verikloak-bff 0.1.2 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6901b11146849ea25306d9f78b3cf7d8903dce4374efcf1322a7aed6a3d52872
-  data.tar.gz: 9a9cd3f59250aa57599de7e973009dedff8d075a395632eef1a19a889fb6257c
+  metadata.gz: 255d2d606e30f92f8c562d91d975be06975a7ba373bd607aa5057e5abcc279a6
+  data.tar.gz: 6f81b6407f5a1a6e5d307cb65981f48e12c5356ec411ba05d21829681bedb084
 SHA512:
-  metadata.gz: eed7006bf01e9a51b4824d8e4fdd2a759210270fdf5fdb07617a21b5b6e40862232dc162f8bec8e65fdb89cea59443eee7a030c7fdd2e335446c182b2745936a
-  data.tar.gz: d89ca6f1f4032198704a0167d1c3cad7b8b2b1adc68948bb06b0abbf45c4f51157e2d00f3906ad070c4c59c56ed7ddb31bd8f8a58cd06884304b890889685b91
+  metadata.gz: 995250cf2096de074988c0a00d4c2de0ff4b03c798089acfd0f0e0e5e3c0cdc3717da82f4f85be74db68fe40ced3cda5c27ae9f14ae41385a38a24e2eb9c4814
+  data.tar.gz: 157ddfbc41d48b9903b59f732ef8128a4d27127fee098d4a6e2388ca713ce15a749acad287b4995f87515d70233f74d4f44f7ac9d289de34d548d26bef3e9d17

data/CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.1] - 2025-09-23
+
+### Fixed
+- Skip inserting `Verikloak::BFF::HeaderGuard` in Rails when `Verikloak::Middleware` is absent (e.g., discovery not configured)
+  so that generators and boot sequences no longer fail.
+
+## [0.2.0] - 2025-09-22
+
+### Added
+- `Verikloak::HeaderSources` module for shared header normalization (consumable by verikloak-rails and other adapters).
+
+### Changed
+- `Configuration#token_header_priority=` now normalizes and deduplicates entries, reusing the shared helper and ignoring `HTTP_AUTHORIZATION` automatically.
+- `forwarded_header_name` assignments trigger re-normalization of token priority lists to keep middleware aligned across gems.
+
 ## [0.1.2] - 2025-09-21
 
 ### Added

data/README.md

@@ -23,8 +23,22 @@ bundle add verikloak-bff
 
 ## Usage
 
-- Rack-only apps: `use Verikloak::BFF::HeaderGuard` before your core Verikloak middleware.
-- Rails apps: see the full guide in [docs/rails.md](docs/rails.md) (Gemfile, middleware order、initializer、proxy examples)。
+### Rack Applications
+Add to your `config.ru`:
+```ruby
+use Verikloak::BFF::HeaderGuard, trusted_proxies: ['127.0.0.1', '10.0.0.0/8']
+# Place before your core Verikloak middleware
+```
+
+### Rails Applications
+Simply add to your Gemfile and the middleware will be automatically integrated:
+```ruby
+gem 'verikloak-bff'
+```
+
+The gem automatically inserts `Verikloak::BFF::HeaderGuard` into the Rails middleware stack after the core `Verikloak::Middleware`. If the core middleware is not present (e.g., discovery not configured), it gracefully skips insertion with a warning, allowing Rails to boot normally.
+
+For detailed configuration, proxy setup examples, and troubleshooting, see [docs/rails.md](docs/rails.md).
 
 ## Consistency mapping
 
@@ -53,7 +67,7 @@ See `examples/rack.ru` for a tiny Rack app demo.
 | `peer_preference`            | Symbol (`:remote_then_xff`/`:xff_only`) | `:remote_then_xff` | Whether to prefer `REMOTE_ADDR` before falling back to XFF. |
 | `clock_skew_leeway`          | Integer (seconds)                    | `30`         | Reserved for small exp/nbf skew handled by core verifier. |
 | `logger`                     | `Logger` or `nil`                    | `nil`        | Logger for audit tags (`rid`, `sub`, `kid`, `iss/aud`). |
-| `token_header_priority`      | Array[String]                        | `['HTTP_X_FORWARDED_ACCESS_TOKEN']` | When Authorization is empty and no token chosen, seed it from these env headers in order. `HTTP_AUTHORIZATION` is ignored as a source; forwarded header is considered only from trusted peers. |
+| `token_header_priority`      | Array[String]                        | `['HTTP_X_FORWARDED_ACCESS_TOKEN']` | When Authorization is empty and no token chosen, seed it from these env headers in order. Values are normalized via `Verikloak::HeaderSources`; `HTTP_AUTHORIZATION` is ignored as a source. |
 | `forwarded_header_name`      | String                               | `HTTP_X_FORWARDED_ACCESS_TOKEN` | Env key for forwarded access token. |
 | `auth_request_headers`       | Hash                                 | see code     | Mapping for `X-Auth-Request-*` env keys: `{ email, user, groups }`. |
 
