Feat/OIDC middleware (#50)

* implement OIDC middleware

* auth code cleanup

* allow override allowed_user in middleware, fix typos

* fix tests and callbackURL

* update next release docs

* fix OIDC middleware not working with Authentik

* feat: add groups support for OIDC claims (#41)

Allow users to specify allowed groups in the env and use it to inspect the claims.

This performs a logical AND of users and groups (additive).

* merge feat/oidc-middleware (#49)

* api: enrich provider statistifcs

* fix: docker monitor now uses container status

* Feat/auto schemas (#48)

* use auto generated schemas

* go version bump and dependencies upgrade

* clarify some error messages

---------

Co-authored-by: yusing <yusing@6uo.me>

* cleanup some loadbalancer code

* api: cleanup websocket code

* api: add /v1/health/ws for health bubbles on dashboard

* feat: experimental memory logger and logs api for WebUI

---------

Co-authored-by: yusing <yusing@6uo.me>

---------

Co-authored-by: yusing <yusing@6uo.me>
Co-authored-by: Peter Olds <peter@olds.co>

internal/api/v1/auth/userpass_test.go

@@ -0,0 +1,116 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	E "github.com/yusing/go-proxy/internal/error"
+	. "github.com/yusing/go-proxy/internal/utils/testing"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func newMockUserPassAuth() *UserPassAuth {
+	return &UserPassAuth{
+		username: "username",
+		pwdHash:  E.Must(bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)),
+		secret:   []byte("abcdefghijklmnopqrstuvwxyz"),
+		tokenTTL: time.Hour,
+	}
+}
+
+func TestUserPassValidateCredentials(t *testing.T) {
+	auth := newMockUserPassAuth()
+	err := auth.validatePassword("username", "password")
+	ExpectNoError(t, err)
+	err = auth.validatePassword("username", "wrong-password")
+	ExpectError(t, ErrInvalidPassword, err)
+	err = auth.validatePassword("wrong-username", "password")
+	ExpectError(t, ErrInvalidUsername, err)
+}
+
+func TestUserPassCheckToken(t *testing.T) {
+	auth := newMockUserPassAuth()
+	token, err := auth.NewToken()
+	ExpectNoError(t, err)
+	tests := []struct {
+		token   string
+		wantErr bool
+	}{
+		{
+			token:   token,
+			wantErr: false,
+		},
+		{
+			token:   "invalid-token",
+			wantErr: true,
+		},
+		{
+			token:   "",
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		req := &http.Request{Header: http.Header{}}
+		if tt.token != "" {
+			req.Header.Set("Cookie", auth.TokenCookieName()+"="+tt.token)
+		}
+		err = auth.CheckToken(req)
+		if tt.wantErr {
+			ExpectTrue(t, err != nil)
+		} else {
+			ExpectNoError(t, err)
+		}
+	}
+}
+
+func TestUserPassLoginCallbackHandler(t *testing.T) {
+	type cred struct {
+		User string `json:"username"`
+		Pass string `json:"password"`
+	}
+	auth := newMockUserPassAuth()
+	tests := []struct {
+		creds   cred
+		wantErr bool
+	}{
+		{
+			creds: cred{
+				User: "username",
+				Pass: "password",
+			},
+			wantErr: false,
+		},
+		{
+			creds: cred{
+				User: "username",
+				Pass: "wrong-password",
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		w := httptest.NewRecorder()
+		req := &http.Request{
+			Host: "app.example.com",
+			Body: io.NopCloser(bytes.NewReader(E.Must(json.Marshal(tt.creds)))),
+		}
+		auth.LoginCallbackHandler(w, req)
+		if tt.wantErr {
+			ExpectEqual(t, w.Code, http.StatusUnauthorized)
+		} else {
+			setCookie := E.Must(http.ParseSetCookie(w.Header().Get("Set-Cookie")))
+			ExpectTrue(t, setCookie.Name == auth.TokenCookieName())
+			ExpectTrue(t, setCookie.Value != "")
+			ExpectEqual(t, setCookie.Domain, "example.com")
+			ExpectEqual(t, setCookie.Path, "/")
+			ExpectEqual(t, setCookie.SameSite, http.SameSiteLaxMode)
+			ExpectEqual(t, setCookie.HttpOnly, true)
+			ExpectEqual(t, w.Code, http.StatusOK)
+		}
+	}
+}