2026-04-01 19:33:15 +02:00
|
|
|
package serve
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type contextKey string
|
|
|
|
|
|
|
|
|
|
const userContextKey contextKey = "ax_user"
|
|
|
|
|
|
|
|
|
|
// withSessionAuth wraps a handler with ax session token authentication.
|
|
|
|
|
// Auth endpoints (/auth/*) are passed through without a token check.
|
|
|
|
|
// All other requests must supply Authorization: Bearer <server_token>.
|
2026-06-12 01:54:08 +02:00
|
|
|
// If the token is not a valid OIDC session, agentLookup is tried as a fallback.
|
|
|
|
|
func withSessionAuth(ah *authHandler, agentLookup func(string) string, next http.Handler) http.Handler {
|
2026-04-01 19:33:15 +02:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if strings.HasPrefix(r.URL.Path, "/auth/") {
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
auth := r.Header.Get("Authorization")
|
|
|
|
|
if !strings.HasPrefix(auth, "Bearer ") {
|
|
|
|
|
writeError(w, http.StatusUnauthorized, "Bearer token required")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
token := strings.TrimPrefix(auth, "Bearer ")
|
|
|
|
|
username := ah.lookupSession(token)
|
2026-06-12 01:54:08 +02:00
|
|
|
if username == "" && agentLookup != nil {
|
|
|
|
|
username = agentLookup(token)
|
|
|
|
|
}
|
2026-04-01 19:33:15 +02:00
|
|
|
if username == "" {
|
|
|
|
|
writeError(w, http.StatusUnauthorized, "invalid or expired session; run 'ax login'")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
ctx := context.WithValue(r.Context(), userContextKey, username)
|
|
|
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func userFromContext(r *http.Request) string {
|
|
|
|
|
v, _ := r.Context().Value(userContextKey).(string)
|
|
|
|
|
return v
|
|
|
|
|
}
|
