From b0d8e64275ee91e09ced4878b520b572d51c5b2a Mon Sep 17 00:00:00 2001
From: renaldybrada
Date: Wed, 18 Feb 2026 09:21:29 +0700
Subject: [PATCH] keycloak configuration

---
 internal/config/config.go | 7 +++++++
 internal/config/helper.go | 8 ++++++++
 internal/config/struct.go | 9 +++++++++
 internal/middleware/authKeycloak.go | 23 ++++++++++++-----------
 internal/routes/routes.go | 2 +-
 5 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index bcd43dd..73715cd 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -23,6 +23,13 @@ func LoadConfig() *Config {
 Security: SecurityConfig{
 TrustedOrigins: parseOrigins(getEnv("SECURITY_TRUSTED_ORIGINS", "http://localhost:3000,http://localhost:8080")),
 },
+ Keycloak: KeycloakConfig{
+ BaseUrl: getEnv("KEYCLOAK_BASE_URL", "https://auth.rssa.top"),
+ Realm: getEnv("KEYCLOAK_REALM", "sandbox"),
+ Audience: getEnv("KEYCLOAK_AUDIENCE", "akbar-test"),
+ Issuer: getEnv("KEYCLOAK_ISSUER", "https://auth.rssa.top/realms/sandbox"),
+ IsEnabled: getEnvAsBool("KEYCLOAK_IS_ENABLE", false),
+ },
 }

 config.loadCustomDatabaseConfigs()
diff --git a/internal/config/helper.go b/internal/config/helper.go
index 58e72f7..d52084d 100644
--- a/internal/config/helper.go
+++ b/internal/config/helper.go
@@ -47,6 +47,14 @@ func getEnvAsBoolFromMap(config map[string]string, key string, defaultValue bool
 return defaultValue
 }

+func getEnvAsBool(key string, defaultValue bool) bool {
+ valueStr := getEnv(key, "")
+ if value, err := strconv.ParseBool(valueStr); err == nil {
+ return value
+ }
+ return defaultValue
+}
+
 // Helper functions for getting default values based on database type
 func getDefaultPort(dbType string) int {
 switch dbType {
diff --git a/internal/config/struct.go b/internal/config/struct.go
index 35df448..d964b99 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
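Review bot: `IsEnabled` defaults to `false` in the new `Keycloak` block, so a deployment that simply omits `KEYCLOAK_IS_ENABLE` runs with token validation switched off; the safe default for an auth switch is on, `IsEnabled: getEnvAsBool("KEYCLOAK_IS_ENABLE", true),`, with the opt-out made explicit. The `Issuer` fallback is also spelled out independently of `BaseUrl` and `Realm`, although the JWKS URL in authKeycloak.go is built from those two; overriding one env var without the other yields a JWKS endpoint and an issuer that do not belong together, and every token is then rejected. Reading base URL and realm into locals first and deriving the fallback, `Issuer: getEnv("KEYCLOAK_ISSUER", baseURL+"/realms/"+realm),`, keeps the pair consistent. `LoadConfig` starts and ends outside the hunk.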
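Review bot: `getEnvAsBool` falls back to `defaultValue` silently when the variable is set to something `strconv.ParseBool` rejects (`yes`, `enabled`, a stray space), which for a flag like `KEYCLOAK_IS_ENABLE` means a typo changes the auth behaviour without any trace. Distinguish the unset case from the malformed one: return the default immediately when `valueStr == ""`, and when the parse fails on a non-empty value, log the key and the offending value with whatever logger the file already uses before returning the default. The file has `getEnvAsBoolFromMap` just above the hunk with what looks like the same contract; if its body parses the same way, the two could share one parsing helper rather than duplicate it. A doc comment such as `// getEnvAsBool reads key from the environment and parses it with strconv.ParseBool, returning defaultValue when it is unset or unparseable.` would also help.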
@@ -7,6 +7,7 @@ type Config struct {
 Databases map[string]DatabaseConfig
 ReadReplicas map[string][]DatabaseConfig
 Security SecurityConfig
+ Keycloak KeycloakConfig
 }

 type ServerConfig struct {
@@ -48,3 +49,11 @@ type DatabaseConfig struct {
 type SecurityConfig struct {
 TrustedOrigins []string `mapstructure:"trusted_origins"`
 }
+
+type KeycloakConfig struct {
+ BaseUrl string
+ Realm string
+ Audience string
+ Issuer string
+ IsEnabled bool
+}
diff --git a/internal/middleware/authKeycloak.go b/internal/middleware/authKeycloak.go
index a7793c2..06c1f32 100644
--- a/internal/middleware/authKeycloak.go
+++ b/internal/middleware/authKeycloak.go
@@ -1,11 +1,11 @@
 package middleware

 import (
+ "antrian-operasi/internal/config"
 "antrian-operasi/internal/shared"
 "fmt"
 "log"
 "net/http"
- "os"
 "strings"
 "time"

@@ -14,16 +14,11 @@ import (
 "github.com/golang-jwt/jwt/v4"
 )

-func AuthKeycloak() (gin.HandlerFunc, error) {
- baseURL := os.Getenv("KEYCLOAK_BASE_URL")
- realm := os.Getenv("KEYCLOAK_REALM")
- audience := os.Getenv("KEYCLOAK_AUDIENCE")
- issuer := os.Getenv("KEYCLOAK_ISSUER")
-
+func AuthKeycloak(cfg config.KeycloakConfig) (gin.HandlerFunc, error) {
 jwksURL := fmt.Sprintf(
 "%s/realms/%s/protocol/openid-connect/certs",
- baseURL,
- realm,
+ cfg.BaseUrl,
+ cfg.Realm,
 )

 jwks, err := keyfunc.Get(jwksURL, keyfunc.Options{
@@ -37,6 +32,12 @@ func AuthKeycloak() (gin.HandlerFunc, error) {
 }

 return func(c *gin.Context) {
+ // bypassing keycloak validation, if not enabled
+ if !cfg.IsEnabled {
+ log.Println("bypassing keycloak validation")
+ c.Next()
+ }
+
 errorResponse := shared.BaseErrorResponse{
 Success: false,
 Code: 401,
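Review bot: `BaseUrl` in the new `KeycloakConfig` breaks the initialism convention the rest of the diff follows (`jwksURL`, and the removed `baseURL` local in authKeycloak.go); `BaseURL string` is the idiomatic spelling, and the rename would touch the two references in config.go and authKeycloak.go within this same commit. `SecurityConfig` directly above tags its field with `mapstructure:"trusted_origins"` while the new struct carries no tags, so if the config is ever loaded through that decoder the Keycloak fields would not map; either tag them the same way or say in a comment that they are populated from the environment only. The exported type also lacks a doc comment; `// KeycloakConfig holds the settings used to fetch the realm's JWKS and to validate bearer tokens; IsEnabled false skips validation.` would cover it.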
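Review bot: `keyfunc.Get` is still called unconditionally after the signature change, so even with `IsEnabled` false the process must reach `cfg.BaseUrl` at startup, and `RegisterRoutes` turns a failure there into `log.Fatalf`; the disable switch therefore does not let the service start without Keycloak. If bypass is the intent, decide it once before the JWKS fetch and return a pass-through handler, `if !cfg.IsEnabled { log.Println("keycloak validation disabled"); return func(c *gin.Context) { c.Next() }, nil }`, after which no per-request check is needed. Separately, the `fmt.Sprintf` yields `//realms` when `KEYCLOAK_BASE_URL` carries a trailing slash; `strings.TrimRight(cfg.BaseUrl, "/")` (`strings` is already imported) avoids that. `AuthKeycloak` continues past the hunk.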
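Review bot: The bypass branch calls `c.Next()` but does not `return`, so once the downstream handlers have written their response the middleware falls through into the bearer-token checks and, on the missing header, calls `c.AbortWithStatusJSON` against a response that is already committed; gin logs a headers-already-written warning and the 401 JSON is appended to the body. Add `return` immediately after `c.Next()`. The `log.Println` then fires on every request, which is noise in production; a single warning when the middleware is constructed says the same thing once. The comment could state the contract rather than restate the code: `// cfg.IsEnabled == false: token validation is skipped for every request.`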
@@ -63,14 +64,14 @@ func AuthKeycloak() (gin.HandlerFunc, error) {
 // validate issuer
 errorResponse.Message = "invalid keycloak configuration"
- if claims["iss"] != issuer {
+ if claims["iss"] != cfg.Issuer {
 errorResponse.Errors = []string{"invalid issuer"}
 c.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse)
 return
 }

 // validate audience
- if !claims.VerifyAudience(audience, true) {
+ if !claims.VerifyAudience(cfg.Audience, true) {
 errorResponse.Errors = []string{"invalid audience"}
 c.AbortWithStatusJSON(http.StatusUnauthorized, errorResponse)
 return
diff --git a/internal/routes/routes.go b/internal/routes/routes.go
index 481c220..9fe3a88 100644
--- a/internal/routes/routes.go
+++ b/internal/routes/routes.go
@@ -35,7 +35,7 @@ func RegisterRoutes(cfg *config.Config, dbService database.Service) *gin.Engine
 // init middleware
 router.Use(middleware.SecureCORSConfig(cfg.Security))

- authKeycloak, err := middleware.AuthKeycloak()
+ authKeycloak, err := middleware.AuthKeycloak(cfg.Keycloak)
 if err != nil {
 log.Fatalf("Unable to initiate keycloak auth")
 }
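Review bot: The issuer check compares `claims["iss"]` as an untyped map value against `cfg.Issuer`, while the audience check a few lines below goes through the claims helper; assuming `claims` is `jwt.MapClaims`, as the `VerifyAudience` call suggests, `if !claims.VerifyIssuer(cfg.Issuer, true) {` keeps both checks in the same style. `errorResponse.Message` is set to `"invalid keycloak configuration"` for a token whose issuer does not match, which describes a server-side setting to the client rather than the token; `"invalid token"` is the usual wording and discloses less about the deployment. The function continues outside the hunk.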
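Review bot: With `AuthKeycloak` now driven by `cfg.Keycloak`, a wrong `KEYCLOAK_BASE_URL` or an unreachable realm surfaces as the `log.Fatalf("Unable to initiate keycloak auth")` right below the changed line, which discards `err`; include it, `log.Fatalf("Unable to initiate keycloak auth: %v", err)`, so the failing JWKS URL is visible in the crash log instead of a bare message. `RegisterRoutes` starts and ends outside the hunk.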