feat: add OIDC authentication for server mode

2026-04-01 19:33:15 +02:00
parent 7bce56384f
commit 52a975b66d
13 changed files with 515 additions and 7 deletions
--- a/serve/oidc.go
+++ b/serve/oidc.go
@@ -0,0 +1,41 @@
+package serve
+
+import (
+	"context"
+	"net/http"
+	"strings"
+)
+
+type contextKey string
+
+const userContextKey contextKey = "ax_user"
+
+// withSessionAuth wraps a handler with ax session token authentication.
+// Auth endpoints (/auth/*) are passed through without a token check.
+// All other requests must supply Authorization: Bearer <server_token>.
+func withSessionAuth(ah *authHandler, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/auth/") {
+			next.ServeHTTP(w, r)
+			return
+		}
+		auth := r.Header.Get("Authorization")
+		if !strings.HasPrefix(auth, "Bearer ") {
+			writeError(w, http.StatusUnauthorized, "Bearer token required")
+			return
+		}
+		token := strings.TrimPrefix(auth, "Bearer ")
+		username := ah.lookupSession(token)
+		if username == "" {
+			writeError(w, http.StatusUnauthorized, "invalid or expired session; run 'ax login'")
+			return
+		}
+		ctx := context.WithValue(r.Context(), userContextKey, username)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func userFromContext(r *http.Request) string {
+	v, _ := r.Context().Value(userContextKey).(string)
+	return v
+}