chore(deps): bump golang.org/x/oauth2 to v0.20.0

cmd/traefik-simple-auth/traefik-simple-auth.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 	"github.com/clambin/traefik-simple-auth/internal/cmd"
-	"github.com/clambin/traefik-simple-auth/internal/server"
+	"github.com/clambin/traefik-simple-auth/internal/server/configuration"
 	"github.com/prometheus/client_golang/prometheus"
 	"os"
 	"os/signal"
@@ -17,7 +17,7 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
 	defer cancel()
 
-	cfg, err := server.GetConfiguration()
+	cfg, err := configuration.GetConfiguration()
 	if err == nil {
 		err = cmd.Run(ctx, cfg, prometheus.DefaultRegisterer, os.Stderr, version)
 	}

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/oauth2-proxy/mockoidc v0.0.0-20240214162133-caebfff84d25
 	github.com/prometheus/client_golang v1.19.0
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/oauth2 v0.19.0
+	golang.org/x/oauth2 v0.20.0
 )
 
 require (

go.sum

@@ -58,8 +58,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
-golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
+golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
+golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/cmd/run.go

@@ -4,7 +4,8 @@ import (
 	"context"
 	"errors"
 	"github.com/clambin/traefik-simple-auth/internal/server"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/internal/server/configuration"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/clambin/traefik-simple-auth/pkg/state"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -14,7 +15,7 @@ import (
 	"time"
 )
 
-func Run(ctx context.Context, cfg server.Configuration, registry prometheus.Registerer, logOutput io.Writer, version string) error {
+func Run(ctx context.Context, cfg configuration.Configuration, registry prometheus.Registerer, logOutput io.Writer, version string) error {
 	var opts slog.HandlerOptions
 	if cfg.Debug {
 		opts.Level = slog.LevelDebug

internal/cmd/run_test.go

@@ -3,7 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"github.com/clambin/traefik-simple-auth/internal/server"
+	"github.com/clambin/traefik-simple-auth/internal/server/configuration"
 	"github.com/clambin/traefik-simple-auth/internal/server/testutils"
 	"github.com/clambin/traefik-simple-auth/pkg/domains"
 	"github.com/clambin/traefik-simple-auth/pkg/whitelist"
@@ -28,7 +28,7 @@ func TestRun(t *testing.T) {
 		<-ctx.Done()
 		require.NoError(t, oidcServer.Shutdown())
 	}()
-	cfg := server.Configuration{
+	cfg := configuration.Configuration{
 		Debug:             true,
 		Addr:              ":8081",
 		PromAddr:          ":9091",
@@ -112,7 +112,7 @@ func TestRun_Fail(t *testing.T) {
 		<-ctx.Done()
 		require.NoError(t, oidcServer.Shutdown())
 	}()
-	cfg := server.Configuration{
+	cfg := configuration.Configuration{
 		Debug:             true,
 		Addr:              ":-1",
 		PromAddr:          ":-1",

internal/server/configuration.go → internal/server/configuration/configuration.go

@@ -1,4 +1,4 @@
-package server
+package configuration
 
 import (
 	"encoding/base64"

internal/server/configuration_test.go → internal/server/configuration/configuration_test.go

@@ -1,4 +1,4 @@
-package server
+package configuration
 
 import (
 	"github.com/clambin/traefik-simple-auth/pkg/domains"

internal/server/extractor.go → internal/server/extractor/extractor.go

@@ -1,9 +1,9 @@
-package server
+package extractor
 
 import (
 	"context"
 	"errors"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"log/slog"
 	"net/http"
 )
@@ -17,7 +17,7 @@ func SessionExtractor(sessions sessions.Sessions, logger *slog.Logger) func(next
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if userSession, err := sessions.Validate(r); err == nil {
-				r = r.WithContext(context.WithValue(r.Context(), sessionKey, userSession))
+				r = WithSession(r, userSession)
 			} else if !errors.Is(err, http.ErrNoCookie) {
 				logger.Warn("received invalid session cookie", "err", err)
 			}
@@ -31,3 +31,7 @@ func GetSession(r *http.Request) (sessions.Session, bool) {
 	userSession, ok := r.Context().Value(sessionKey).(sessions.Session)
 	return userSession, ok
 }
+
+func WithSession(r *http.Request, userSession sessions.Session) *http.Request {
+	return r.WithContext(context.WithValue(r.Context(), sessionKey, userSession))
+}

