertions, 213 deletions
diff --git a/app/init.go b/app/init.go
index 935c962..5057fe4 100644
--- a/app/init.go
+++ b/app/init.go
@@ -1,24 +1,20 @@
 package app
 import (
- "context"
 "net/http"
 "os"
- "github.com/coreos/go-oidc/v3/oidc"
 "github.com/rs/zerolog"
 "github.com/xlgmokha/x/pkg/env"
 "github.com/xlgmokha/x/pkg/ioc"
 "github.com/xlgmokha/x/pkg/log"
 "github.com/xlgmokha/x/pkg/mapper"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/dashboard"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/sparkles"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/db"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
- "golang.org/x/oauth2"
 )
 func init() {
@@ -28,9 +24,6 @@ func init() {
 ioc.RegisterSingleton[domain.Repository[*domain.Sparkle]](ioc.Default, func() domain.Repository[*domain.Sparkle] {
 return db.NewRepository[*domain.Sparkle]()
 })
- ioc.RegisterSingleton[domain.Repository[*domain.User]](ioc.Default, func() domain.Repository[*domain.User] {
- return db.NewRepository[*domain.User]()
- })
 ioc.RegisterSingleton[*http.ServeMux](ioc.Default, func() *http.ServeMux {
 return http.NewServeMux()
 })
@@ -47,21 +40,6 @@ func init() {
 },
 }
 })
- ioc.RegisterSingleton[*oidc.Provider](ioc.Default, func() *oidc.Provider {
- ctx := context.WithValue(
- context.Background(),
- oauth2.HTTPClient,
- ioc.MustResolve[*http.Client](ioc.Default),
- )
- return web.NewOIDCProvider(ctx, cfg.OIDCIssuer, func(err error) {
- ioc.MustResolve[*zerolog.Logger](ioc.Default).Err(err).Send()
- })
- })
- ioc.Register[*oidc.Config](ioc.Default, func() *oidc.Config {
- return &oidc.Config{
- ClientID: cfg.OAuthClientID,
- }
- })
 ioc.Register[rpc.Ability](ioc.Default, func() rpc.Ability {
 return rpc.NewAbilityProtobufClient(
 env.Fetch("AUTHZD_HOST", ""),
diff --git a/app/middleware/from_cookie.go b/app/middleware/from_cookie.go
deleted file mode 100644
index 316d6e4..0000000
--- a/app/middleware/from_cookie.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package middleware
-
-import "net/http"
-
-func FromCookie(name string) TokenParser {
- return func(r *http.Request) RawToken {
- cookies := r.CookiesNamed(name)
-
- if len(cookies) != 1 {
- return ""
- }
-
- return RawToken(cookies[0].Value)
- }
-}
diff --git a/app/middleware/from_custom_header.go b/app/middleware/from_custom_header.go
deleted file mode 100644
index f385911..0000000
--- a/app/middleware/from_custom_header.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package middleware
-
-import "net/http"
-
-func FromCustomHeader(name string) TokenParser {
- return func(r *http.Request) RawToken {
- return RawToken(r.Header.Get(name))
- }
-}
diff --git a/app/middleware/init.go b/app/middleware/init.go
index 5bf84f6..23c524d 100644
--- a/app/middleware/init.go
+++ b/app/middleware/init.go
@@ -13,7 +13,7 @@ func init() {
 subject := h.Get("x-jwt-claim-sub")
 if x.IsPresent(subject) {
 return &domain.User{
- ID: domain.ID(subject),
+ ID: domain.ID(h.Get("x-jwt-claim-sub")),
 Username: h.Get("x-jwt-claim-username"),
 ProfileURL: h.Get("x-jwt-claim-profile-url"),
 Picture: h.Get("x-jwt-claim-picture-url"),
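Review bot: The replaced line re-reads the header that `subject` already holds, so `ID: domain.ID(h.Get("x-jwt-claim-sub"))` and the `x.IsPresent(subject)` guard two lines above now name the same value twice; `ID: domain.ID(subject),` was the clearer form and should be restored. If the intent was to stop holding `subject` at all, the guard would have to change as well, which this hunk does not do. The enclosing mapper registration in `init()` starts and ends outside the hunk, including whatever it returns when the `x-jwt-claim-sub` header is absent, so that path is not visible here.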
diff --git a/app/middleware/raw_token.go b/app/middleware/raw_token.go
deleted file mode 100644
index f7aa264..0000000
--- a/app/middleware/raw_token.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package middleware
-
-type RawToken string
-
-func (r RawToken) String() string {
- return string(r)
-}
diff --git a/app/middleware/token_parser.go b/app/middleware/token_parser.go
deleted file mode 100644
index 1a92760..0000000
--- a/app/middleware/token_parser.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package middleware
-
-type TokenParser RequestParser[RawToken]
diff --git a/app/middleware/user.go b/app/middleware/user.go
index 90bf6aa..2b2dd17 100644
--- a/app/middleware/user.go
+++ b/app/middleware/user.go
@@ -3,20 +3,27 @@ package middleware
 import (
 "net/http"
- "github.com/xlgmokha/x/pkg/x"
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/mapper"
 "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
 )
 func User() func(http.Handler) http.Handler {
- parser := UserParser()
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- user := parser(r)
- if x.IsPresent(user) {
- next.ServeHTTP(w, r.WithContext(cfg.CurrentUser.With(r.Context(), user)))
- } else {
- next.ServeHTTP(w, r)
- }
+ log.WithFields(r.Context(), log.Fields{
+ "payload": r.Header.Get("x-jwt-payload"),
+ "photo": r.Header.Get("x-jwt-claim-picture-url"),
+ "profile": r.Header.Get("x-jwt-claim-profile-url"),
+ "sub": r.Header.Get("x-jwt-claim-sub"),
+ "username": r.Header.Get("x-jwt-claim-username"),
+ })
+
+ next.ServeHTTP(w, r.WithContext(cfg.CurrentUser.With(
+ r.Context(),
+ mapper.MapFrom[http.Header, *domain.User](r.Header),
+ )))
 })
 }
 }
diff --git a/app/middleware/user_parser.go b/app/middleware/user_parser.go
deleted file mode 100644
index dfa0cce..0000000
--- a/app/middleware/user_parser.go
+++ /dev/null
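Review bot: The `x.IsPresent(user)` guard is gone, so `cfg.CurrentUser.With` now runs on every request; if `mapper.MapFrom[http.Header, *domain.User]` yields a nil `*domain.User` when `x-jwt-claim-sub` is absent (the mapper's fallthrough is not in this diff), the context now carries a typed nil where it previously carried nothing, and presence checks on the stored value may behave differently. Keep the guard by replacing the `next.ServeHTTP(...)` call with `user := mapper.MapFrom[http.Header, *domain.User](r.Header)`, `if user != nil { r = r.WithContext(cfg.CurrentUser.With(r.Context(), user)) }`, `next.ServeHTTP(w, r)`. The new `log.WithFields` call also records the raw `x-jwt-payload` header on every request, which writes the full claim set into the logs; logging `sub` alone is enough to correlate requests. Since this commit removes the in-process token verification, `User()` should carry a doc comment stating that the `x-jwt-claim-*` headers are trusted only because the Envoy jwt filter in front of the service populates them after validation, and that the service must not be reachable except through that proxy.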
@@ -1,16 +0,0 @@
-package middleware
-
-import (
- "net/http"
-
- "github.com/xlgmokha/x/pkg/log"
- "github.com/xlgmokha/x/pkg/mapper"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
-)
-
-func UserParser() RequestParser[*domain.User] {
- return func(r *http.Request) *domain.User {
- log.WithFields(r.Context(), log.Fields{"header": r.Header})
- return mapper.MapFrom[http.Header, *domain.User](r.Header)
- }
-}
diff --git a/app/middleware/user_parser_test.go b/app/middleware/user_parser_test.go
deleted file mode 100644
index 2127a10..0000000
--- a/app/middleware/user_parser_test.go
+++ /dev/null
@@ -1,36 +0,0 @@
-package middleware
-
-import (
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/test"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
-)
-
-func TestUserParser(t *testing.T) {
- parser := UserParser()
-
- t.Run("when x-jwt-claim-* headers are not provided", func(t *testing.T) {
- t.Run("forwards the request without a current user attached to the request", func(t *testing.T) {
- assert.Nil(t, parser(test.Request("GET", "/")))
- })
- })
-
- t.Run("when x-jwt-claim-* headers are provided", func(t *testing.T) {
- r := test.Request("GET", "/",
- test.WithRequestHeader("x-jwt-claim-sub", "1"),
- test.WithRequestHeader("x-jwt-claim-username", "root"),
- test.WithRequestHeader("x-jwt-claim-profile-url", "https://gitlab.com/tanuki"),
- test.WithRequestHeader("x-jwt-claim-picture-url", "https://example.com/profile.png"),
- )
-
- result := parser(r)
- require.NotNil(t, result)
- assert.Equal(t, domain.ID("1"), result.ID)
- assert.Equal(t, "root", result.Username)
- assert.Equal(t, "https://gitlab.com/tanuki", result.ProfileURL)
- assert.Equal(t, "https://example.com/profile.png", result.Picture)
- })
-}
diff --git a/app/middleware/user_test.go b/app/middleware/user_test.go
index c5fa7ed..66ca121 100644
--- a/app/middleware/user_test.go
+++ b/app/middleware/user_test.go
@@ -29,6 +29,8 @@ func TestUser(t *testing.T) {
 t.Run("when x-jwt-claim-* headers are provided", func(t *testing.T) {
 server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ require.True(t, IsLoggedIn(r))
+
 user := cfg.CurrentUser.From(r.Context())
 require.NotNil(t, user)
diff --git a/bin/envoy.sh b/bin/envoy.sh
index 692167c..219228f 100755
--- a/bin/envoy.sh
+++ b/bin/envoy.sh
@@ -33,4 +33,4 @@ fi
 envoy \
 --config-yaml "$yaml" \
 --log-level warn \
- --component-log-level admin:warn,connection:warn,ext_authz:info,grpc:info,health_checker:warn,http:warn,http2:warn,jwt:warn,oauth2:warn,router:warn,secret:warn,upstream:warn
+ --component-log-level admin:warn,connection:warn,ext_authz:info,grpc:info,health_checker:warn,http:warn,http2:warn,jwt:trace,oauth2:warn,router:warn,secret:warn,upstream:warn
diff --git a/pkg/web/cookie.go b/pkg/web/cookie.go
deleted file mode 100644
index 11cc807..0000000
--- a/pkg/web/cookie.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package web
-
-import (
- "net/http"
-
- "github.com/xlgmokha/x/pkg/cookie"
- "github.com/xlgmokha/x/pkg/x"
-)
-
-func NewCookie(name, value string, options ...x.Option[*http.Cookie]) *http.Cookie {
- return x.New[*http.Cookie](x.Prepend[x.Option[*http.Cookie]](
- options,
- cookie.WithName(name),
- cookie.WithValue(value),
- cookie.WithPath("/"),
- cookie.WithHttpOnly(true),
- cookie.WithSecure(true),
- )...)
-}
-
-func ExpireCookie(w http.ResponseWriter, name string) error {
- return WriteCookie(w, cookie.Reset(name,
- cookie.WithPath("/"),
- cookie.WithHttpOnly(true),
- cookie.WithSecure(true),
- ))
-}
-
-func WriteCookie(w http.ResponseWriter, c *http.Cookie) error {
- if err := c.Valid(); err != nil {
- return err
- }
- cookie.Write(w, c)
- return nil
-}
diff --git a/pkg/web/cookie_test.go b/pkg/web/cookie_test.go
deleted file mode 100644
index 1a3bfb0..0000000
--- a/pkg/web/cookie_test.go
+++ /dev/null
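Review bot: The added `require.True(t, IsLoggedIn(r))` pins only the case where the `x-jwt-claim-*` headers are present; the sibling `t.Run` for requests without those headers lies outside this hunk and, as far as is visible here, gets no mirror assertion. Adding `require.False(t, IsLoggedIn(r))` inside that handler would cover the path that changed most in `User()`, where the presence check on the mapped user was removed in this same commit. `TestUser` starts and ends outside the hunk.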
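Review bot: `jwt:trace` in the launcher script raises the jwt filter to its most verbose level on every start of the proxy, not only while debugging; at trace level the filter's per-request verification output can carry token or claim values into the proxy's stdout. Make the level an opt-in override with a safe default, for example `jwt:${ENVOY_JWT_LOG_LEVEL:-warn}` inside the `--component-log-level` list (variable name illustrative), so a normal run keeps `warn`. If the change was meant as a temporary diagnostic for this commit, it should be reverted rather than shipped in the script.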
@@ -1,33 +0,0 @@
-package web
-
-import (
- "net/http"
- "net/http/httptest"
- "testing"
- "time"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-)
-
-func TestNewCookie(t *testing.T) {
- cookie := NewCookie("name", "value")
- assert.True(t, cookie.HttpOnly)
- assert.True(t, cookie.Secure)
-}
-
-func TestExpireCookie(t *testing.T) {
- w := httptest.NewRecorder()
-
- ExpireCookie(w, "example")
-
- result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
- require.NoError(t, err)
-
- assert.Empty(t, result.Value)
- assert.Equal(t, -1, result.MaxAge)
- assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
- assert.True(t, result.HttpOnly)
- assert.True(t, result.Secure)
- assert.Zero(t, result.SameSite)
-}
diff --git a/pkg/web/oidc.go b/pkg/web/oidc.go
deleted file mode 100644
index 707a1b5..0000000
--- a/pkg/web/oidc.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package web
-
-import (
- "context"
-
- "github.com/coreos/go-oidc/v3/oidc"
-)
-
-func NewOIDCProvider(ctx context.Context, issuer string, report func(error)) *oidc.Provider {
- provider, err := oidc.NewProvider(ctx, issuer)
- if err == nil {
- return provider
- }
-
- report(err)
-
- config := &oidc.ProviderConfig{
- IssuerURL: issuer,
- AuthURL: issuer + "/oauth/authorize",
- TokenURL: issuer + "/oauth/token",
- DeviceAuthURL: "",
- UserInfoURL: issuer + "/oauth/userinfo",
- JWKSURL: issuer + "/oauth/disovery/keys",
- Algorithms: []string{"RS256"},
- }
- return config.NewProvider(ctx)
-} |
