feat: add plugins for checking cookie session

Author: kespinola

charts/hub-gateway/Chart.yaml

@@ -18,7 +18,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.4.0"
+version: "0.5.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/hub-gateway/plugins/kratos.lua

@@ -66,32 +66,17 @@ local schema = {
 
 local _M = {
     version = 0.1,
-    priority = 1030,
-    name = "kratos",
+    priority = 2,
+    name = "session",
     schema = schema
 }
 
 function _M.check_schema(conf)
     return core.schema.check(schema, conf)
 end
 
-local function build_json_error(code, status, reason)
-
-    core.response.set_header(ctx, "content", "application/json")
-    local res = {
-        error = {
-            code = code,
-            status = status,
-            reason = reason
-        }
-    }
-    return json.encode(res)
-end
-
 function _M.access(conf, ctx)
-    local ret_code
     local headers = core.request.headers()
-    local method_name = ngx.req.get_method()
 
     local session_cookie_name = string.lower(conf.session_cookie_name or "ory_kratos_session")
     local cookie_header = string.lower("cookie_" .. session_cookie_name)
@@ -101,7 +86,6 @@ function _M.access(conf, ctx)
     local session_token = headers[session_cookie_name] or cookie_value
 
     if not session_token then
-        local res = build_json_error(ret_code, "Unauthorized", "Missing " .. session_cookie_name .. " header or cookie")
         return
     end
 
@@ -157,10 +141,10 @@ function _M.access(conf, ctx)
     -- Expose user id on $kratos_user_id variable
     -- Expose user email on $kratos_user_email variable
     if conf.expose_user_id then
-        core.request.set_header(ctx, "x-user-id", data.identity.id)
-        core.response.set_header("x-user-id", data.identity.id)
-        core.request.set_header(ctx, "x-user-email", data.identity.traits.email)
-        core.response.set_header("x-user-email", data.identity.traits.email)
+        core.request.set_header(ctx, "X-USER-ID", data.identity.id)
+        core.response.set_header("X-USER-ID", data.identity.id)
+        core.request.set_header(ctx, "X-USER-EMAIL", data.identity.traits.email)
+        core.response.set_header("X-USER-EMAIL", data.identity.traits.email)
         core.ctx.register_var("kratos_user_id", function(ctx)
             return data.identity.id
         end)

charts/hub-gateway/plugins/session-json.lua

@@ -0,0 +1,50 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+    type = "object",
+    properties = {}
+}
+
+local _M = {
+    version = 0.1,
+    priority = 1,
+    name = "session-json",
+    schema = schema
+}
+
+function _M.check_schema(conf)
+    return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+    local user_id = core.request.header(ctx, "X-USER-ID")
+    local uri = ctx.var.uri
+
+    if not user_id then
+        core.response.set_header("Content-Type", "application/json")
+
+        return 403, {
+            message = "no valid session"
+        }
+    end
+end
+
+return _M

charts/hub-gateway/plugins/session-redirect.lua

@@ -0,0 +1,63 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+    type = "object",
+    properties = {
+        login_uri = {
+          type = "string"
+        },
+        redirect_to = {
+          type = "boolean",
+          default = false
+        }
+    },
+    require = {"login_uri"}
+}
+
+local _M = {
+    version = 0.1,
+    priority = 1,
+    name = "session-redirect",
+    schema = schema
+}
+
+function _M.check_schema(conf)
+    return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+    local redirect_to = conf.redirect_to
+    local user_id = core.request.header(ctx, "X-USER-ID")
+    local uri = ctx.var.uri
+    local redirect_uri = conf.login_uri
+
+    if redirect_to then
+      redirect_uri = redirect_uri .. "?return_to=" .. uri
+    end
+
+    if not user_id then
+        core.response.set_header("Location", redirect_uri)
+
+        return 302, "Unauthorized please login"
+    end
+end
+
+return _M

charts/hub-gateway/templates/apisixroute.yaml

@@ -2,6 +2,7 @@
 {{- $namespace := .Values.hubNamespace -}}
 {{- $domain := .Values.domain -}}
 {{- $sessionCookie := .Values.sessionCookieName -}}
+{{- $loginUri := .Values.loginUri -}}
 {{- with .Values.routes }}
 {{- range . }}
 apiVersion: apisix.apache.org/v2
@@ -26,7 +27,8 @@ spec:
       methods:
       {{- .methods | toYaml | nindent 8 }}
     plugins:
-    {{- if .setUserHeader }}
+    {{- with .kratos }}
+    {{- if .enabled | default false }}
     - name: kratos
       enable: true
       config:
@@ -35,6 +37,16 @@ spec:
         expose_user_id: true
         session_cookie_name: {{ $sessionCookie }}
     {{- end }}
+    {{- end }}
+    {{- with .sessionRedirect }}
+    {{- if .enabled }}
+    - name: session-redirect
+      enable: true
+      config:
+        login_uri: {{ $loginUri }}
+        redirect_to: {{ .redirectTo | default false }}
+    {{- end }}
+    {{- end }}
     {{- if .regexUri }}
     - name: proxy-rewrite
       enable: true

charts/hub-gateway/values.yaml

@@ -2,6 +2,7 @@ hubNamespace: default
 domain: 127.0.0.1.nip.io
 port: 9080
 sessionCookieName: "hub_session"
+loginUri: "http://hub.127.0.0.1.nip.io:9080/login"
 
 routes:
 - name: api
@@ -13,7 +14,8 @@ routes:
   methods:
     - POST
     - OPTIONS
-  setUserHeader: true
+  kratos:
+    enabled: true
   regexUri:
     - "/graphql"
     - "/"
@@ -27,7 +29,8 @@ routes:
   methods:
     - POST
     - OPTIONS
-  setUserHeader: true
+  kratos:
+    enabled: true
   regexUri:
     - "/graphql"
     - "/"
@@ -41,7 +44,10 @@ routes:
   methods:
     - POST
     - OPTIONS
-  setUserHeader: true
+  kratos:
+    enabled: true
+  sessionJson:
+    enabled: true
   regexUri:
     - "/graphql"
     - "/"
@@ -55,13 +61,19 @@ routes:
     - /browser/organizations/*
   methods:
     - POST
-  setUserHeader: true
+  kratos:
+    enabled: true
+  sessionRedirect:
+    enabled: true
 
 - name: ui-private
   subdomain: hub
   serviceName: hub
   servicePort: 80
-  setUserHeader: true
+  kratos:
+    enabled: true
+  sessionRedirect:
+    enabled: true
   methods:
     - GET
   paths:
@@ -70,12 +82,27 @@ routes:
     - /webhooks/*
     - /members
     - /members/*
+    - /organizations
     - /organizations/new
     - /projects
     - /projects/*
     - /treasuries
     - /treasuries/*
 
+- name: ui-private-invite
+  subdomain: hub
+  serviceName: hub
+  servicePort: 80
+  kratos:
+    enabled: true
+  sessionRedirect:
+    enabled: true
+    redirectTo: true
+  methods:
+    - GET
+  paths:
+    - /invites/*
+
 - name: ui-public
   subdomain: hub
   serviceName: hub
@@ -103,6 +130,12 @@ apisixPlugins:
     servicePort: 80
     files:
       - plugins/kratos.lua
+  sessionRedirect:
+    files:
+      - plugins/session-redirect.lua
+  sessionJson:
+    files:
+      - plugins/session-json.lua
 
 apisix:
   enabled: true
@@ -158,6 +191,8 @@ apisix:
 
   plugins:
     - kratos
+    - session-redirect
+    - session-json
     - mocking
     - cors
     - redirect
@@ -175,6 +210,10 @@ apisix:
           mounts:
             - key: "kratos.lua"
               path: "/opts/custom_plugins/apisix/plugins/kratos.lua"
+            - key: "session-redirect.lua"
+              path: "/opts/custom_plugins/apisix/plugins/session-redirect.lua"
+            - key: "session-json.lua"
+              path: "/opts/custom_plugins/apisix/plugins/session-json.lua"
 
   logs:
     enableAccessLog: true