internal/server/extractor_test.go → internal/server/extractor/extractor_test.go

@@ -1,7 +1,7 @@
-package server
+package extractor
 
 import (
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"log/slog"

internal/server/handlers.go

@@ -3,9 +3,11 @@ package server
 import (
 	"encoding/json"
 	"errors"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/internal/server/extractor"
+	"github.com/clambin/traefik-simple-auth/internal/server/logging"
 	"github.com/clambin/traefik-simple-auth/pkg/domains"
 	"github.com/clambin/traefik-simple-auth/pkg/oauth"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/clambin/traefik-simple-auth/pkg/state"
 	"github.com/clambin/traefik-simple-auth/pkg/whitelist"
 	"golang.org/x/oauth2"
@@ -20,7 +22,7 @@ import (
 // forwards the request to the originally requested destination.
 func ForwardAuthHandler(domains domains.Domains, oauthHandlers map[domains.Domain]oauth.Handler, states state.States[string], logger *slog.Logger) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		logger.Debug("request received", "request", loggedRequest(r))
+		logger.Debug("request received", "request", logging.Request(r))
 
 		// check that the request is for one of the configured domains
 		domain, ok := domains.Domain(r.URL)
@@ -31,7 +33,7 @@ func ForwardAuthHandler(domains domains.Domains, oauthHandlers map[domains.Domai
 		}
 
 		// validate that the request has a valid session cookie
-		if sess, ok := GetSession(r); ok {
+		if sess, ok := extractor.GetSession(r); ok {
 			logger.Debug("allowing valid request", slog.String("email", sess.Email))
 			w.Header().Set("X-Forwarded-User", sess.Email)
 			w.WriteHeader(http.StatusOK)
@@ -60,10 +62,10 @@ func ForwardAuthHandler(domains domains.Domains, oauthHandlers map[domains.Domai
 // This means that the user's next request has an invalid cookie, triggering a new oauth flow.
 func LogoutHandler(domains domains.Domains, sessionStore sessions.Sessions, logger *slog.Logger) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		logger.Debug("request received", "request", loggedRequest(r))
+		logger.Debug("request received", "request", logging.Request(r))
 
 		// remove the cached cookie
-		session, ok := GetSession(r)
+		session, ok := extractor.GetSession(r)
 		if !ok {
 			http.Error(w, "Invalid session", http.StatusUnauthorized)
 			return
@@ -74,7 +76,7 @@ func LogoutHandler(domains domains.Domains, sessionStore sessions.Sessions, logg
 
 		// Write a blank session cookie to override the current valid one.
 		domain, _ := domains.Domain(r.URL)
-		http.SetCookie(w, sessionStore.Cookie(sessions.Session{}, domain))
+		http.SetCookie(w, sessionStore.Cookie(sessions.Session{}, string(domain)))
 
 		http.Error(w, "You have been logged out", http.StatusUnauthorized)
 		logger.Info("user has been logged out", "user", session.Email)
@@ -94,7 +96,7 @@ func AuthCallbackHandler(
 	logger *slog.Logger,
 ) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		logger.Debug("request received", "request", loggedRequest(r))
+		logger.Debug("request received", "request", logging.Request(r))
 
 		// Look up the (random) state to find the final destination.
 		encodedState := r.URL.Query().Get("state")
@@ -134,7 +136,7 @@ func AuthCallbackHandler(
 
 		// GetUserEmailAddress successful. Create a session and redirect the user to the final destination.
 		session := sessions.Session(user)
-		http.SetCookie(w, sessions.Cookie(session, domain))
+		http.SetCookie(w, sessions.Cookie(session, string(domain)))
 
 		logger.Info("user logged in. redirecting ...", "user", user, "url", targetURL)
 		http.Redirect(w, r, targetURL, http.StatusTemporaryRedirect)

internal/server/logged-request.go → internal/server/logging/logged-request.go

@@ -1,4 +1,4 @@
-package server
+package logging
 
 import (
 	"log/slog"
@@ -10,7 +10,7 @@ var _ slog.LogValuer = request{}
 
 type request struct{ request *http.Request }
 
-func loggedRequest(r *http.Request) slog.LogValuer {
+func Request(r *http.Request) slog.LogValuer {
 	return request{request: r}
 }
 

internal/server/logged-request_test.go → internal/server/logging/logged-request_test.go

