Commit graph

4 commits

Author SHA1 Message Date
Snider
d279343491 feat(authentik): add RequireAuth and RequireGroup middleware
Add two route-level middleware helpers for enforcing authentication and
group membership. RequireAuth returns 401 when no user is in context.
RequireGroup returns 401 for unauthenticated requests and 403 when the
user lacks the specified group. Both use UK English error codes
("unauthorised", "forbidden") consistent with existing bearer auth.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-20 16:43:55 +00:00
Snider
5cba2f2cd4 feat(authentik): add OIDC JWT validation middleware
Add JWT validation as a second authentication block in the Authentik
middleware. Direct API clients can now send Authorization: Bearer <jwt>
tokens validated via OIDC discovery (coreos/go-oidc). Forward-auth
headers take priority; JWT is only attempted when no user was extracted
from headers. Validation is permissive — failures continue without a
user context. OIDC providers are cached per issuer to avoid repeated
discovery.

Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-20 16:42:23 +00:00
Snider
d760e77e49 feat(authentik): add header extraction middleware and WithAuthentik option
Add permissive forward-auth middleware that extracts user identity from
X-authentik-* headers when TrustedProxy is enabled. Headers are ignored
when TrustedProxy is false to prevent spoofing from untrusted sources.

- GetUser(c) helper retrieves AuthentikUser from Gin context
- authentikMiddleware splits groups/entitlements on pipe delimiter
- /health and /swagger bypass header extraction
- WithAuthentik option wires middleware into the Engine

Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-20 16:38:13 +00:00
Snider
6cd3b7e7e0 feat(authentik): add AuthentikUser and AuthentikConfig types
Introduce core types for the Authentik forward-auth integration:
- AuthentikConfig with Issuer, ClientID, TrustedProxy, PublicPaths
- AuthentikUser with Username, Email, Name, UID, Groups, Entitlements, JWT
- HasGroup helper for group membership checks

Co-Authored-By: Virgil <virgil@lethean.io>
2026-02-20 16:36:38 +00:00
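
The behaviour these four commit messages describe (identity headers honoured only when TrustedProxy is enabled, pipe-delimited groups, 401 for no user and 403 for a missing group) is sketched below as an added example. It is not the repository's code: it uses net/http instead of Gin, and `Extract`, `User`, `ctxKey`, `Status`, the `admins` group and the sample users are hypothetical names and constructed inputs. `X-authentik-username` and `X-authentik-groups` are the header names Authentik's proxy provider sends.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)

type ctxKey struct{}
// User is a hypothetical stand-in for the AuthentikUser type named in the commits.
type User struct{ Username string; Groups []string }

// Extract is permissive: it never rejects, and reads identity headers only when trustedProxy is set.
func Extract(trustedProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if name := r.Header.Get("X-authentik-username"); trustedProxy && name != "" {
			groups := strings.FieldsFunc(r.Header.Get("X-authentik-groups"), func(c rune) bool { return c == '|' })
			r = r.WithContext(context.WithValue(r.Context(), ctxKey{}, &User{name, groups}))
		}
		next.ServeHTTP(w, r)
	})
}

// RequireGroup answers 401 when no user is in context and 403 when the group is missing.
func RequireGroup(group string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, _ := r.Context().Value(ctxKey{}).(*User); u == nil {
			http.Error(w, "unauthorised", http.StatusUnauthorized)
		} else if !slices.Contains(u.Groups, group) {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// Status sends one constructed request through Extract and RequireGroup("admins").
func Status(trustedProxy bool, user, groups string) int {
	req, rec := httptest.NewRequest("GET", "/admin", nil), httptest.NewRecorder()
	req.Header.Set("X-authentik-username", user)
	req.Header.Set("X-authentik-groups", groups)
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	Extract(trustedProxy, RequireGroup("admins", ok)).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(Status(true, "alice", "users|admins"), Status(true, "bob", "users"), Status(false, "alice", "users|admins")) }
```

The third call carries the same headers as the first but with the trusted-proxy flag off, so the claimed identity is ignored and the route gate answers 401.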