diff --git a/WIP.md b/WIP.md index 58154edc93..4b8e730820 100644 --- a/WIP.md +++ b/WIP.md @@ -96,9 +96,15 @@ step below is meant to be one focused, compilable, testable commit. expiry is checked on `load` (no mtime/background-cleanup reliance). Added `tempfile` dev-dep. 5 tests. DEFERRED: writable-path validation + periodic cleanup sweep (Go's `NewStore`/ `CleanupManager`) — not needed for correctness given load-time expiry. -- [ ] **B6.** Extend `Application` to hold the `SessionStore` (enum), cookie signing key, +- [x] **B6.** Extend `Application` to hold the `SessionStore` (enum), cookie signing key, `OidcEndpoint`, backchannel `reqwest` client; wire in `Application::new`. Also add the `host_browser` config field (needed by `OidcEndpoint`, see A3). Compiles, no behavior change. + Done: added `host_browser: Option` to config schema (`AUTHENTIK_HOST_BROWSER`); + `Application` now holds `endpoint: OidcEndpoint` (built from outpost `config["authentik_host"]` + + `host_browser` + `is_embedded`) and `session_store: SessionStore` (filesystem, `temp_dir()`). + DEFERRED to B7: cookie signing key (needs axum-extra). DEFERRED to C10/C13: backchannel + `reqwest` client (needs Host-override) and `session_max_age` from `access_token_validity` + (avoids an f64→int `as` cast until it's actually used). - [ ] **B7.** Add `axum-extra` cookie support; signed session-ID cookie read/issue helper with per-provider domain/secure/samesite/path/maxage (mirror `getStore` options). diff --git a/packages/ak-common/src/config/schema.rs b/packages/ak-common/src/config/schema.rs index 3c8a2cb3fb..88017d24b2 100644 --- a/packages/ak-common/src/config/schema.rs +++ b/packages/ak-common/src/config/schema.rs @@ -60,6 +60,7 @@ pub struct Config { // Outpost specific fields pub host: Option, + pub host_browser: Option, pub token: Option, pub insecure: Option, } diff --git a/src/outpost/proxy/application/mod.rs b/src/outpost/proxy/application/mod.rs index 669421cec1..fec13c0ad1 100644 
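Review bot: `host_browser` is added to the public `Config` struct without a doc comment, and nothing in this hunk says how it differs from the neighbouring `host`; a reader has to dig through the WIP notes to learn it is the browser-facing authentik URL read from `AUTHENTIK_HOST_BROWSER`. I would add `/// Browser-facing authentik URL (AUTHENTIK_HOST_BROWSER), handed to OidcEndpoint for user-facing redirects; unset or empty leaves the browser host to OidcEndpoint's default.` above the field — the second half is my reading of the WIP notes, so confirm it against `OidcEndpoint::new` before committing the wording. Since this value ends up in URLs sent to browsers, a note that it is expected to be an absolute `https://` origin would also help operators. The `Config` struct's definition starts outside the hunk.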
--- a/src/outpost/proxy/application/mod.rs
+++ b/src/outpost/proxy/application/mod.rs
@@ -1,13 +1,17 @@
 use std::sync::Arc;
 
 use ak_client::models::{ProxyMode, ProxyOutpostConfig};
-use ak_common::tls::store::Certificate;
+use ak_common::{config, tls::store::Certificate};
 use axum::{Router, routing::any};
 use eyre::{Result, eyre};
 use tracing::instrument;
 use url::Url;
 
-use crate::outpost::proxy::ProxyOutpost;
+use crate::outpost::proxy::{
+    ProxyOutpost,
+    endpoint::OidcEndpoint,
+    session::{SessionStore, filesystem::FsSessionStore},
+};
 
 pub(super) mod handlers;
 
@@ -17,6 +21,8 @@ pub(super) struct Application {
     pub(super) provider: ProxyOutpostConfig,
     pub(super) router: Router>,
     pub(super) cert: Option>,
+    pub(super) endpoint: OidcEndpoint,
+    pub(super) session_store: SessionStore,
 }
 
 impl Application {
@@ -41,6 +47,29 @@ impl Application {
             None
         };
 
+        let embedded = outpost.controller.is_embedded();
+        let authentik_host = outpost
+            .controller
+            .outpost
+            .load()
+            .config
+            .get("authentik_host")
+            .and_then(serde_json::Value::as_str)
+            .and_then(|raw| Url::parse(raw).ok());
+        let host_browser = config::get()
+            .host_browser
+            .as_deref()
+            .filter(|raw| !raw.is_empty())
+            .and_then(|raw| Url::parse(raw).ok());
+        let endpoint = OidcEndpoint::new(
+            &provider.oidc_configuration,
+            authentik_host.as_ref(),
+            host_browser.as_ref(),
+            embedded,
+        );
+
+        let session_store = SessionStore::Filesystem(FsSessionStore::new(std::env::temp_dir()));
+
         let router = Router::new()
             // TODO: /start
             .route(
@@ -79,6 +108,8 @@ impl Application {
             provider,
             router,
             cert,
+            endpoint,
+            session_store,
         })
     }
 }
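Review bot: The two new `Application` fields carry no doc comment, while the struct's other fields at least have self-explanatory names; `endpoint` in particular does not say what kind of endpoint it is. I would add `/// OIDC endpoints resolved for this provider; the WIP notes say these are split into browser-facing and backchannel hosts — confirm against OidcEndpoint.` above `endpoint`, and `/// Per-application session storage; currently filesystem-backed under the OS temp dir (see Application::new).` above `session_store`. The `Application` struct starts outside this hunk.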
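Review bot: `Url::parse(raw).ok()` at the end of both the `authentik_host` and `host_browser` chains turns a malformed URL into `None`, so a typo in `AUTHENTIK_HOST_BROWSER` (or a bad `authentik_host` pushed by the server) silently changes which host `OidcEndpoint` hands to browsers — and, if it also drives token traffic, where that traffic goes — instead of failing `Application::new`, which already returns `Result` and has `eyre!` in scope. For the operator-supplied value I would fail loudly by replacing the last `.and_then` with `.map(|raw| Url::parse(raw).map_err(|e| eyre!("invalid AUTHENTIK_HOST_BROWSER {raw:?}: {e}"))).transpose()?`, and at minimum emit a `tracing::warn!` when `authentik_host` does not parse. Separately, `FsSessionStore::new(std::env::temp_dir())` stores session state in the shared OS temp directory (also steerable via `TMPDIR`); unless `FsSessionStore`, defined elsewhere, creates its files with owner-only permissions, other local users can read session contents, so consider a dedicated subdirectory created with mode 0700 or an explicitly configured path — the WIP notes already defer writable-path validation, and this is the reason not to defer it long. `Application::new` starts and ends outside this hunk.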