@@ -1,4 +1,4 @@
-package server
+package logging
 
 import (
 	"bytes"
@@ -15,7 +15,7 @@ func Test_loggedRequest(t *testing.T) {
 
 	var out bytes.Buffer
 	l := logtest.NewJSONLogger(&out, slog.LevelInfo)
-	l.Info("request", "r", loggedRequest(r))
+	l.Info("request", "r", Request(r))
 
 	want := `{"level":"INFO","msg":"request","r":{"url":"https://example.com/","X-Forwarded-For":"127.0.0.1:0"}}
 `

internal/server/metrics.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"github.com/clambin/go-common/http/metrics"
+	"github.com/clambin/traefik-simple-auth/internal/server/extractor"
 	"github.com/prometheus/client_golang/prometheus"
 	"net/http"
 	"strconv"
@@ -52,15 +53,15 @@ func NewMetrics(namespace, subsystem string, constLabels map[string]string, buck
 	}
 }
 
-func (m Metrics) Measure(req *http.Request, statusCode int, duration time.Duration) {
-	sess, _ := GetSession(req)
+func (m Metrics) Measure(r *http.Request, statusCode int, duration time.Duration) {
+	sess, _ := extractor.GetSession(r)
 	code := strconv.Itoa(statusCode)
-	path := req.URL.Path
+	path := r.URL.Path
 	if path != OAUTHPath && path != OAUTHPath+"/logout" {
 		path = "/"
 	}
-	m.requestCounter.WithLabelValues(sess.Email, req.URL.Host, path, code).Inc()
-	m.requestDuration.WithLabelValues(sess.Email, req.URL.Host, path, code).Observe(duration.Seconds())
+	m.requestCounter.WithLabelValues(sess.Email, r.URL.Host, path, code).Inc()
+	m.requestDuration.WithLabelValues(sess.Email, r.URL.Host, path, code).Observe(duration.Seconds())
 }
 
 func (m Metrics) Describe(ch chan<- *prometheus.Desc) {

internal/server/metrics_test.go

@@ -2,8 +2,8 @@ package server
 
 import (
 	"context"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
 	"github.com/clambin/traefik-simple-auth/internal/server/testutils"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
 	"net/http"

internal/server/routes.go

@@ -2,9 +2,10 @@ package server
 
 import (
 	"github.com/clambin/go-common/http/middleware"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/internal/server/extractor"
 	"github.com/clambin/traefik-simple-auth/pkg/domains"
 	"github.com/clambin/traefik-simple-auth/pkg/oauth"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/clambin/traefik-simple-auth/pkg/state"
 	"github.com/clambin/traefik-simple-auth/pkg/whitelist"
 	"log/slog"
@@ -40,7 +41,7 @@ func addRoutes(
 
 func forwardAuthMiddleware(sessions sessions.Sessions, m *Metrics, logger *slog.Logger) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return SessionExtractor(sessions, logger.With("middleware", "sessionExtractor"))( // extract & validate the session cookie from the request
+		return extractor.SessionExtractor(sessions, logger.With("middleware", "sessionExtractor"))( // extract & validate the session cookie from the request
 			withMetrics(m)( // measure request metrics
 				next,
 			),

internal/server/server.go

@@ -2,9 +2,10 @@ package server
 
 import (
 	"context"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/internal/server/configuration"
 	"github.com/clambin/traefik-simple-auth/pkg/domains"
 	"github.com/clambin/traefik-simple-auth/pkg/oauth"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/clambin/traefik-simple-auth/pkg/state"
 	"log/slog"
 	"net/http"
@@ -17,7 +18,7 @@ const OAUTHPath = "/_oauth"
 
 // New returns a new http.Handler that handles traefik's forward-auth requests, and the associated oauth flow.
 // It panics if config.Provider is invalid.
-func New(ctx context.Context, sessions sessions.Sessions, states state.States[string], config Configuration, metrics *Metrics, logger *slog.Logger) http.Handler {
+func New(ctx context.Context, sessions sessions.Sessions, states state.States[string], config configuration.Configuration, metrics *Metrics, logger *slog.Logger) http.Handler {
 	logger = logger.With("provider", config.Provider)
 
 	oauthHandlers := make(map[domains.Domain]oauth.Handler)
@@ -68,7 +69,7 @@ func makeAuthURL(authPrefix string, domain domains.Domain, OAUTHPath string) str
 }
 
 // traefikForwardAuthParser takes a request passed by traefik's forwardAuth middleware and reconstructs the original request.
-func traefikForwardAuthParser(logger *slog.Logger) func(next http.Handler) http.Handler {
+func traefikForwardAuthParser(_ *slog.Logger) func(next http.Handler) http.Handler {
 	//logger = logger.With("handler", "traefikForwardAuthParser")
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/server/server_test.go

@@ -2,9 +2,11 @@ package server
 
 import (
 	"context"
-	"github.com/clambin/traefik-simple-auth/internal/server/sessions"
+	"github.com/clambin/traefik-simple-auth/internal/server/configuration"
+	"github.com/clambin/traefik-simple-auth/internal/server/extractor"
 	"github.com/clambin/traefik-simple-auth/internal/server/testutils"
 	"github.com/clambin/traefik-simple-auth/pkg/domains"
+	"github.com/clambin/traefik-simple-auth/pkg/sessions"
 	"github.com/clambin/traefik-simple-auth/pkg/state"
 	"github.com/clambin/traefik-simple-auth/pkg/whitelist"
 	"github.com/oauth2-proxy/mockoidc"
@@ -26,7 +28,7 @@ func TestServer_Panics(t *testing.T) {
 				panics = true
 			}
 		}()
-		cfg := Configuration{
+		cfg := configuration.Configuration{
 			Provider: "foobar",
 			Domains:  domains.Domains{"example.com"},
 		}
@@ -96,7 +98,7 @@ func TestForwardAuthHandler(t *testing.T) {
 			r := testutils.ForwardAuthRequest(http.MethodGet, tt.args.target, "/")
 			w := httptest.NewRecorder()
 			if tt.args.session != nil {
-				r = r.WithContext(context.WithValue(r.Context(), sessionKey, *tt.args.session))
+				r = extractor.WithSession(r, *tt.args.session)
 			}
 
 			h.ServeHTTP(w, r)
@@ -120,7 +122,7 @@ func TestLogoutHandler(t *testing.T) {
 	t.Run("logging out clears the session cookie", func(t *testing.T) {
 		r := testutils.ForwardAuthRequest(http.MethodGet, "example.com", "/_oauth/logout")
 		session := sessionStore.Session("foo@example.com")
-		r = r.WithContext(context.WithValue(r.Context(), sessionKey, session))
+		r = extractor.WithSession(r, session)
 		w := httptest.NewRecorder()
 		s.ServeHTTP(w, r)
 		require.Equal(t, http.StatusUnauthorized, w.Code)
@@ -244,7 +246,7 @@ func setupServer(ctx context.Context, t *testing.T, metrics *Metrics) (sessions.
 	}()
 
 	list, _ := whitelist.New([]string{"foo@example.com"})
-	cfg := Configuration{
+	cfg := configuration.Configuration{
 		Provider:      "oidc",
 		AuthPrefix:    "auth",
 		ClientID:      oidcServer.ClientID,
@@ -305,7 +307,7 @@ func Test_getOriginalTarget(t *testing.T) {
 // before:
 // Benchmark_authHandler-16                  927531              1194 ns/op             941 B/op         14 allocs/op
 func Benchmark_authHandler(b *testing.B) {
-	config := Configuration{
+	config := configuration.Configuration{
 		Domains:   domains.Domains{"example.com"},
 		Whitelist: map[string]struct{}{"foo@example.com": {}},
 		Provider:  "google",
@@ -315,7 +317,7 @@ func Benchmark_authHandler(b *testing.B) {
 	s := New(context.Background(), sessionStore, stateStore, config, nil, slog.Default())
 	sess := sessionStore.SessionWithExpiration("foo@example.com", time.Hour)
 	r := testutils.ForwardAuthRequest(http.MethodGet, "example.com", "/foo")
-	r.AddCookie(sessionStore.Cookie(sess, config.Domains[0]))
+	r.AddCookie(sessionStore.Cookie(sess, string(config.Domains[0])))
 	w := httptest.NewRecorder()
 
 	b.ResetTimer()