verikloak-bff 0.2.5 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b024a1e87d9a4cd895b0e052ba276cbf418b50d4f51b3f642d3916e7b713253e
-  data.tar.gz: 82bab8741e03c8b1f57bea89856b8811440c34778470c18a82c87c279a36c4a4
+  metadata.gz: 8a79baf28ee05a8774b36916c71281bd72cd35825148413c15e9f865b85416cb
+  data.tar.gz: 739244544590c0f306eff4d587c27c312adc4c081646a45d2ec4a58e83ce6abb
 SHA512:
-  metadata.gz: c2e1f2587d253acd2ac1f3a26b33d701adbe7cce48a6646f95658bd503e5238033bd855ab39fe23dc8ebb85af5bbb449b6170acba6e5bb840e8878afcd9e9d79
-  data.tar.gz: ecf08756e3af68c6d199ff54e40f10aee69a0a5c62d49cde1c5b1bd732dc319510490131e9a0ea357c82b67af7710ba7bd4a7303549b842b7a78fcddba86ad49
+  metadata.gz: 713b4e27ee284e38917a6fd4880414cdb8792fbffd4f7713112d2fa619f5ecf3120379a4a0b29eb115ce075c6373e0a4b25f1bca38bd8e8af0ff683944dcd8fd
+  data.tar.gz: ed258207b16fdb79fb079656393e0f7fd4bc1a650d942c6c19060c0aeaf45f8e63fa393a115bb8f80ea87f9c0d84cd025bb55a5ffb5259a981007211c896b786

data/CHANGELOG.md

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.3.0] - 2025-01-01
+
+### Added
+- **`disabled` configuration option**: Explicitly disable the middleware in pass-through mode. When `disabled: false` (default) and `trusted_proxies` is not configured, a `ConfigurationError` is raised at startup.
+
+### Changed
+- **BREAKING**: `trusted_proxies` is now **required** when `disabled: false`. Previously, an empty `trusted_proxies` would silently disable the middleware (fail-open). Now it raises `Verikloak::BFF::HeaderGuard::ConfigurationError` to prevent unintended security gaps.
+
+### Fixed
+- **Security**: Prevent fail-open vulnerability where unset `trusted_proxies` could silently bypass proxy trust validation.
+
+---
+
+## [0.2.6] - 2025-12-31
+
+### Fixed
+- **Rails 8.x+ compatibility**: Remove `after_initialize` middleware insertion from generator template to avoid `FrozenError` when middleware stack is frozen.
+
+### Changed
+- Generator (`rails g verikloak:bff:install`) now creates a **configuration-only** initializer. Middleware insertion is handled automatically by `verikloak-rails`.
+- Generated initializer includes comprehensive configuration options with documentation comments.
+- **Breaking**: Minimum `verikloak` dependency raised from `>= 0.2.0` to `>= 0.3.0`.
+
+### Documentation
+- Add "Rails Integration" section explaining automatic middleware detection with `verikloak-rails`.
+- Add warning about Rails 8.x+ middleware stack freeze in `after_initialize`.
+- Add "oauth2-proxy Integration" section with header configuration reference and recommended settings.
+- Document manual middleware setup option for users not using `verikloak-rails`.
+- Update `docs/rails.md` with clearer setup instructions and Rails 8.x support note.
+
 ## [0.2.5] - 2025-09-28
 
 ### Changed

data/README.md

@@ -31,16 +31,25 @@ use Verikloak::BFF::HeaderGuard, trusted_proxies: ['127.0.0.1', '10.0.0.0/8']
 ```
 
 ### Rails Applications
-Add the gem to your Gemfile and run the install generator to drop an initializer that wires the middleware into Rails:
+Add both gems to your Gemfile:
 ```ruby
+gem 'verikloak-rails'
 gem 'verikloak-bff'
 ```
 
+Run the install generator to create a configuration file:
 ```sh
 bin/rails g verikloak:bff:install
 ```
 
-The generated initializer inserts `Verikloak::BFF::HeaderGuard` after the core `Verikloak::Middleware` during boot. If the core middleware is not present (for example, when verikloak-rails has not been fully configured yet), the initializer logs a warning and allows Rails to boot normally.
