feat(oidc): support token refreshing via offline_access scope

- refactored code - moved api/v1/auth to auth/ - security enhancement - env example update - default jwt ttl changed to 24 hours
2026-04-20 07:21:26 +02:00 · 2025-04-23 17:50:22 +08:00
parent 28c9a2e9d0
commit b815c6fd69
21 changed files with 668 additions and 310 deletions
--- a/internal/net/gphttp/middleware/oidc.go
+++ b/internal/net/gphttp/middleware/oidc.go
@@ -6,7 +6,7 @@ import (
 	"sync"
 	"sync/atomic"

-	"github.com/yusing/go-proxy/internal/api/v1/auth"
+	"github.com/yusing/go-proxy/internal/auth"
 	"github.com/yusing/go-proxy/internal/gperr"
 )

@@ -76,13 +76,17 @@ func (amw *oidcMiddleware) before(w http.ResponseWriter, r *http.Request) (proce
 		amw.auth.LogoutHandler(w, r)
 		return false
 	}
-	if err := amw.auth.CheckToken(r); err != nil {
-		if errors.Is(err, auth.ErrMissingToken) {
-			amw.auth.HandleAuth(w, r)
-		} else {
-			auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), auth.OIDCLogoutPath)
-		}
-		return false
+
+	err := amw.auth.CheckToken(r)
+	if err == nil {
+		return true
 	}
-	return true
+
+	switch {
+	case errors.Is(err, auth.ErrMissingToken):
+		amw.auth.HandleAuth(w, r)
+	default:
+		auth.WriteBlockPage(w, http.StatusForbidden, err.Error(), auth.OIDCLogoutPath)
+	}
+	return false
 }