feat(proxyd): add external authentication support and refactor auth handling #228
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ontext value assignment
… log level to debug
…nts for request handling
…nd authentication callback
…ing for auth_url resolution
…ging and add helper function to retrieve map keys
… server creation and context population
…ctions, fix error handling in performAuthCallback for failed auth
0xAlec
reviewed
Mar 25, 2025
proxyd/server.go
Outdated
Comment on lines
623
to
624
| s.srvMu.Lock() | ||
| defer s.srvMu.Unlock() |
There was a problem hiding this comment.
do you need this mutex here? what concurrent access is there in this function?
0xAlec
reviewed
Mar 25, 2025
proxyd/server.go
Outdated
Comment on lines
663
to
673
| func (s *Server) performAuthCallback(r *http.Request, apiKey string, authURL string) (string, error) { | ||
| authReqBody := map[string]string{ | ||
| "id": apiKey, | ||
| } | ||
|
|
||
| // Marshal the auth request to JSON | ||
| jsonBody, err := json.Marshal(authReqBody) | ||
| if err != nil { | ||
| log.Error("performAuthCallback failed to marshal request", "err", err) | ||
| return "", fmt.Errorf("failed to marshal auth request: %w", err) | ||
| } |
There was a problem hiding this comment.
too implementation specific, just forward the request as-is to the auth_url
0xAlec
reviewed
Mar 25, 2025
proxyd/server.go
Outdated
Comment on lines
705
to
725
| // Read response body for logging | ||
| body, err := io.ReadAll(resp.Body) | ||
| if err != nil { | ||
| log.Error("performAuthCallback failed to read response body", "err", err) | ||
| return "", fmt.Errorf("failed to read auth response: %w", err) | ||
| } | ||
|
|
||
| // Parse response to check authenticated status | ||
| var authResponse struct { | ||
| Authenticated bool `json:"authenticated"` | ||
| } | ||
| if err := json.Unmarshal(body, &authResponse); err != nil { | ||
| log.Error("performAuthCallback failed to decode response", | ||
| "err", err) | ||
| return "", fmt.Errorf("failed to decode auth response: %w", err) | ||
| } | ||
|
|
||
| if !authResponse.Authenticated { | ||
| log.Error("performAuthCallback authentication failed") | ||
| return "", fmt.Errorf("authentication failed") | ||
| } |
There was a problem hiding this comment.
i dont think this logic is necessary, just reject if response is 401 otherwise fail open
added 3 commits
March 26, 2025 07:09
chunter-cb
reviewed
Mar 26, 2025
proxyd/server.go
Outdated
| req.Header = r.Header | ||
|
|
||
| // Make the request | ||
| client := &http.Client{Timeout: 5 * time.Second} |
There was a problem hiding this comment.
can store a http client instead of creating a new one each time
chunter-cb
reviewed
Mar 26, 2025
proxyd/server.go
Outdated
| } | ||
|
|
||
| // Copy original headers | ||
| req.Header = r.Header |
There was a problem hiding this comment.
Might be able to use Clone() instead here
chunter-cb
reviewed
Mar 26, 2025
proxyd/server.go
Outdated
| log.Error("performAuthCallback failed to read request body", "err", err) | ||
| return "", fmt.Errorf("failed to read request body: %w", err) | ||
| } | ||
| r.Body.Close() |
chunter-cb
suggested changes
Mar 26, 2025
chunter-cb
approved these changes
Apr 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implement authentication for RPC endpoints through authentication callback in proxyd. Proxyd will make an outgoing call to an auxiliary service for authentication instead of relying on hardcoded/environment values provided in the configuration file.
Tests
Please describe any tests you've added. If you've added no tests, or left important behavior untested, please explain why not.
Additional context
Add any other context about the problem you're solving.
Metadata