@@ -82,6 +96,7 @@ For full reverse proxy examples (Nginx auth_request / oauth2-proxy), see [docs/r
 - Authorization seeding from priority headers
   - When no token is chosen and `HTTP_AUTHORIZATION` is empty, the middleware consults `token_header_priority` to seed Authorization.
   - `HTTP_AUTHORIZATION` itself is never used as a source; forwarded headers are considered only from trusted peers.
+  - Other gems can `require 'verikloak/header_sources'` to reuse the same normalization helpers when sharing configuration defaults.
 
 - Observability helpers
   - Downstream can inspect `env['verikloak.bff.token']` (chosen token, unverified) and `env['verikloak.bff.selected_peer']` (peer IP selected for trust decisions).

data/lib/verikloak/bff/configuration.rb

@@ -22,6 +22,8 @@
 # @!attribute [rw] logger
 #   @return [Logger, nil] optional logger for audit tags
 
+require 'verikloak/header_sources'
+
 module Verikloak
   module BFF
     # Configuration for Verikloak::BFF middleware (trusted proxies, header policies, logging, etc.).
@@ -29,12 +31,17 @@ module Verikloak
       attr_accessor :trusted_proxies, :prefer_forwarded, :require_forwarded_header,
                     :enforce_header_consistency, :enforce_claims_consistency,
                     :strip_suspicious_headers, :xff_strategy, :clock_skew_leeway,
-                    :logger, :token_header_priority, :peer_preference,
-                    :forwarded_header_name, :auth_request_headers, :log_with,
+                    :logger, :peer_preference, :auth_request_headers, :log_with,
                     :claims_consistency_mode
+      attr_reader :token_header_priority, :forwarded_header_name
 
       # enforce_claims_consistency example:
       # { email: :email, user: :sub, groups: :realm_roles }
+      #
+      # Initialize configuration with secure defaults for proxy trust, token
+      # handling, and logging behavior.
+      #
+      # @return [void]
       def initialize
         @trusted_proxies = []
         @prefer_forwarded = true
@@ -48,7 +55,7 @@ module Verikloak
         @clock_skew_leeway = 30
         @logger = nil
         @log_with = nil
-        @forwarded_header_name = 'HTTP_X_FORWARDED_ACCESS_TOKEN'
+        self.forwarded_header_name = Verikloak::HeaderSources::DEFAULT_FORWARDED_HEADER
         @auth_request_headers = {
           email: 'HTTP_X_AUTH_REQUEST_EMAIL',
           user: 'HTTP_X_AUTH_REQUEST_USER',
@@ -56,9 +63,37 @@ module Verikloak
         }
         # When Authorization is empty and no chosen token exists, try these env headers (in order)
         # to seed Authorization, similar to verikloak-rails behavior. HTTP_AUTHORIZATION is always ignored as a source.
-        @token_header_priority = %w[
-          HTTP_X_FORWARDED_ACCESS_TOKEN
-        ]
+        self.token_header_priority = Verikloak::HeaderSources.default_priority(forwarded_header: @forwarded_header_name)
+      end
+
+      # Override forwarded header name while re-normalizing the token priority list.
+      # When the forwarded header changes, downstream priority normalization must
+      # be refreshed because the forwarded value participates in that list.
+      #
+      # @param header [String, Symbol]
+      # @return [void]
+      def forwarded_header_name=(header)
+        @forwarded_header_name = Verikloak::HeaderSources.normalize_env_key(header)
+        renormalize_token_priority!
+      end
+
+      # Assign token header priority list using shared normalization logic.
+      #
+      # @param priority [Array<String, Symbol>, String, Symbol, nil]
+      # @return [void]
+      def token_header_priority=(priority)
+        normalized, = Verikloak::HeaderSources.normalize_priority(priority, forwarded_header: @forwarded_header_name)
+        @token_header_priority = normalized
+      end
+
+      private
+
+      # Re-apply token header normalization so it reflects the current forwarded header.
+      #
+      # @return [void]
+      def renormalize_token_priority!
+        # Refresh the normalized list so it reflects the new forwarded header name.
+        self.token_header_priority = @token_header_priority
       end
     end
   end

data/lib/verikloak/bff/consistency_checks.rb

@@ -15,12 +15,11 @@ module Verikloak
     module ConsistencyChecks
       module_function
 