+The generator creates `config/initializers/verikloak_bff.rb` with BFF configuration options. **Edit this file to set `trusted_proxies`** (required unless `disabled: true`) and customize other options as needed.
+
+**Note**: Middleware insertion is handled automatically by `verikloak-rails`. The generated initializer only contains configuration—no manual middleware setup is required.
+
+> **Without verikloak-rails**: You can also configure middleware manually in `config/application.rb`:
+> ```ruby
+> config.middleware.insert_before Verikloak::Middleware, Verikloak::BFF::HeaderGuard
+> ```
 
 For detailed configuration, proxy setup examples, and troubleshooting, see [docs/rails.md](docs/rails.md).
 
@@ -60,7 +69,8 @@ See `examples/rack.ru` for a tiny Rack app demo.
 
 | Key                          | Type                                 | Default      | Description |
 |----------------------------- |--------------------------------------|--------------|-------------|
-| `trusted_proxies`            | Array[String/Regexp/Proc]            | *(required)* | Allowlist for proxy peers (by IP/CIDR/regex/proc). |
+| `disabled`                   | Boolean                              | `false`      | Explicitly disable the middleware (pass-through mode). When `false`, `trusted_proxies` must be configured. |
+| `trusted_proxies`            | Array[String/Regexp/Proc]            | *(required)* | Allowlist for proxy peers (by IP/CIDR/regex/proc). **Required** unless `disabled: true`. |
 | `prefer_forwarded`           | Boolean                              | `true`       | Prefer `X-Forwarded-Access-Token` over `Authorization`. |
 | `require_forwarded_header`   | Boolean                              | `false`      | Reject when no `X-Forwarded-Access-Token` (blocks direct access). |
 | `enforce_header_consistency` | Boolean                              | `true`       | If both headers exist, require identical token values. |
@@ -75,6 +85,19 @@ See `examples/rack.ru` for a tiny Rack app demo.
 | `forwarded_header_name`      | String                               | `HTTP_X_FORWARDED_ACCESS_TOKEN` | Env key for forwarded access token. |
 | `auth_request_headers`       | Hash                                 | see code     | Mapping for `X-Auth-Request-*` env keys: `{ email, user, groups }`. |
 
+### Configuration Requirements
+
+When `disabled: false` (the default), you **must** configure `trusted_proxies`. If it is not set, the middleware will raise a `ConfigurationError` at startup to prevent a fail-open security vulnerability.
+
+To explicitly disable the middleware (e.g., for development or testing), set `disabled: true`:
+
+```ruby
+# Pass-through mode: no proxy trust checking
+Verikloak::BFF.configure do |config|
+  config.disabled = true
+end
+```
+
 ## Errors
 This gem returns concise, RFC 6750–style error responses with stable codes. See [ERRORS.md](ERRORS.md) for details and examples.
 
@@ -110,6 +133,95 @@ For full reverse proxy examples (Nginx auth_request / oauth2-proxy), see [docs/r
 - Claims consistency modes
   - Default `:enforce` mode rejects requests with mismatches. Switch to `claims_consistency_mode: :log_only` when you only need observability signals; downstream services must continue verifying JWT signatures, issuer, audience, and expirations.
 
+## Rails Integration
+
+### Recommended: Use with verikloak-rails (Auto-detection)
+
+When both `verikloak-rails` and `verikloak-bff` are installed, the railtie automatically inserts the BFF middleware. No manual configuration is required.
