Diffstat (limited to 'pkg/web/middleware/id_token.go')
-rw-r--r--pkg/web/middleware/id_token.go56
1 files changed, 56 insertions, 0 deletions
diff --git a/pkg/web/middleware/id_token.go b/pkg/web/middleware/id_token.go
new file mode 100644
index 0000000..a32c77b
--- /dev/null
+++ b/pkg/web/middleware/id_token.go
@@ -0,0 +1,56 @@
+package middleware
+
+import (
+ "net/http"
+
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/x"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+)
+
+type TokenParser func(*http.Request) oidc.RawToken
+
+func IDTokenFromSessionCookie(r *http.Request) oidc.RawToken {
+ cookies := r.CookiesNamed("session")
+
+ if len(cookies) != 1 {
+ return ""
+ }
+
+ tokens, err := oidc.TokensFromBase64String(cookies[0].Value)
+ if err != nil {
+ log.WithFields(r.Context(), log.Fields{"error": err})
+ return ""
+ }
+
+ return tokens.IDToken
+}
+
+func IDToken(cfg *oidc.OpenID) func(http.Handler) http.Handler {
+ parsers := []TokenParser{IDTokenFromSessionCookie}
+
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ for _, parser := range parsers {
+ rawIDToken := parser(r)
+ if !x.IsZero(rawIDToken) {
+ verifier := cfg.Provider.VerifierContext(r.Context(), cfg.OIDCConfig)
+ idToken, err := verifier.Verify(r.Context(), rawIDToken.String())
+ if err != nil {
+ log.WithFields(r.Context(), log.Fields{"error": err})
+ } else {
+ log.WithFields(r.Context(), log.Fields{"id_token": idToken})
+ next.ServeHTTP(
+ w,
+ r.WithContext(key.IDToken.With(r.Context(), idToken)),
+ )
+ return
+ }
+ }
+ }
+
+ next.ServeHTTP(w, r)
+ })
+ }
+}
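Review bot: The success branch at `log.WithFields(r.Context(), log.Fields{"id_token": idToken})` writes the whole verified token object to the log, and if `cfg.Provider` is go-oidc's `*oidc.Provider` (the `VerifierContext`/`Verify` calls match that API) the object carries the subject, nonce, access-token hash and other claims, so every authenticated request would leave identity material in log storage; log only the minimum needed for correlation, e.g. `log.WithFields(r.Context(), log.Fields{"issuer": idToken.Issuer, "subject": idToken.Subject})`, confirming those fields exist on the project's token type. The error branches at the cookie decode and at `verifier.Verify` are fine as written since they log only the error, but note that both fall through to the unconditional `next.ServeHTTP(w, r)` at the bottom, so a tampered or expired cookie is not rejected here and downstream handlers must check for the value under `key.IDToken` themselves. That contract should be stated on the exported middleware, since neither `TokenParser` nor `IDToken` has a doc comment: `// IDToken verifies the OIDC ID token found by the registered parsers and, on success, stores it in the request context under key.IDToken; it never rejects a request, so handlers that require authentication must check for the token's presence.` A one-line comment on `IDTokenFromSessionCookie` noting that it deliberately returns "" when the "session" cookie is absent or duplicated would make the `len(cookies) != 1` guard's intent clear.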