-      # Parse JWT payload without verifying (verikloak core will verify later).
-      # Decode JWT payload without verification.
+      # Decode the JWT payload without verifying the signature. Intended only
+      # for lightweight claim comparisons; full verification occurs downstream.
       #
       # @param token [String, nil]
       # @return [Hash] claims or empty hash on error
-
       def decode_claims(token)
         return {} unless token
         return {} if token.bytesize > Constants::MAX_TOKEN_BYTES
@@ -36,6 +35,7 @@ module Verikloak
       # @param env [Hash]
       # @param token [String, nil]
       # @param mapping [Hash] e.g., { email: :email, user: :sub, groups: :realm_roles }
+      # @param headers_map [Hash{Symbol=>String}, nil] overrides for header keys
       # @return [true, Array(:error, Symbol)] true or error tuple with failing field
       def enforce!(env, token, mapping, headers_map = nil)
         return true if mapping.nil? || mapping.empty?
@@ -63,6 +63,7 @@ module Verikloak
       #
       # @param env [Hash]
       # @param key [Symbol]
+      # @param headers_map [Hash{Symbol=>String}, nil]
       # @return [String, nil]
       def extract_header_value(env, key, headers_map = nil)
         return env[headers_map[key]] if headers_map && headers_map[key]

data/lib/verikloak/bff/errors.rb

@@ -12,6 +12,12 @@ module Verikloak
     class Error < StandardError
       attr_reader :code, :http_status
 
+      # Build a BFF error with a stable code and HTTP status.
+      #
+      # @param message [String, nil]
+      # @param code [String]
+      # @param http_status [Integer]
+      # @return [void]
       def initialize(message = nil, code: 'bff_error', http_status: 401)
         super(message || code)
         @code = code
@@ -21,6 +27,8 @@ module Verikloak
 
     # Raised when a request did not pass through a trusted proxy peer.
     class UntrustedProxyError < Error
+      # @param msg [String]
+      # @return [void]
       def initialize(msg = 'request did not pass through a trusted proxy')
         super(msg, code: 'untrusted_proxy', http_status: 401)
       end
@@ -28,6 +36,8 @@ module Verikloak
 
     # Raised when require_forwarded_header is enabled but the forwarded token is absent.
     class MissingForwardedTokenError < Error
+      # @param msg [String]
+      # @return [void]
       def initialize(msg = 'missing X-Forwarded-Access-Token')
         super(msg, code: 'missing_forwarded_token', http_status: 401)
       end
@@ -35,6 +45,8 @@ module Verikloak
 
     # Raised when Authorization and X-Forwarded-Access-Token both exist and differ.
     class HeaderMismatchError < Error
+      # @param msg [String]
+      # @return [void]
       def initialize(msg = 'authorization and forwarded token mismatch')
         super(msg, code: 'header_mismatch', http_status: 401)
       end
@@ -42,6 +54,9 @@ module Verikloak
 
     # Raised when X-Auth-Request-* headers conflict with JWT claims.
     class ClaimsMismatchError < Error
+      # @param field [Symbol, String]
+      # @param msg [String, nil]
+      # @return [void]
       def initialize(field, msg = nil)
         super(msg || "claims/header mismatch for #{field}", code: 'claims_mismatch', http_status: 403)
       end

