feat: add plugins for checking cookie session
kespinola committed Feb 20, 2023
1 parent ea05eae commit cdebcfe
Showing 6 changed files with 177 additions and 29 deletions.
2 changes: 1 addition & 1 deletion charts/hub-gateway/Chart.yaml
Expand Up @@ -18,7 +18,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: "0.4.0"
version: "0.5.0"

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
28 changes: 6 additions & 22 deletions charts/hub-gateway/plugins/kratos.lua
Expand Up @@ -66,32 +66,17 @@ local schema = {

local _M = {
version = 0.1,
priority = 1030,
name = "kratos",
priority = 2,
name = "session",
schema = schema
}

function _M.check_schema(conf)
return core.schema.check(schema, conf)
end

local function build_json_error(code, status, reason)

core.response.set_header(ctx, "content", "application/json")
local res = {
error = {
code = code,
status = status,
reason = reason
}
}
return json.encode(res)
end

function _M.access(conf, ctx)
local ret_code
local headers = core.request.headers()
local method_name = ngx.req.get_method()

local session_cookie_name = string.lower(conf.session_cookie_name or "ory_kratos_session")
local cookie_header = string.lower("cookie_" .. session_cookie_name)
Expand All @@ -101,7 +86,6 @@ function _M.access(conf, ctx)
local session_token = headers[session_cookie_name] or cookie_value

if not session_token then
local res = build_json_error(ret_code, "Unauthorized", "Missing " .. session_cookie_name .. " header or cookie")
return
end

Expand Down Expand Up @@ -157,10 +141,10 @@ function _M.access(conf, ctx)
-- Expose user id on $kratos_user_id variable
-- Expose user email on $kratos_user_email variable
if conf.expose_user_id then
core.request.set_header(ctx, "x-user-id", data.identity.id)
core.response.set_header("x-user-id", data.identity.id)
core.request.set_header(ctx, "x-user-email", data.identity.traits.email)
core.response.set_header("x-user-email", data.identity.traits.email)
core.request.set_header(ctx, "X-USER-ID", data.identity.id)
core.response.set_header("X-USER-ID", data.identity.id)
core.request.set_header(ctx, "X-USER-EMAIL", data.identity.traits.email)
core.response.set_header("X-USER-EMAIL", data.identity.traits.email)
core.ctx.register_var("kratos_user_id", function(ctx)
return data.identity.id
end)
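Review bot: The no-session branch in the second hunk (`if not session_token then return end`) now forwards the request untouched, which leaves any client-supplied `X-USER-ID` / `X-USER-EMAIL` request headers in place; the new session-json and session-redirect plugins, and presumably the upstream, read exactly those headers, so an unauthenticated caller can satisfy them by sending the header themselves. Clear the identity headers before returning, e.g. `ngx.req.clear_header("X-USER-ID")` and `ngx.req.clear_header("X-USER-EMAIL")`, so that only this plugin can ever populate them. `headers[session_cookie_name] or cookie_value` also accepts the session token from a request header named after the cookie, not just from the cookie itself; if that is intended it deserves a one-line comment saying so. `_M.access` continues past the hunk, so anything done later in the function is not visible here.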
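--- a/charts/hub-gateway/plugins/session-json.lua
+++ b/charts/hub-gateway/plugins/session-json.lua
@@ -0,0 +1,50 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+type = "object",
+properties = {}
+}
+
+local _M = {
+version = 0.1,
+priority = 1,
+name = "session-json",
+schema = schema
+}
+
+function _M.check_schema(conf)
+return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+local user_id = core.request.header(ctx, "X-USER-ID")
+local uri = ctx.var.uri
+
+if not user_id then
+core.response.set_header("Content-Type", "application/json")
+
+return 403, {
+message = "no valid session"
+}
+end
+end
+
+return _M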
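Review bot: The gate `local user_id = core.request.header(ctx, "X-USER-ID")` trusts a request header the client can set, so unless every route that runs this plugin also runs the kratos plugin ahead of it and that plugin strips or overwrites the header on the no-session path, a request with no session cookie but a forged `X-USER-ID` passes the check. The kratos plugin registers `kratos_user_id` through `core.ctx.register_var`, which the client cannot influence; if that is reachable as `ctx.var.kratos_user_id` (as APISIX ctx vars normally are), `local user_id = ctx.var.kratos_user_id` is the safer source. `uri`, `http` and `json` are unused and should be dropped, and a missing session is conventionally a 401 rather than a 403. A header comment such as `-- Rejects requests that carry no authenticated session with a JSON 403; relies on the kratos plugin having run first.` would document the ordering dependency.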
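--- a/charts/hub-gateway/plugins/session-redirect.lua
+++ b/charts/hub-gateway/plugins/session-redirect.lua
@@ -0,0 +1,63 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+type = "object",
+properties = {
+login_uri = {
+type = "string"
+},
+redirect_to = {
+type = "boolean",
+default = false
+}
+},
+require = {"login_uri"}
+}
+
+local _M = {
+version = 0.1,
+priority = 1,
+name = "session-redirect",
+schema = schema
+}
+
+function _M.check_schema(conf)
+return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+local redirect_to = conf.redirect_to
+local user_id = core.request.header(ctx, "X-USER-ID")
+local uri = ctx.var.uri
+local redirect_uri = conf.login_uri
+
+if redirect_to then
+redirect_uri = redirect_uri .. "?return_to=" .. uri
+end
+
+if not user_id then
+core.response.set_header("Location", redirect_uri)
+
+return 302, "Unauthorized please login"
+end
+end
+
+return _M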
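Review bot: The schema spells the JSON Schema keyword as `require = {"login_uri"}` instead of `required`, so `login_uri` is never enforced and a route configured without it fails at `redirect_uri .. "?return_to=" .. uri` with a nil-concatenation error (or sends a nil `Location`). The `return_to` value is also appended raw; use `ngx.escape_uri(uri)` so a path containing `&`, `#` or `?` cannot alter or truncate the query, and consider `ctx.var.request_uri` if the original query string is meant to survive the round trip. As in session-json, `core.request.header(ctx, "X-USER-ID")` is a client-controlled header, whereas the kratos plugin's registered `kratos_user_id` variable would be a non-spoofable source. `http` and `json` are imported but unused.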
14 changes: 13 additions & 1 deletion charts/hub-gateway/templates/apisixroute.yaml
Expand Up @@ -2,6 +2,7 @@
{{- $namespace := .Values.hubNamespace -}}
{{- $domain := .Values.domain -}}
{{- $sessionCookie := .Values.sessionCookieName -}}
{{- $loginUri := .Values.loginUri -}}
{{- with .Values.routes }}
{{- range . }}
apiVersion: apisix.apache.org/v2
Expand All @@ -26,7 +27,8 @@ spec:
methods:
{{- .methods | toYaml | nindent 8 }}
plugins:
{{- if .setUserHeader }}
{{- with .kratos }}
{{- if .enabled | default false }}
- name: kratos
enable: true
config:
Expand All @@ -35,6 +37,16 @@ spec:
expose_user_id: true
session_cookie_name: {{ $sessionCookie }}
{{- end }}
{{- end }}
{{- with .sessionRedirect }}
{{- if .enabled }}
- name: session-redirect
enable: true
config:
login_uri: {{ $loginUri }}
redirect_to: {{ .redirectTo | default false }}
{{- end }}
{{- end }}
{{- if .regexUri }}
- name: proxy-rewrite
enable: true
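Review bot: The template wires `kratos` and `sessionRedirect` but nothing consumes a route's `sessionJson` key, so the `sessionJson: enabled: true` set on one of the api routes in values.yaml renders no plugin, and that route gets no session enforcement even though the kratos plugin lets sessionless requests through. Add a block mirroring the `sessionRedirect` one so the new session-json plugin is actually attached. Rendering `login_uri: {{ $loginUri | quote }}` would also keep the YAML valid for any URL value an operator supplies.
```yaml
      # … unchanged: kratos and sessionRedirect plugin blocks …
      {{- with .sessionJson }}
      {{- if .enabled }}
      - name: session-json
        enable: true
      {{- end }}
      {{- end }}
      # … unchanged: proxy-rewrite block …
```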
49 changes: 44 additions & 5 deletions charts/hub-gateway/values.yaml
Expand Up @@ -2,6 +2,7 @@ hubNamespace: default
domain: 127.0.0.1.nip.io
port: 9080
sessionCookieName: "hub_session"
loginUri: "http://hub.127.0.0.1.nip.io:9080/login"

routes:
- name: api
Expand All @@ -13,7 +14,8 @@ routes:
methods:
- POST
- OPTIONS
setUserHeader: true
kratos:
enabled: true
regexUri:
- "/graphql"
- "/"
Expand All @@ -27,7 +29,8 @@ routes:
methods:
- POST
- OPTIONS
setUserHeader: true
kratos:
enabled: true
regexUri:
- "/graphql"
- "/"
Expand All @@ -41,7 +44,10 @@ routes:
methods:
- POST
- OPTIONS
setUserHeader: true
kratos:
enabled: true
sessionJson:
enabled: true
regexUri:
- "/graphql"
- "/"
Expand All @@ -55,13 +61,19 @@ routes:
- /browser/organizations/*
methods:
- POST
setUserHeader: true
kratos:
enabled: true
sessionRedirect:
enabled: true

- name: ui-private
subdomain: hub
serviceName: hub
servicePort: 80
setUserHeader: true
kratos:
enabled: true
sessionRedirect:
enabled: true
methods:
- GET
paths:
Expand All @@ -70,12 +82,27 @@ routes:
- /webhooks/*
- /members
- /members/*
- /organizations
- /organizations/new
- /projects
- /projects/*
- /treasuries
- /treasuries/*

- name: ui-private-invite
subdomain: hub
serviceName: hub
servicePort: 80
kratos:
enabled: true
sessionRedirect:
enabled: true
redirectTo: true
methods:
- GET
paths:
- /invites/*

- name: ui-public
subdomain: hub
serviceName: hub
Expand Down Expand Up @@ -103,6 +130,12 @@ apisixPlugins:
servicePort: 80
files:
- plugins/kratos.lua
sessionRedirect:
files:
- plugins/session-redirect.lua
sessionJson:
files:
- plugins/session-json.lua

apisix:
enabled: true
Expand Down Expand Up @@ -158,6 +191,8 @@ apisix:

plugins:
- kratos
- session-redirect
- session-json
- mocking
- cors
- redirect
Expand All @@ -175,6 +210,10 @@ apisix:
mounts:
- key: "kratos.lua"
path: "/opts/custom_plugins/apisix/plugins/kratos.lua"
- key: "session-redirect.lua"
path: "/opts/custom_plugins/apisix/plugins/session-redirect.lua"
- key: "session-json.lua"
path: "/opts/custom_plugins/apisix/plugins/session-json.lua"

logs:
enableAccessLog: true
