feat: clearer error when secret is not a valid base64-encoded value

clambin · Apr 29, 2024 · e351263 · e351263
1 parent 8ef81f0
commit e351263
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -176,7 +176,7 @@ traefik-simple-auth supports the following command-line arguments:
 
 ```
 Usage:
-   -addr string
+  -addr string
         The address to listen on for HTTP requests (default ":8080")
   -auth-prefix string
         prefix to construct the authRedirect URL from the domain (default "auth")
@@ -185,7 +185,7 @@ Usage:
   -client-secret string
         OAuth2 Client Secret
   -debug
-        Enable debug mode
+        Log debug messages
   -domains string
         Comma-separated list of domains to allow access
   -expiry duration
@@ -195,9 +195,9 @@ Usage:
   -provider string
         The OAuth2 provider to use (default "google")
   -secret string
-        Secret to use for authentication (base64-encoded)
+        Secret to use for authentication (base64 encoded)
   -session-cookie-name string
-        The cookie name to use for authentication (default "traefik-simple-auth")
+        The cookie name to use for authentication (default "_traefik_simple_auth")
   -users string
         Comma-separated list of usernames to login
 ```
@@ -206,7 +206,7 @@ Usage:
 
 - `debug`
 
-  Enable debug mode
+  Log debug messages
 
 - `addr`
 
@@ -242,7 +242,7 @@ Usage:
 
 - `domains`
 
-   A comma-separated list of all domains that should be allowed. If "example.com" is an allowed domain, then all subdomains (eg. www.example.com) are allowed.
+   A comma-separated list of all allowed domains. If "example.com" is an allowed domain, then all subdomains (eg. www.example.com) are allowed.
 
 - `expiry`
 
@@ -254,7 +254,7 @@ Usage:
 
 - `users`
 
-  A comma-separated list of email addresses that should be allowed to use traefik-simple-auth.
+  A comma-separated list of email addresses that should be allowed to use traefik-simple-auth. If the list is blank, then any email address will be allowed.
 
 ## Metrics
 

diff --git a/internal/configuration/configuration.go b/internal/configuration/configuration.go
@@ -12,7 +12,7 @@ import (
 )
 
 var (
-	debug             = flag.Bool("debug", false, "Enable debug mode")
+	debug             = flag.Bool("debug", false, "Log debug messages")
 	addr              = flag.String("addr", ":8080", "The address to listen on for HTTP requests")
 	promAddr          = flag.String("prom", ":9090", "The address to listen on for Prometheus scrape requests")
 	sessionCookieName = flag.String("session-cookie-name", "_traefik_simple_auth", "The cookie name to use for authentication")
@@ -23,7 +23,7 @@ var (
 	provider          = flag.String("provider", "google", "The OAuth2 provider to use")
 	clientId          = flag.String("client-id", "", "OAuth2 Client ID")
 	clientSecret      = flag.String("client-secret", "", "OAuth2 Client Secret")
-	secret            = flag.String("secret", "", "Secret to use for authentication")
+	secret            = flag.String("secret", "", "Secret to use for authentication (base64 encoded)")
 )
 
 type Configuration struct {
@@ -42,36 +42,35 @@ type Configuration struct {
 }
 
 func GetConfiguration() (Configuration, error) {
-	domainList, err := domains.GetDomains(strings.Split(*domainsString, ","))
+	cfg := Configuration{
+		Debug:             *debug,
+		Addr:              *addr,
+		PromAddr:          *promAddr,
+		SessionCookieName: *sessionCookieName,
+		Expiry:            *expiry,
+		Provider:          *provider,
+		ClientID:          *clientId,
+		ClientSecret:      *clientSecret,
+		AuthPrefix:        *authPrefix,
+	}
+	var err error
+	cfg.Domains, err = domains.GetDomains(strings.Split(*domainsString, ","))
 	if err != nil {
 		return Configuration{}, fmt.Errorf("invalid domain list: %w", err)
 	}
-	if len(domainList) == 0 {
+	if len(cfg.Domains) == 0 {
 		return Configuration{}, errors.New("no valid domains")
 	}
-	whiteList, err := whitelist.New(strings.Split(*users, ","))
+	cfg.Whitelist, err = whitelist.New(strings.Split(*users, ","))
 	if err != nil {
 		return Configuration{}, fmt.Errorf("invalid whitelist: %w", err)
 	}
-	secretBytes, err := base64.StdEncoding.DecodeString(*secret)
+	cfg.Secret, err = base64.StdEncoding.DecodeString(*secret)
 	if err != nil {
-		return Configuration{}, err
+		return Configuration{}, fmt.Errorf("failed to decode secret: %w", err)
 	}
-	if *clientId == "" || *clientSecret == "" {
+	if cfg.ClientID == "" || cfg.ClientSecret == "" {
 		return Configuration{}, errors.New("must specify both client-id and client-secret")
 	}
-	return Configuration{
-		Debug:             *debug,
-		Addr:              *addr,
-		PromAddr:          *promAddr,
-		SessionCookieName: *sessionCookieName,
-		Expiry:            *expiry,
-		Secret:            secretBytes,
-		Domains:           domainList,
-		Whitelist:         whiteList,
-		Provider:          *provider,
-		ClientID:          *clientId,
-		ClientSecret:      *clientSecret,
-		AuthPrefix:        *authPrefix,
-	}, nil
+	return cfg, nil
 }