
chore: drop unimplemented BFF session config (out of scope) #38

Merged: polaz merged 1 commit into main from chore/#37-drop-bff on Jun 20, 2026

polaz (Member) commented Jun 20, 2026

Summary

Removes the never-implemented BffConfig. On reflection, BFF does not belong in this crate: it is stateful session / token-lifecycle management (a separate product category, e.g. oauth2-proxy / Pomerium), whereas this proxy is a stateless transcoding data plane with stateless auth primitives. A server-side session / token store would also break the multi-instance-stateless design.

The auth surface that genuinely belongs here is already covered and stateless: JWT validation, forward-auth, external AuthZ (ext_authz), and OIDC discovery.

Changes

  • Remove BffConfig, the auth.bff field, and its default helpers.
  • Drop the BFF-specific cookieAuth OpenAPI security scheme (it was defined for the BFF login flow and never referenced; the proxy authenticates via bearer JWT).
  • Remove the bff: None stubs from auth test configs.
  • README: replace the (now-empty) Roadmap with a Non-goals note pointing to a dedicated BFF or the forward-auth / authz hooks.

No behavior change: the field was never wired into the request path.

Testing

cargo nextest run --features redis: 119 passed. clippy (all-features) + fmt clean.

Closes #37

BFF (cookie-based sessions, server-side token storage, refresh) is
stateful session-lifecycle management: a separate product (oauth2-proxy,
Pomerium), not a transcoding data plane. A server-side session store
would also break the stateless multi-instance design. This proxy already
covers the stateless auth surface that belongs here (JWT, forward-auth,
ext_authz, OIDC discovery).

Remove the never-wired BffConfig and its field, drop the BFF-specific
OpenAPI cookie security scheme, and document session/BFF as a non-goal.

Closes #37

coderabbitai Bot commented Jun 20, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 88bcfa5f-4ea7-44d1-9be9-3dd7b41739ef

📥 Commits

Reviewing files that changed from the base of the PR and between 417f350 and 1ce5b5d.

📒 Files selected for processing (5)
  • README.md
  • src/auth/forward.rs
  • src/auth/mod.rs
  • src/config.rs
  • src/openapi.rs
💤 Files with no reviewable changes (4)
  • src/openapi.rs
  • src/auth/mod.rs
  • src/auth/forward.rs
  • src/config.rs

📝 Walkthrough

Summary by CodeRabbit

  • Documentation
    • Clarified that session and BFF management (cookie-based login, server-side token storage, refresh flows) is out of scope; recommends dedicated BFF solutions or existing authentication hooks.
  • Breaking Changes
    • Removed Backend-for-Frontend (BFF) session configuration from supported YAML schemas.
    • Removed cookie-based authentication option from API documentation.

Walkthrough

Removes the unimplemented BffConfig struct and the bff: Option<BffConfig> field from AuthConfig in src/config.rs, drops the cookieAuth security scheme from the OpenAPI generator, removes bff: None from three test fixtures, and replaces the README Roadmap BFF entry with a Non-goals section.

Changes

BFF Session Config Removal

| Layer / File(s) | Summary |
|---|---|
| Remove BffConfig from AuthConfig and OpenAPI cookieAuth scheme (src/config.rs, src/openapi.rs) | AuthConfig no longer has a bff field; BffConfig and its default helpers are deleted. The OpenAPI generate() function emits only the bearerAuth scheme, with cookieAuth removed from components.securitySchemes. |
| Test fixture cleanup and README non-goals update (src/auth/forward.rs, src/auth/mod.rs, README.md) | Three AuthConfig struct literals in forward-auth and JWT auth tests drop the bff: None field. The README replaces the Roadmap BFF entry with a "Non-goals" section disclaiming session/BFF management. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • structured-world/structured-proxy#34: Introduced the forward-auth /auth/verify endpoint and Auth::decide logic whose test fixtures are updated in this PR by removing the bff: None field.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore: drop unimplemented BFF session config (out of scope)' accurately summarizes the primary change—removal of unused BFF configuration. |
| Description check | ✅ Passed | The description is well-related to the changeset, clearly explaining the architectural rationale and detailing all modifications made. |
| Linked Issues check | ✅ Passed | The PR fully addresses all requirements from issue #37: removal of BffConfig and auth.bff field, deletion of cookieAuth scheme, cleanup of test stubs, and README non-goals section. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with the stated objective of removing unimplemented BFF configuration; no extraneous modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


greptile-apps Bot commented Jun 20, 2026

Greptile Summary

This PR removes the never-implemented BffConfig (Backend-for-Frontend session management) and its associated scaffolding, replacing the "Roadmap" section in the README with a "Non-goals" explanation of why stateful session management is out of scope for this stateless transcoding proxy.

  • src/config.rs: Deletes BffConfig, three default-value helpers, and the bff: Option<BffConfig> field from AuthConfig.
  • src/auth/{mod,forward}.rs: Removes bff: None stubs from test config literals to keep them in sync with the struct.
  • src/openapi.rs: Drops the cookieAuth security scheme (never referenced by any operation object in the spec).

Confidence Score: 5/5

Entirely safe to merge — removes dead, never-wired code with no runtime effect.

Every removed symbol (BffConfig, its defaults, the bff field, and the cookieAuth OpenAPI entry) was scaffolding that was never read on any request path. A grep across the full source tree confirms zero remaining references. The 119-test suite, clippy, and fmt all pass. This is a clean dead-code deletion.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| src/config.rs | Removes the unimplemented BffConfig struct, its three default helpers, and the bff field from AuthConfig — pure dead-code deletion with no behaviour change. |
| src/auth/mod.rs | Drops two bff: None stubs from test config literals to match the removed struct field; no logic change. |
| src/auth/forward.rs | Drops one bff: None stub from a test config literal; no logic change. |
| src/openapi.rs | Removes the cookieAuth security scheme entry from the generated OpenAPI spec; it was never referenced by any operation object so the output schema is unchanged in practice. |
| README.md | Replaces the "Roadmap" section (single BFF bullet) with a "Non-goals" note that explains the stateless design rationale and points to alternatives. |

Reviews (1): Last reviewed commit: "chore: drop unimplemented BFF session co..."