data/lib/verikloak/bff/forwarded_token.rb

@@ -16,6 +16,8 @@ module Verikloak
       # Extract normalized tokens from the Rack env.
       #
       # @param env [Hash]
+      # @param forwarded_header_name [String] Rack env key for forwarded header
+      # @param auth_header_name [String] Rack env key for Authorization header
       # @return [Array(String, String)] [auth_token, forwarded_token]
       def extract(env, forwarded_header_name = FORWARDED_HEADER, auth_header_name = AUTH_HEADER)
         fwd_raw = env[forwarded_header_name]
@@ -54,6 +56,7 @@ module Verikloak
       # - Detects scheme case-insensitively
       # - Inserts a missing space (e.g., 'BearerXYZ' => 'Bearer XYZ')
       # - Collapses multiple spaces/tabs after the scheme to a single space
+      #
       # @param token [String]
       # @return [String]
       def ensure_bearer(token)
@@ -78,6 +81,7 @@ module Verikloak
       #
       # @param env [Hash]
       # @param token [String]
+      # @return [void]
       def set_authorization!(env, token)
         existing = env[AUTH_HEADER].to_s
         # Overwrite only if Authorization is empty or not a valid Bearer value
@@ -98,6 +102,8 @@ module Verikloak
       # downstream when not emitted by a trusted proxy.
       #
       # @param env [Hash]
+      # @param headers [Hash{Symbol=>String}, nil] explicit headers to strip
+      # @return [void]
       def strip_suspicious!(env, headers = nil)
         if headers.is_a?(Hash)
           headers.each_value { |h| env.delete(h) }

data/lib/verikloak/bff/header_guard.rb

@@ -15,6 +15,7 @@ require 'rack/utils'
 require 'json'
 require 'jwt'
 require 'digest'
+require 'verikloak/header_sources'
 require 'verikloak/bff/configuration'
 require 'verikloak/bff/errors'
 require 'verikloak/bff/proxy_trust'
@@ -30,6 +31,11 @@ module Verikloak
 
       module_function
 
+      # Generate sanitized token metadata suitable for structured logging without
+      # verifying the signature.
+      #
+      # @param token [String, nil]
+      # @return [Hash{Symbol=>Object}] sanitized tags keyed by JWT claim/header
       def token_tags(token)
         return {} unless token
 
@@ -46,6 +52,11 @@ module Verikloak
         {}
       end
 
+      # Decode a JWT without verifying the signature while guarding against
+      # excessively large tokens.
+      #
+      # @param token [String, nil]
+      # @return [Array<Hash>] payload and header hashes
       def decode_unverified(token)
         return [{}, {}] if token.nil? || token.bytesize > Constants::MAX_TOKEN_BYTES
 
@@ -54,10 +65,18 @@ module Verikloak
         [{}, {}]
       end
 
+      # Remove unsafe characters from a structured logging payload.
+      #
+      # @param payload [Hash]
+      # @return [Hash] sanitized payload suitable for logging
       def sanitize_payload(payload)
         payload.transform_values { |value| sanitize_log_field(value) }.compact
       end
 
+      # Sanitize an individual value destined for logs, pruning empty results.
+      #
+      # @param value [Object]
+      # @return [Object, nil] sanitized value or nil when the result is empty
       def sanitize_log_field(value)
         case value
         when nil
@@ -74,6 +93,10 @@ module Verikloak
         end
       end
 
+      # Remove control characters and invalid UTF-8 from a string.
+      #
+      # @param value [#to_s]
+      # @return [String]
       def sanitize_string(value)
         value.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '').gsub(LOG_CONTROL_CHARS, '')
       end
@@ -128,6 +151,7 @@ module Verikloak
       # Apply per-instance configuration overrides.
       #
       # @param opts [Hash]
+      # @return [void]
       def apply_overrides!(opts)
         cfg = @config
         opts.each do |k, v|
@@ -182,6 +206,7 @@ module Verikloak
       # @param env [Hash]
       # @param kind [Symbol] :ok, :mismatch, :claims_mismatch, :error
       # @param attrs [Hash]
+      # @return [void]
       def log_event(env, kind, **attrs)
         lg = logger(env)
         payload = { event: 'bff.header_guard', kind: kind, rid: request_id(env) }.merge(attrs).compact
@@ -205,6 +230,7 @@ module Verikloak
       # Raise when the request did not come through a trusted proxy.
       #
       # @param env [Hash]
+      # @raise [UntrustedProxyError]
       def ensure_trusted_proxy!(env)
         return if ProxyTrust.trusted?(env, @config.trusted_proxies, @config.xff_strategy)
 
