load session store and signing key

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

WIP.md

@@ -96,9 +96,15 @@ step below is meant to be one focused, compilable, testable commit.
   expiry is checked on `load` (no mtime/background-cleanup reliance). Added `tempfile` dev-dep.
   5 tests. DEFERRED: writable-path validation + periodic cleanup sweep (Go's `NewStore`/
   `CleanupManager`) — not needed for correctness given load-time expiry.
-- [ ] **B6.** Extend `Application` to hold the `SessionStore` (enum), cookie signing key,
+- [x] **B6.** Extend `Application` to hold the `SessionStore` (enum), cookie signing key,
   `OidcEndpoint`, backchannel `reqwest` client; wire in `Application::new`. Also add the
   `host_browser` config field (needed by `OidcEndpoint`, see A3). Compiles, no behavior change.
+  Done: added `host_browser: Option<String>` to config schema (`AUTHENTIK_HOST_BROWSER`);
+  `Application` now holds `endpoint: OidcEndpoint` (built from outpost `config["authentik_host"]`
+  + `host_browser` + `is_embedded`) and `session_store: SessionStore` (filesystem, `temp_dir()`).
+  DEFERRED to B7: cookie signing key (needs axum-extra). DEFERRED to C10/C13: backchannel
+  `reqwest` client (needs Host-override) and `session_max_age` from `access_token_validity`
+  (avoids an f64→int `as` cast until it's actually used).
 - [ ] **B7.** Add `axum-extra` cookie support; signed session-ID cookie read/issue helper with
   per-provider domain/secure/samesite/path/maxage (mirror `getStore` options).
 

packages/ak-common/src/config/schema.rs

@@ -60,6 +60,7 @@ pub struct Config {
 
     // Outpost specific fields
     pub host: Option<String>,
+    pub host_browser: Option<String>,
     pub token: Option<String>,
     pub insecure: Option<bool>,
 }

src/outpost/proxy/application/mod.rs

@@ -1,13 +1,17 @@
 use std::sync::Arc;
 
 use ak_client::models::{ProxyMode, ProxyOutpostConfig};
-use ak_common::tls::store::Certificate;
+use ak_common::{config, tls::store::Certificate};
 use axum::{Router, routing::any};
 use eyre::{Result, eyre};
 use tracing::instrument;
 use url::Url;
 
-use crate::outpost::proxy::ProxyOutpost;
+use crate::outpost::proxy::{
+    ProxyOutpost,
+    endpoint::OidcEndpoint,
+    session::{SessionStore, filesystem::FsSessionStore},
+};
 
 pub(super) mod handlers;
 
@@ -17,6 +21,8 @@ pub(super) struct Application {
     pub(super) provider: ProxyOutpostConfig,
     pub(super) router: Router<Arc<Self>>,
     pub(super) cert: Option<Arc<Certificate>>,
+    pub(super) endpoint: OidcEndpoint,
+    pub(super) session_store: SessionStore,
 }
 
 impl Application {
@@ -41,6 +47,29 @@ impl Application {
             None
         };
 
+        let embedded = outpost.controller.is_embedded();
+        let authentik_host = outpost
+            .controller
+            .outpost
+            .load()
+            .config
+            .get("authentik_host")
+            .and_then(serde_json::Value::as_str)
+            .and_then(|raw| Url::parse(raw).ok());
+        let host_browser = config::get()
+            .host_browser
+            .as_deref()
+            .filter(|raw| !raw.is_empty())
+            .and_then(|raw| Url::parse(raw).ok());
+        let endpoint = OidcEndpoint::new(
+            &provider.oidc_configuration,
+            authentik_host.as_ref(),
+            host_browser.as_ref(),
+            embedded,
+        );
+
+        let session_store = SessionStore::Filesystem(FsSessionStore::new(std::env::temp_dir()));
+
         let router = Router::new()
             // TODO: /start
             .route(
@@ -79,6 +108,8 @@ impl Application {
             provider,
             router,
             cert,
+            endpoint,
+            session_store,
         })
     }
 }