+
+```ruby
+# Gemfile
+gem 'verikloak-rails'
+gem 'verikloak-bff'
+```
+
+The middleware stack will be configured as:
+```
+[Verikloak::BFF::HeaderGuard] → [Verikloak::Middleware] → [Your App]
+```
+
+### ⚠️ Rails 8.x+ Middleware Stack Freeze
+
+In Rails 8.x and later, the middleware stack is frozen after the `after_initialize` callback. Manual middleware insertion in `after_initialize` will raise `FrozenError`:
+
+```ruby
+# ❌ This will NOT work in Rails 8.x+
+Rails.application.config.after_initialize do
+  Rails.application.config.middleware.insert_after(
+    Verikloak::Middleware,
+    Verikloak::BFF::HeaderGuard
+  )
+end
+# => FrozenError: can't modify frozen Array
+```
+
+**Solution**: Use the automatic detection feature with `verikloak-rails`, or insert middleware in `config/application.rb` or an initializer (which runs before the stack is frozen):
+
+```ruby
+# ✅ This works - config/application.rb
+module MyApp
+  class Application < Rails::Application
+    config.middleware.insert_before Verikloak::Middleware, Verikloak::BFF::HeaderGuard
+  end
+end
+```
+
+## oauth2-proxy Integration
+
+### Header Configuration Reference
+
+| oauth2-proxy Setting | Header Sent | HeaderGuard Behavior |
+|---------------------|-------------|---------------------|
+| `--pass-access-token=true` | Cookie (`_oauth2_proxy`) | Not supported (cookie-based) |
+| `--pass-access-token=true` + nginx | `X-Forwarded-Access-Token` | Normalized to `Authorization` (default) |
+| `--set-authorization-header=true` | `Authorization: Bearer <token>` | Used directly |
+| `--set-xauthrequest=true` | `X-Auth-Request-Access-Token` | Requires `token_header_priority` config |
+
+### Recommended oauth2-proxy Configuration
+
+For best compatibility, configure oauth2-proxy to emit `X-Forwarded-Access-Token` via nginx:
+
+```bash
+oauth2-proxy \
+  --pass-access-token=true \
+  --set-authorization-header=false \
+  --set-xauthrequest=true \
+  --upstream=http://rails-api:3000
+```
+
+Then configure nginx to relay the token:
+
+```nginx
+proxy_set_header X-Forwarded-Access-Token $upstream_http_x_auth_request_access_token;
+```
+
+### Using X-Auth-Request-Access-Token Directly
+
+If you prefer to use `X-Auth-Request-Access-Token` without nginx relay, configure both `forwarded_header_name` and `token_header_priority`:
+
+```ruby
+use Verikloak::BFF::HeaderGuard,
+  trusted_proxies: ['10.0.0.0/8'],
+  # Set the forwarded header to X-Auth-Request-Access-Token
+  forwarded_header_name: 'HTTP_X_AUTH_REQUEST_ACCESS_TOKEN',
+  # Also add to priority list for Authorization seeding
+  token_header_priority: ['HTTP_X_AUTH_REQUEST_ACCESS_TOKEN']
+```
+
+> **Note**: If you only set `token_header_priority` without changing `forwarded_header_name`, 
+> `require_forwarded_header: true` will still expect `X-Forwarded-Access-Token` and return 401 
+> when it's missing.
+
 ## Development (for contributors)
 Clone and install dependencies:
 

data/lib/generators/verikloak/bff/install/templates/initializer.rb.erb

@@ -1,11 +1,129 @@
 # frozen_string_literal: true
 
-# Configure verikloak-bff to insert its HeaderGuard middleware only after the
-# Verikloak core middleware is present. This avoids boot errors when the core
-# gem has not yet been installed.
-Rails.application.config.after_initialize do
-  Verikloak::BFF::Rails::Middleware.insert_after_core(
-    Rails.application.config.middleware,
-    logger: Rails.logger
-  )
+# Verikloak BFF Configuration
+#
+# This file configures the Verikloak::BFF::HeaderGuard middleware.
+#
+# IMPORTANT: Middleware insertion is handled automatically by verikloak-rails.
+# Make sure you have both gems in your Gemfile:
+#
+#   gem 'verikloak-rails'
+#   gem 'verikloak-bff'
+#
+# The middleware stack will be configured as:
+#   [Verikloak::BFF::HeaderGuard] → [Verikloak::Middleware] → [Your App]
+#
+# If you are NOT using verikloak-rails, you must manually insert the middleware
+# in config/application.rb (NOT in after_initialize, which causes FrozenError in Rails 8.x+):
+#
+#   config.middleware.insert_before Verikloak::Middleware, Verikloak::BFF::HeaderGuard
+#
+Verikloak::BFF.configure do |config|
+  # ==========================================================================
+  # Disable Middleware (Development/Testing Only)
+  # ==========================================================================
+  # Explicitly disable the middleware (pass-through mode).