@@ -214,6 +240,7 @@ module Verikloak
       # Enforce presence of forwarded token when required.
       #
       # @param fwd_token [String, nil]
+      # @raise [MissingForwardedTokenError]
       def ensure_forwarded_if_required!(fwd_token)
         return unless @config.require_forwarded_header
         raise MissingForwardedTokenError if fwd_token.nil? || fwd_token.to_s.strip.empty?
@@ -224,6 +251,7 @@ module Verikloak
       # @param env [Hash]
       # @param auth_token [String, nil]
       # @param fwd_token [String, nil]
+      # @raise [HeaderMismatchError]
       def enforce_header_consistency!(env, auth_token, fwd_token)
         return unless @config.enforce_header_consistency
         return unless auth_token && fwd_token
@@ -240,6 +268,8 @@ module Verikloak
       #
       # @param env [Hash]
       # @param chosen [String, nil]
+      # @return [void]
+      # @raise [ClaimsMismatchError]
       def enforce_claims_consistency!(env, chosen)
         res = ConsistencyChecks.enforce!(env, chosen, @config.enforce_claims_consistency, @config.auth_request_headers)
         return unless res.is_a?(Array) && res.first == :error
@@ -267,6 +297,7 @@ module Verikloak
       # @param chosen [String, nil]
       # @param auth_token [String, nil]
       # @param fwd_token [String, nil]
+      # @return [void]
       def normalize_authorization!(env, chosen, auth_token, fwd_token)
         return unless chosen
 
@@ -289,19 +320,21 @@ module Verikloak
 
       # Resolve the first env header from which to source a bearer token.
       # Forwarded is considered only when the peer is trusted; HTTP_AUTHORIZATION is never a source.
+      #
       # @param env [Hash]
       # @return [String, nil]
       def resolve_first_token_header(env)
         candidates = Array(@config.token_header_priority).dup
-        candidates -= ['HTTP_AUTHORIZATION']
-        fwd_key = 'HTTP_X_FORWARDED_ACCESS_TOKEN'
+        candidates -= [Verikloak::HeaderSources::AUTHORIZATION_HEADER]
+        fwd_key = @config.forwarded_header_name || Verikloak::HeaderSources::DEFAULT_FORWARDED_HEADER
         if candidates.include?(fwd_key) && !ProxyTrust.from_trusted_proxy?(env, @config.trusted_proxies)
           candidates -= [fwd_key]
         end
         candidates.find { |k| (v = env[k]) && !v.to_s.empty? }
       end
 
-      # Seed Authorization from priority headers if nothing chosen and empty Authorization
+      # Seed Authorization from priority headers if nothing chosen and empty Authorization.
+      #
       # @param env [Hash]
       # @param chosen [String, nil]
       # @return [String, nil] possibly updated chosen token
@@ -317,9 +350,11 @@ module Verikloak
         chosen
       end
 
-      # Expose hints to downstream
+      # Expose hints to downstream middleware or apps.
+      #
       # @param env [Hash]
       # @param chosen [String, nil]
+      # @return [void]
       def expose_env_hints(env, chosen)
         env['verikloak.bff.token'] = chosen if chosen
         env['verikloak.bff.selected_peer'] =

data/lib/verikloak/bff/proxy_trust.rb

@@ -53,6 +53,7 @@ module Verikloak
       end
 
       # Return the selected peer IP according to preference and strategy.
+      #
       # @param env [Hash]
       # @param preference [Symbol] :remote_then_xff or :xff_only
       # @param strategy [Symbol] :rightmost or :leftmost
@@ -70,6 +71,7 @@ module Verikloak
       end
 
       # Parse string to IPAddr or nil on failure.
+      #
       # @param str [String]
       # @return [IPAddr, nil]
       def ip_or_nil(str)
@@ -79,6 +81,7 @@ module Verikloak
       end
 
       # Check whether a single rule trusts the selected remote.
+      #
       # @param rule [String, Regexp, Proc]
       # @param remote [String]
       # @param remote_ip [IPAddr, nil]
@@ -104,6 +107,7 @@ module Verikloak
 
