
feat(auth): forward-auth verification endpoint #33

Description

@polaz

forward_auth config is parsed (and its policies already drive JWT route rules) but the verification endpoint it advertises is not served. Implement it so the proxy can act as an external auth gate for a fronting reverse proxy (nginx auth_request / Traefik forwardAuth).

Scope (when auth.mode == jwt and forward_auth.enabled)

  • Serve the endpoint at forward_auth.path (default /auth/verify). It validates the request's Bearer token and evaluates the configured route policies against the original request, taken from the fronting proxy's X-Forwarded-Method / X-Forwarded-Uri (falling back to X-Original-Method / X-Original-URI, then the verify request's own method/path).
  • 200 when allowed, echoing the configured claim headers (e.g. x-forwarded-user) so the fronting proxy copies the verified identity upstream.
  • 401 when unauthenticated (adds Location: forward_auth.login_url when configured, for error-page redirects); 403 when authenticated but missing a required role.
  • The endpoint is public (not behind the JWT middleware itself).

Refactor the auth decision (token → policy → claims) into one reusable function so the middleware and the verify endpoint share a single source of truth.
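To make the shared decision concrete, here is an added sketch (not the project's code; the project's language, config types and policy semantics are assumed, and Go is used only for illustration) of the single token -> policy -> claims function the middleware and the verify endpoint would both call, including the X-Forwarded-* / X-Original-* / own-request fallback, the 401-with-Location and 403 outcomes, and the echoed claim header:

```go
package main
import ("net/http"; "strings")

// Assumed shapes: route rule (Method "" = any, Role "" = any authenticated user), verified claims, shared outcome.
type Policy struct{ Method, Prefix, Role string }
type Claims struct{ Subject string; Roles map[string]bool }
type Decision struct{ Status int; Headers map[string]string }
// originalRequest resolves the gated request's method and path in the documented
// fallback order: X-Forwarded-* > X-Original-* > the verify request itself.
func originalRequest(r *http.Request) (method, path string) {
	first := func(fallback string, names ...string) string {
		for _, n := range names {
			if v := r.Header.Get(n); v != "" {
				return v
			}
		}
		return fallback
	}
	method = first(r.Method, "X-Forwarded-Method", "X-Original-Method")
	path = first(r.URL.Path, "X-Forwarded-Uri", "X-Original-URI")
	if i := strings.IndexByte(path, '?'); i >= 0 { // rules match the path, not the query
		path = path[:i]
	}
	return method, path
}

// decide is the one token -> policy -> claims decision both callers use; verify stands in for real JWT validation.
func decide(r *http.Request, policies []Policy, loginURL string, verify func(string) (*Claims, bool)) Decision {
	claims, ok := (*Claims)(nil), false
	if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
		claims, ok = verify(strings.TrimPrefix(auth, "Bearer "))
	}
	if !ok { // unauthenticated: 401, with Location so the fronting proxy can redirect
		h := map[string]string{}
		if loginURL != "" {
			h["Location"] = loginURL
		}
		return Decision{http.StatusUnauthorized, h}
	}
	method, path := originalRequest(r)
	for _, p := range policies { // first matching rule decides (assumed semantics)
		if (p.Method == "" || p.Method == method) && strings.HasPrefix(path, p.Prefix) {
			if p.Role != "" && !claims.Roles[p.Role] {
				return Decision{http.StatusForbidden, map[string]string{}}
			}
			break
		}
	}
	return Decision{http.StatusOK, map[string]string{"x-forwarded-user": claims.Subject}}
}
```

The verify handler then only maps a Decision onto the response (status plus headers), and the middleware maps the same Decision onto "call next" or "write the error"; the query-string stripping is worth keeping since X-Forwarded-Uri carries the full request target.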

Out of scope (separate roadmap items)

External gRPC AuthZ (authz), BFF sessions (bff), and multi-application configs (applications_path).

Acceptance

  • Unit tests: 200 + claim headers, 401 (with/without login_url), 403, original method/path from forwarded headers; middleware behavior unchanged.
  • README: forward-auth endpoint under Features.

Estimate: 6h
