Perbaikan Middelware dan tool generete

2025-08-21 22:44:55 +07:00
parent fb41d7720e
commit 80dafd2a69
5 changed files with 133 additions and 39 deletions
--- a/internal/middleware/auth_middleware.go
+++ b/internal/middleware/auth_middleware.go
@@ -0,0 +1,59 @@
+package middleware
+
+import (
+	"fmt"
+	"net/http"
+
+	"api-service/internal/config"
+
+	"github.com/gin-gonic/gin"
+)
+
+// ConfigurableAuthMiddleware provides flexible authentication based on configuration
+func ConfigurableAuthMiddleware(cfg *config.Config) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Skip authentication for development/testing if explicitly disabled
+		if !cfg.Keycloak.Enabled {
+			fmt.Println("Authentication is disabled - allowing all requests")
+			c.Next()
+			return
+		}
+
+		// Use Keycloak authentication when enabled
+		AuthMiddleware()(c)
+	}
+}
+
+// StrictAuthMiddleware enforces authentication regardless of Keycloak.Enabled setting
+func StrictAuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if appConfig == nil {
+			fmt.Println("AuthMiddleware: Config not initialized")
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "authentication service not configured"})
+			return
+		}
+
+		// Always enforce authentication
+		AuthMiddleware()(c)
+	}
+}
+
+// OptionalKeycloakAuthMiddleware allows requests but adds authentication info if available
+func OptionalKeycloakAuthMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if appConfig == nil || !appConfig.Keycloak.Enabled {
+			c.Next()
+			return
+		}
+
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			// No token provided, but continue
+			c.Next()
+			return
+		}
+
+		// Try to validate token, but don't fail if invalid
+		AuthMiddleware()(c)
+	}
+}
--- a/internal/middleware/keycloak_middleware.go
+++ b/internal/middleware/keycloak_middleware.go
@@ -13,6 +13,8 @@ import (
 	"sync"
 	"time"

+	"api-service/internal/config"
+
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
 	"golang.org/x/sync/singleflight"
@@ -22,24 +24,19 @@ var (
 	ErrInvalidToken = errors.New("invalid token")
 )

-// Configurable Keycloak parameters - replace with your actual values or load from config/env
-const (
-	KeycloakIssuer   = "https://keycloak.example.com/auth/realms/yourrealm"
-	KeycloakAudience = "your-client-id"
-	JwksURL          = KeycloakIssuer + "/protocol/openid-connect/certs"
-)
-
 // JwksCache caches JWKS keys with expiration
 type JwksCache struct {
 	mu        sync.RWMutex
 	keys      map[string]*rsa.PublicKey
 	expiresAt time.Time
 	sfGroup   singleflight.Group
+	config    *config.Config
 }

-func NewJwksCache() *JwksCache {
+func NewJwksCache(cfg *config.Config) *JwksCache {
 	return &JwksCache{
-		keys: make(map[string]*rsa.PublicKey),
+		keys:   make(map[string]*rsa.PublicKey),
+		config: cfg,
 	}
 }

@@ -74,7 +71,17 @@ func (c *JwksCache) GetKey(kid string) (*rsa.PublicKey, error) {
 }

 func (c *JwksCache) fetchKeys() (map[string]*rsa.PublicKey, error) {
-	resp, err := http.Get(JwksURL)
+	if !c.config.Keycloak.Enabled {
+		return nil, fmt.Errorf("keycloak authentication is disabled")
+	}
+
+	jwksURL := c.config.Keycloak.JwksURL
+	if jwksURL == "" {
+		// Construct JWKS URL from issuer if not explicitly provided
+		jwksURL = c.config.Keycloak.Issuer + "/protocol/openid-connect/certs"
+	}
+
+	resp, err := http.Get(jwksURL)
 	if err != nil {
 		return nil, err
 	}
@@ -138,11 +145,32 @@ func base64UrlDecode(s string) ([]byte, error) {
 	return base64.URLEncoding.DecodeString(s)
 }

-var jwksCache = NewJwksCache()
+// Global config instance
+var appConfig *config.Config
+var jwksCacheInstance *JwksCache
+
+// InitializeAuth initializes the auth middleware with config
+func InitializeAuth(cfg *config.Config) {
+	appConfig = cfg
+	jwksCacheInstance = NewJwksCache(cfg)
+}

 // AuthMiddleware validates Bearer token as Keycloak JWT token
 func AuthMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
+		if appConfig == nil {
+			fmt.Println("AuthMiddleware: Config not initialized")
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "authentication service not configured"})
+			return
+		}
+
+		if !appConfig.Keycloak.Enabled {
+			// Skip authentication if Keycloak is disabled but log for debugging
+			fmt.Println("AuthMiddleware: Keycloak authentication is disabled - allowing all requests")
+			c.Next()
+			return
+		}
+
 		fmt.Println("AuthMiddleware: Checking Authorization header") // Debug log

 		authHeader := c.GetHeader("Authorization")
@@ -174,8 +202,8 @@ func AuthMiddleware() gin.HandlerFunc {
 				return nil, errors.New("kid header not found")
 			}

-			return jwksCache.GetKey(kid)
-		}, jwt.WithIssuer(KeycloakIssuer), jwt.WithAudience(KeycloakAudience))
+			return jwksCacheInstance.GetKey(kid)
+		}, jwt.WithIssuer(appConfig.Keycloak.Issuer), jwt.WithAudience(appConfig.Keycloak.Audience))

 		if err != nil || !token.Valid {
 			fmt.Printf("AuthMiddleware: Invalid or expired token: %v\n", err) // Debug log