       # Determine if the request originates from a trusted proxy subnet.
       # Rails-aligned behavior: prefer REMOTE_ADDR, fallback to nearest (rightmost) X-Forwarded-For.
+      #
       # @param env [Hash]
       # @param trusted [Array<String, Regexp, Proc>, nil]
       # @return [Boolean]

data/lib/verikloak/bff/rails.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Verikloak
+  module BFF
+    # Rails-specific functionality for Verikloak BFF
+    module Rails
+      # Middleware management utilities for Rails applications
+      #
+      # This module provides functionality to insert Verikloak BFF middleware
+      # into Rails middleware stack, with proper error handling for cases where
+      # the core Verikloak middleware is not present.
+      module Middleware
+        module_function
+
+        # Inserts Verikloak::BFF::HeaderGuard middleware after Verikloak::Middleware
+        #
+        # Attempts to insert the HeaderGuard middleware into the Rails middleware stack
+        # after the core Verikloak::Middleware. If the core middleware is not present,
+        # logs a warning and gracefully skips the insertion.
+        #
+        # @param stack [ActionDispatch::MiddlewareStack] Rails middleware stack
+        # @param logger [Logger, nil] Optional logger for warning messages
+        # @return [Boolean] true if insertion succeeded, false if skipped due to missing core
+        # @raise [RuntimeError] Re-raises non-middleware-related runtime errors
+        #
+        # @example Inserting middleware in Rails configuration
+        #   Verikloak::BFF::Rails::Middleware.insert_after_core(
+        #     Rails.application.config.middleware,
+        #     logger: Rails.logger
+        #   )
+        def insert_after_core(stack, logger: nil)
+          stack.insert_after(::Verikloak::Middleware, ::Verikloak::BFF::HeaderGuard)
+          true
+        rescue RuntimeError => e
+          raise unless missing_core?(e)
+
+          log_skip(logger)
+          false
+        end
+
+        # Checks if the error indicates missing core Verikloak middleware
+        #
+        # Examines a RuntimeError to determine if it was caused by attempting
+        # to insert middleware after a non-existent Verikloak::Middleware.
+        #
+        # @param error [RuntimeError] The error to examine
+        # @return [Boolean] true if error indicates missing Verikloak::Middleware
+        #
+        # @example Checking for missing middleware error
+        #   begin
+        #     stack.insert_after(::Verikloak::Middleware, SomeMiddleware)
+        #   rescue RuntimeError => e
+        #     puts "Missing core!" if missing_core?(e)
+        #   end
+        def missing_core?(error)
+          error.message.include?('No such middleware') &&
+            error.message.include?('Verikloak::Middleware')
+        end
+
+        # Logs a warning message about skipping middleware insertion
+        #
+        # Outputs a descriptive warning message explaining why the HeaderGuard
+        # middleware insertion was skipped and provides guidance for resolution.
+        # Uses the provided logger if available, otherwise falls back to warn().
+        #
+        # @param logger [Logger, nil] Optional logger instance for structured logging
+        #
+        # @example Logging with Rails logger
+        #   log_skip(Rails.logger)
+        #
+        # @example Logging without logger (uses warn)
+        #   log_skip(nil)
+        def log_skip(logger)
+          message = <<~MSG.chomp
+            [verikloak-bff] Skipping Verikloak::BFF::HeaderGuard insertion because Verikloak::Middleware is not present. Configure verikloak-rails discovery settings and restart once core verification is enabled.
+          MSG
+
+          if logger
+            logger.warn(message)
+          else
+            warn(message)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/verikloak/bff/railtie.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative 'rails'
+
+module Verikloak
+  # Module providing Verikloak BFF (Backend for Frontend) functionality
+  module BFF
+    # Railtie class for integrating Verikloak BFF middleware into Rails applications
+    #
+    # This class automatically inserts Verikloak::BFF::Rails::Middleware into the
+    # Rails initialization process. The middleware is inserted after the
+    # 'verikloak.middleware' initializer and configured with an appropriate logger.
+    #
+    # @example Automatic initialization in Rails applications
+    #   # Simply adding verikloak-bff to Gemfile automatically enables it
+    #   gem 'verikloak-bff'
+    #
+    # @see Verikloak::BFF::Rails::Middleware
+    class Railtie < ::Rails::Railtie
+      # Initializer that inserts Verikloak BFF middleware into Rails application
+      #
+      # This initializer runs after 'verikloak.middleware' and inserts
+      # Verikloak::BFF::Rails::Middleware at the appropriate position.
+      # Uses Rails.logger as the logger if available.
+      #
+      # @param app [Rails::Application] Rails application instance
+      initializer 'verikloak.bff.insert_middleware', after: 'verikloak.middleware' do |app|
+        logger = ::Rails.logger if defined?(::Rails.logger)
+
+        Verikloak::BFF::Rails::Middleware.insert_after_core(app.config.middleware, logger: logger)
+      end
+    end
+  end
+end

