Support OAuth SubPath Ingress

Signed-off-by: Frank Jogeleit <[email protected]>

backend/pkg/auth/middleware.go

@@ -21,56 +21,58 @@ func Provider(provider string) gin.HandlerFunc {
 	}
 }
 
-func Valid(ctx *gin.Context) {
-	providerName, err := gothic.GetProviderName(ctx.Request)
-	if err != nil {
-		zap.L().Error("failed to get provider name", zap.Error(err))
-		ctx.AbortWithError(http.StatusPreconditionFailed, errors.New("provider name not avaialable in request"))
-		return
-	}
+func Valid(basePath string) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		providerName, err := gothic.GetProviderName(ctx.Request)
+		if err != nil {
+			zap.L().Error("failed to get provider name", zap.Error(err))
+			ctx.AbortWithError(http.StatusPreconditionFailed, errors.New("provider name not avaialable in request"))
+			return
+		}
 
-	provider, err := goth.GetProvider(providerName)
-	if err != nil {
-		zap.L().Error("failed to get requested provider", zap.Error(err))
-		ctx.AbortWithError(http.StatusPreconditionFailed, errors.New("provider not available"))
-		return
-	}
+		provider, err := goth.GetProvider(providerName)
+		if err != nil {
+			zap.L().Error("failed to get requested provider", zap.Error(err))
+			ctx.AbortWithError(http.StatusPreconditionFailed, errors.New("provider not available"))
+			return
+		}
 
-	profile := ProfileFrom(ctx)
-	if profile == nil {
-		zap.L().Error("profile not found", zap.Error(err))
+		profile := ProfileFrom(ctx)
+		if profile == nil {
+			zap.L().Error("profile not found", zap.Error(err))
 
-		logout(ctx)
-		ctx.Redirect(http.StatusTemporaryRedirect, "/login")
-		return
-	}
+			logout(ctx)
+			ctx.Redirect(http.StatusTemporaryRedirect, basePath+"login")
+			return
+		}
 
-	session := sessions.Default(ctx)
+		session := sessions.Default(ctx)
 
-	sess := ProviderSession(providerName, profile)
-	if sess == nil {
-		zap.L().Error("could not create session from profile", zap.Error(err))
+		sess := ProviderSession(providerName, profile)
+		if sess == nil {
+			zap.L().Error("could not create session from profile", zap.Error(err))
 
-		logout(ctx)
-		ctx.Redirect(http.StatusTemporaryRedirect, "/login")
-		return
-	}
+			logout(ctx)
+			ctx.Redirect(http.StatusTemporaryRedirect, basePath+"login")
+			return
+		}
 
-	user, err := provider.FetchUser(sess)
-	if err != nil {
-		zap.L().Error("failed to validate session", zap.Error(err))
+		user, err := provider.FetchUser(sess)
+		if err != nil {
+			zap.L().Error("failed to validate session", zap.Error(err))
 
-		logout(ctx)
-		ctx.Redirect(http.StatusTemporaryRedirect, "/login")
-		return
-	}
+			logout(ctx)
+			ctx.Redirect(http.StatusTemporaryRedirect, basePath+"login")
+			return
+		}
 
-	session.Set("profile", NewProfile(user))
-	if err := session.Save(); err != nil {
-		zap.L().Error("failed to save profile session", zap.Error(err))
-	}
+		session.Set("profile", NewProfile(user))
+		if err := session.Save(); err != nil {
+			zap.L().Error("failed to save profile session", zap.Error(err))
+		}
 
-	ctx.Next()
+		ctx.Next()
+	}
 }
 
 func Auth(basePath string) gin.HandlerFunc {

backend/pkg/config/config.go

@@ -229,3 +229,11 @@ type Config struct {
 func (c *Config) AuthEnabled() bool {
 	return c.OAuth.Enabled || c.OpenIDConnect.Enabled
 }
+
+func (c *Config) AuthBasePath() string {
+	if c.OAuth.Enabled {
+		return c.OAuth.BasePath()
+	}
+
+	return c.OpenIDConnect.BasePath()
+}

backend/pkg/config/resolver.go

@@ -368,7 +368,7 @@ func (r *Resolver) Server(ctx context.Context) (*server.Server, error) {
 	if !r.config.UI.Disabled {
 		var uiMiddleware []gin.HandlerFunc
 		if r.config.AuthEnabled() {
-			uiMiddleware = append(uiMiddleware, auth.Valid)
+			uiMiddleware = append(uiMiddleware, auth.Valid(r.config.AuthBasePath()))
 		}
 
 		zap.L().Info("register UI", zap.String("path", r.config.UI.Path))

frontend/modules/core/components/UserMenu.vue

@@ -16,7 +16,7 @@
 const logout = () => {
   document.cookie.split(";").forEach((c) => { document.cookie = c.replace(/^ +/, "").replace(/=.*/, "=;expires=" + new Date().toUTCString() + ";path=/"); });
   // @ts-ignore
-  window.location = '/logout'
+  window.location = `${window.location.pathname || '/'}logout`
 }
 
 const { data: profile } = useAPI(api => api.profile())