feat: allowed onepanel-auth-token header to provide authentication token.

Updated server to make that key not require a grpc-gateway prefix.
2025-10-04 05:16:24 +08:00 · 2020-07-20 20:52:36 -07:00
parent b01c0c41a8
commit 7af3c9dd7c
2 changed files with 20 additions and 1 deletions
--- a/main.go
+++ b/main.go
@@ -15,6 +15,7 @@ import (
 	"net"
 	"net/http"
 	"path/filepath"
+	"strings"

 	"github.com/gorilla/handlers"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -159,7 +160,7 @@ func startHTTPProxy() {

 	// Register gRPC server endpoint
 	// Note: Make sure the gRPC server is running properly and accessible
-	mux := runtime.NewServeMux()
+	mux := runtime.NewServeMux(runtime.WithIncomingHeaderMatcher(customHeaderMatcher))
 	opts := []grpc.DialOption{grpc.WithInsecure()}

 	registerHandler(api.RegisterWorkflowTemplateServiceHandlerFromEndpoint, ctx, mux, endpoint, opts)
@@ -251,3 +252,16 @@ func watchConfigmapChanges(client *v1.Client, namespace string, stopCh <-chan st
 	neverStopCh := make(chan struct{})
 	controller.Run(neverStopCh)
 }
+
+// customHeaderMatcher is used to allow certain headers so we don't require a grpc-gateway prefix
+func customHeaderMatcher(key string) (string, bool) {
+	lowerCaseKey := strings.ToLower(key)
+	switch lowerCaseKey {
+	case "onepanel-auth-token":
+		return lowerCaseKey, true
+	case "cookie":
+		return lowerCaseKey, true
+	default:
+		return runtime.DefaultHeaderMatcher(key)
+	}
+}
--- a/server/auth/auth.go
+++ b/server/auth/auth.go
@@ -50,6 +50,10 @@ func getBearerToken(ctx context.Context) (*string, bool) {
 		}
 	}

+	for _, t := range md.Get("onepanel-auth-token") {
+		return &t, true
+	}
+
 	return nil, false
 }

@@ -98,6 +102,7 @@ func IsAuthorized(c *v1.Client, namespace, verb, group, resource, name string) (
 //   2. Is there a token? There should be a token for everything except logging in.
 func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB, sysConfig v1.SystemConfig) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
+		// Check if the provided token is valid. This does not require a token in the header.
 		if info.FullMethod == "/api.AuthService/IsValidToken" {
 			md, ok := metadata.FromIncomingContext(ctx)
 			if !ok {