data/lib/verikloak/bff/version.rb

@@ -5,6 +5,6 @@
 # @return [String]
 module Verikloak
   module BFF
-    VERSION = '0.1.2'
+    VERSION = '0.2.1'
   end
 end

data/lib/verikloak/header_sources.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+# Helpers shared across verikloak middleware for normalizing Rack env header
+# names and token source priority lists. Extracted to allow other gems (such as
+# verikloak-rails) to consume the same normalization logic.
+module Verikloak
+  # Provides normalization helpers for Rack env header keys and token priority lists.
+  module HeaderSources
+    module_function
+
+    DEFAULT_FORWARDED_HEADER = 'HTTP_X_FORWARDED_ACCESS_TOKEN'
+    AUTHORIZATION_HEADER     = 'HTTP_AUTHORIZATION'
+
+    # Normalize a Rack env header key, accepting symbols, mixed case, or dash
+    # separated names and returning an upper-case HTTP_* variant.
+    #
+    # @param header [String, Symbol, nil]
+    # @return [String] normalized env key or empty string when blank
+    def normalize_env_key(header)
+      key = header.to_s.strip
+      return '' if key.empty?
+
+      key = key.tr('-', '_').upcase
+      key = "HTTP_#{key}" unless key.start_with?('HTTP_')
+      key
+    end
+
+    # Normalize a token priority list by stripping blanks, rejecting
+    # Authorization as a source, and deduplicating entries while preserving
+    # order.
+    #
+    # @param priority [Array<String, Symbol>, String, Symbol, nil]
+    # @param forwarded_header [String, Symbol]
+    # @param drop_authorization [Boolean]
+    # @return [Array(Array<String>, String)] normalized priority and forwarded key
+    def normalize_priority(priority, forwarded_header: DEFAULT_FORWARDED_HEADER, drop_authorization: true)
+      forwarded_env = normalize_env_key(forwarded_header)
+      items = Array(priority).flatten
+
+      normalized = items.map { |value| normalize_env_key(value) }.reject(&:empty?)
+      normalized = [forwarded_env] if normalized.empty?
+      normalized = normalized.reject { |key| drop_authorization && key == AUTHORIZATION_HEADER }
+
+      deduped = []
+      normalized.each do |key|
+        deduped << key unless deduped.include?(key)
+      end
+
+      [deduped.freeze, forwarded_env]
+    end
+
+    # Default priority list using the provided forwarded header name.
+    #
+    # @param forwarded_header [String, Symbol]
+    # @return [Array<String>] normalized default priority
+    def default_priority(forwarded_header: DEFAULT_FORWARDED_HEADER)
+      normalize_priority([forwarded_header], forwarded_header: forwarded_header).first
+    end
+  end
+end

data/lib/verikloak-bff.rb

@@ -18,3 +18,6 @@ require 'verikloak/bff/proxy_trust'
 require 'verikloak/bff/forwarded_token'
 require 'verikloak/bff/consistency_checks'
 require 'verikloak/bff/header_guard'
+require 'verikloak/bff/rails'
+
+require 'verikloak/bff/railtie' if defined?(Rails::Railtie)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-bff
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.1
 platform: ruby
 authors:
 - taiyaky
@@ -55,20 +55,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.2
+        version: 0.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: 1.0.0
 description: Framework-agnostic Rack middleware that normalizes forwarded tokens,
   enforces trust boundaries, and checks header/claims consistency before verikloak.
 executables: []
@@ -87,7 +87,10 @@ files:
 - lib/verikloak/bff/forwarded_token.rb
 - lib/verikloak/bff/header_guard.rb
 - lib/verikloak/bff/proxy_trust.rb
+- lib/verikloak/bff/rails.rb
+- lib/verikloak/bff/railtie.rb
 - lib/verikloak/bff/version.rb
+- lib/verikloak/header_sources.rb
 homepage: https://github.com/taiyaky/verikloak-bff
 licenses:
 - MIT
@@ -95,7 +98,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-bff
   changelog_uri: https://github.com/taiyaky/verikloak-bff/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-bff/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.1.2
+  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.2.1
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: