v0.26.0

internal/net/gphttp/middleware/forwardauth.go

@@ -3,12 +3,14 @@ package middleware
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 
-	"github.com/yusing/godoxy/internal/route/routes"
+	entrypoint "github.com/yusing/godoxy/internal/entrypoint/types"
+	httpevents "github.com/yusing/goutils/events/http"
 	httputils "github.com/yusing/goutils/http"
 	"github.com/yusing/goutils/http/httpheaders"
 )
@@ -46,7 +48,7 @@ func (m *forwardAuthMiddleware) setup() {
 
 // before implements RequestModifier.
 func (m *forwardAuthMiddleware) before(w http.ResponseWriter, r *http.Request) (proceed bool) {
-	route, ok := routes.HTTP.Get(m.Route)
+	route, ok := entrypoint.FromCtx(r.Context()).HTTPRoutes().Get(m.Route)
 	if !ok {
 		ForwardAuth.LogWarn(r).Str("route", m.Route).Msg("forwardauth route not found")
 		w.WriteHeader(http.StatusInternalServerError)
@@ -92,6 +94,8 @@ func (m *forwardAuthMiddleware) before(w http.ResponseWriter, r *http.Request) (
 	defer resp.Body.Close()
 
 	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		defer httpevents.Blocked(r, "ForwardAuth", fmt.Sprintf("HTTP %d", resp.StatusCode))
+
 		body, release, err := httputils.ReadAllBody(resp)
 		defer release(body)
 
@@ -100,10 +104,23 @@ func (m *forwardAuthMiddleware) before(w http.ResponseWriter, r *http.Request) (
 			w.WriteHeader(http.StatusInternalServerError)
 			return false
 		}
-
 		httpheaders.CopyHeader(w.Header(), resp.Header)
 		httpheaders.RemoveHopByHopHeaders(w.Header())
 
+		isGet := r.Method == http.MethodGet
+		isWS := httpheaders.IsWebsocket(r.Header)
+		if !isGet || isWS {
+			reqType := r.Method
+			if isWS {
+				reqType = "WebSocket"
+			}
+			ForwardAuth.LogWarn(r).Msgf(
+				"[ForwardAuth] %s request rejected by auth upstream (HTTP %d).\nConsider adding bypass rule for this path if needed",
+				reqType,
+				resp.StatusCode,
+			)
+		}
+
 		loc, err := resp.Location()
 		if err != nil {
 			if !errors.Is(err, http.ErrNoLocation) {