+  # When disabled: false (default), trusted_proxies MUST be configured.
+  #
+  # SECURITY WARNING: Only set to true in development/test environments.
+  # Production deployments should ALWAYS configure trusted_proxies.
+  #
+  # config.disabled = ENV.fetch('VERIKLOAK_BFF_DISABLED', 'false') == 'true'
+
+  # ==========================================================================
+  # Trust Boundary (REQUIRED when disabled: false)
+  # ==========================================================================
+  # Allowlist for trusted proxy peers. Requests from untrusted peers are rejected.
+  # Supports IP addresses, CIDR ranges, Regexp, or Proc.
+  #
+  # SECURITY: Keep this list as specific as possible. Review whenever proxy
+  # topology changes to avoid unintentionally widening the trust boundary.
+  #
+  # NOTE: This setting is REQUIRED. If not configured and disabled is false,
+  # a ConfigurationError will be raised at startup to prevent fail-open vulnerabilities.
+  #
+  config.trusted_proxies = ENV.fetch('TRUSTED_PROXIES', '127.0.0.1').split(',').map(&:strip)
+
+  # ==========================================================================
+  # Peer Selection
+  # ==========================================================================
+  # How to determine the client's peer IP for trust decisions.
+  #
+  # :remote_then_xff (default) - Prefer REMOTE_ADDR, then fall back to XFF
+  # :xff_only                  - Use only X-Forwarded-For header
+  #
+  # config.peer_preference = :remote_then_xff
+
+  # Which X-Forwarded-For entry to use when multiple proxies are involved.
+  #
+  # :rightmost (default) - Nearest proxy (recommended for most setups)
+  # :leftmost            - Original client (use only if you trust all proxies)
+  #
+  # config.xff_strategy = :rightmost
+
+  # ==========================================================================
+  # Token Selection & Header Handling
+  # ==========================================================================
+  # Prefer X-Forwarded-Access-Token over Authorization header.
+  #
+  # config.prefer_forwarded = true
+
+  # Reject requests without X-Forwarded-Access-Token (blocks direct access).
+  # Enable this to ensure all requests go through the BFF proxy.
+  #
+  # config.require_forwarded_header = false
+
+  # Require Authorization and X-Forwarded-Access-Token to contain the same token
+  # when both are present.
+  #
+  # config.enforce_header_consistency = true
+
+  # Remove external X-Auth-Request-* headers before passing downstream.
+  # Prevents header injection attacks.
+  #
+  # config.strip_suspicious_headers = true
+
+  # ==========================================================================
+  # Claims Consistency (Optional)
+  # ==========================================================================
+  # Compare X-Auth-Request-* headers against JWT claims.
+  # Useful for detecting token substitution attacks.
+  #
+  # config.enforce_claims_consistency = {
+  #   email: :email,           # X-Auth-Request-Email == JWT email claim
+  #   user: :sub,              # X-Auth-Request-User == JWT sub claim
+  #   groups: :realm_roles     # X-Auth-Request-Groups ⊆ JWT realm_access.roles
+  # }
+
+  # :enforce (default) - Reject mismatches with 403
+  # :log_only          - Log mismatches but allow request to proceed
+  #
+  # config.claims_consistency_mode = :enforce
+
+  # ==========================================================================
+  # Header Name Customization
+  # ==========================================================================
+  # Customize forwarded token header name (if your proxy uses a different header).
+  #
+  # config.forwarded_header_name = 'HTTP_X_FORWARDED_ACCESS_TOKEN'
+
+  # Customize X-Auth-Request-* header names.
+  #
+  # config.auth_request_headers = {
+  #   email:  'HTTP_X_AUTH_REQUEST_EMAIL',
+  #   user:   'HTTP_X_AUTH_REQUEST_USER',
+  #   groups: 'HTTP_X_AUTH_REQUEST_GROUPS'
+  # }
+
+  # Priority list for seeding Authorization header when empty.
+  #
+  # config.token_header_priority = ['HTTP_X_FORWARDED_ACCESS_TOKEN']
+
+  # ==========================================================================
+  # Logging
+  # ==========================================================================
+  # Structured logging hook for observability.
+  # Payload includes: rid (request_id), sub, kid, iss, aud
+  #
+  # config.log_with = ->(payload) { Rails.logger.info(payload.to_json) }
 end

data/lib/verikloak/bff/configuration.rb

@@ -3,6 +3,8 @@
 # Configuration object for verikloak-bff. Holds middleware settings such as
 # proxy trust rules, header consistency policies, and logging options.
 #
+# @!attribute [rw] disabled
+#   @return [Boolean] explicitly disable the middleware (pass-through mode)
 # @!attribute [rw] trusted_proxies
 #   @return [Array<String, Regexp, Proc>] allowlist of trusted proxy peers
 # @!attribute [rw] prefer_forwarded
@@ -28,7 +30,7 @@ module Verikloak
   module BFF
     # Configuration for Verikloak::BFF middleware (trusted proxies, header policies, logging, etc.).
     class Configuration
-      attr_accessor :trusted_proxies, :prefer_forwarded, :require_forwarded_header,
+      attr_accessor :disabled, :trusted_proxies, :prefer_forwarded, :require_forwarded_header,
                     :enforce_header_consistency, :enforce_claims_consistency,
                     :strip_suspicious_headers, :xff_strategy, :clock_skew_leeway,
                     :logger, :peer_preference, :auth_request_headers, :log_with,
@@ -43,6 +45,7 @@ module Verikloak
       #
       # @return [void]
       def initialize
+        @disabled = false
         @trusted_proxies = []
         @prefer_forwarded = true
         @require_forwarded_header = false

data/lib/verikloak/bff/header_guard.rb

@@ -96,10 +96,78 @@ module Verikloak
       def sanitize_string(value)
         value.to_s.encode('UTF-8', invalid: :replace, undef: :replace, replace: '').gsub(LOG_CONTROL_CHARS, '')
       end
+
+      # Describe the source of the chosen token for logging purposes.
+      #
+      # @param prefer_forwarded [Boolean]
+      # @param auth_token [String, nil]
+      # @param fwd_token [String, nil]
+      # @return [String] "authorization" or "forwarded"
+      def token_source(prefer_forwarded, auth_token, fwd_token)
+        return 'forwarded' if prefer_forwarded && fwd_token
+
+        if auth_token && fwd_token
+          'authorization'
+        else
+          (auth_token ? 'authorization' : 'forwarded')
+        end
+      end
+
+      # Extract request id for logging from common headers.
+      #
+      # @param env [Hash]
+      # @return [String, nil]
+      def request_id(env)
+        env['HTTP_X_REQUEST_ID'] || env['action_dispatch.request_id']
+      end
+
+      # Emit a structured log line if a logger is present.
+      #
+      # @param env [Hash]
+      # @param config [Configuration]
+      # @param kind [Symbol] :ok, :mismatch, :claims_mismatch, :error
+      # @param attrs [Hash]
+      # @return [void]
+      def log_event(env, config, kind, **attrs)
+        lg = config.logger || env['rack.logger']
+        payload = { event: 'bff.header_guard', kind: kind, rid: request_id(env) }.merge(attrs).compact
+        sanitized = sanitize_payload(payload)
+        if config.log_with.respond_to?(:call)
+          begin
+            config.log_with.call(sanitized)
+          rescue StandardError
+            # ignore log hook failures
+          end
+        end
+        return unless lg
+
+        msg = sanitized.map { |k, v| v.nil? || v.to_s.empty? ? nil : "#{k}=#{v}" }.compact.join(' ')
+        level = (kind == :ok ? :info : :warn)
+        lg.public_send(level, msg)
+      rescue StandardError
+        # no-op on logging errors
+      end
+
+      # Build a minimal RFC6750-style error response.
+      #
+      # @param env [Hash]
+      # @param config [Configuration]
+      # @param error [Verikloak::BFF::Error]
+      # @return [Array(Integer, Hash, Array<String>)]
+      def respond_with_error(env, config, error)
+        log_event(env, config, :error, code: error.code)
+        body = { error: error.code, message: error.message }.to_json
+        headers = { 'Content-Type' => 'application/json',
+                    'WWW-Authenticate' => %(Bearer error="#{error.code}", error_description="#{error.message}") }
+        [error.http_status, headers, [body]]
+      end
     end
 
     # Rack middleware that enforces BFF boundary and header/claims consistency.
     class HeaderGuard
+      # Error raised when trusted_proxies is not configured and disabled is not explicitly set.
+      class ConfigurationError < StandardError; end
+
       RequestTokens = Struct.new(:auth, :forwarded, :chosen)
 
       # Accept both Rack 2 and Rack 3 builder call styles:
@@ -109,6 +177,7 @@ module Verikloak
       # @param app [#call]
       # @param opts [Hash, nil]
       # @param opts_kw [Hash]
+      # @raise [ConfigurationError] when trusted_proxies is not configured and disabled is false
       def initialize(app, opts = nil, **opts_kw)
         @app = app
         # Use a per-instance copy of global config to avoid cross-request/test side effects
@@ -118,9 +187,15 @@ module Verikloak
         combined.merge!(opts_kw) if opts_kw && !opts_kw.empty?
         apply_overrides!(combined)
 
-        return unless @config.trusted_proxies.nil? || @config.trusted_proxies.empty?
+        # Check configuration validity
+        validate_configuration!
+      end
 
-        raise ArgumentError, 'trusted_proxies must be configured'
+      # Check if the middleware is explicitly disabled.
+      #
+      # @return [Boolean]
+      def disabled?
+        @config.disabled
       end
 
       # Process a Rack request through the BFF header guard pipeline.
@@ -131,9 +206,14 @@ module Verikloak
       # 3. Policy enforcement (forwarded token requirements, consistency checks)
       # 4. Request finalization (Authorization header normalization)
       #
+      # When `disabled: true` is set, the middleware passes through without any processing.
+      #
       # @param env [Hash]
       # @return [Array(Integer, Hash, Array<#to_s>)] Rack response triple
       def call(env)
+        # Pass through if middleware is explicitly disabled
+        return @app.call(env) if disabled?
+
         # Stage 1: Validate request comes from trusted proxy
         ensure_trusted_proxy!(env)
 
@@ -148,11 +228,28 @@ module Verikloak
 
         @app.call(env)
       rescue Verikloak::BFF::Error => e
-        respond_with_error(env, e)
+        HeaderGuardSanitizer.respond_with_error(env, @config, e)
       end
 
       private
 
+      # Validate that required configuration is present.
+      # Raises ConfigurationError if trusted_proxies is not configured and disabled is false.
+      #
+      # @raise [ConfigurationError]
+      # @return [void]
+      def validate_configuration!
+        return if @config.disabled
+
+        proxies = @config.trusted_proxies
+        return unless proxies.nil? || proxies.empty?
+
+        raise ConfigurationError,
+              'trusted_proxies must be configured for Verikloak::BFF::HeaderGuard. ' \
+              'Set trusted_proxies to an array of allowed proxy addresses/CIDRs, ' \
+              'or set disabled: true to explicitly skip BFF protection.'
+      end
+
       # Build token state by extracting, validating, and selecting the active token.
       #
       # @param env [Hash]
@@ -210,63 +307,6 @@ module Verikloak
         auth_token || fwd_token
       end
 
-      # Describe the source of the chosen token for logging purposes.
-      #
-      # @param auth_token [String, nil]
-      # @param fwd_token [String, nil]
-      # @return [String] "authorization" or "forwarded"
-      def token_source(auth_token, fwd_token)
-        return 'forwarded' if @config.prefer_forwarded && fwd_token
-
-        if auth_token && fwd_token
-          'authorization'
-        else
-          (auth_token ? 'authorization' : 'forwarded')
-        end
-      end
-
-      # Extract request id for logging from common headers.
-      #
-      # @param env [Hash]
-      # @return [String, nil]
-      def request_id(env)
-        env['HTTP_X_REQUEST_ID'] || env['action_dispatch.request_id']
-      end
-
-      # Resolve logger to use (config-provided or rack.logger).
-      #
-      # @param env [Hash]
-      # @return [Logger, nil]
-      def logger(env)
-        @config.logger || env['rack.logger']
-      end
-
-      # Emit a structured log line if a logger is present.
-      #
-      # @param env [Hash]
-      # @param kind [Symbol] :ok, :mismatch, :claims_mismatch, :error
-      # @param attrs [Hash]
-      # @return [void]
-      def log_event(env, kind, **attrs)
-        lg = logger(env)
-        payload = { event: 'bff.header_guard', kind: kind, rid: request_id(env) }.merge(attrs).compact
-        sanitized = HeaderGuardSanitizer.sanitize_payload(payload)
-        if @config.log_with.respond_to?(:call)
-          begin
-            @config.log_with.call(sanitized)
-          rescue StandardError
-            # ignore log hook failures
-          end
-        end
-        return unless lg
-
-        msg = sanitized.map { |k, v| v.nil? || v.to_s.empty? ? nil : "#{k}=#{v}" }.compact.join(' ')
-        level = (kind == :ok ? :info : :warn)
-        lg.public_send(level, msg)
-      rescue StandardError
-        # no-op on logging errors
-      end
-
       # Raise when the request did not come through a trusted proxy.
       #
       # @param env [Hash]
@@ -300,7 +340,7 @@ module Verikloak
         digest_b = ::Digest::SHA256.hexdigest(fwd_token)
         return if Rack::Utils.secure_compare(digest_a, digest_b)
 
-        log_event(env, :mismatch, reason: 'authorization_vs_forwarded')
+        HeaderGuardSanitizer.log_event(env, @config, :mismatch, reason: 'authorization_vs_forwarded')
         raise HeaderMismatchError
       end
 
@@ -315,7 +355,7 @@ module Verikloak
         return unless res.is_a?(Array) && res.first == :error
 
         field = res.last
-        log_event(env, :claims_mismatch, field: field.to_s)
+        HeaderGuardSanitizer.log_event(env, @config, :claims_mismatch, field: field.to_s)
         return if claims_consistency_log_only?
 
         raise ClaimsMismatchError, field
@@ -342,20 +382,8 @@ module Verikloak
         return unless chosen
 
         ForwardedToken.set_authorization!(env, chosen)
-        log_event(env, :ok, source: token_source(auth_token, fwd_token), **HeaderGuardSanitizer.token_tags(chosen))
-      end
-
-      # Build a minimal RFC6750-style error response.
-      #
-      # @param env [Hash]
-      # @param error [Verikloak::BFF::Error]
-      # @return [Array(Integer, Hash, Array<String>)]
-      def respond_with_error(env, error)
-        log_event(env, :error, code: error.code)
-        body = { error: error.code, message: error.message }.to_json
-        headers = { 'Content-Type' => 'application/json',
-                    'WWW-Authenticate' => %(Bearer error="#{error.code}", error_description="#{error.message}") }
-        [error.http_status, headers, [body]]
+        source = HeaderGuardSanitizer.token_source(@config.prefer_forwarded, auth_token, fwd_token)
+        HeaderGuardSanitizer.log_event(env, @config, :ok, source: source, **HeaderGuardSanitizer.token_tags(chosen))
       end
 
       # Resolve the first env header from which to source a bearer token.

data/lib/verikloak/bff/version.rb

@@ -5,6 +5,6 @@
 # @return [String]
 module Verikloak
   module BFF
-    VERSION = '0.2.5'
+    VERSION = '0.3.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-bff
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.3.0
 platform: ruby
 authors:
 - taiyaky
@@ -55,7 +55,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 1.0.0
@@ -65,7 +65,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.2.0
+        version: 0.3.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 1.0.0
@@ -101,7 +101,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-bff
   changelog_uri: https://github.com/taiyaky/verikloak-bff/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-bff/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.2.5
+  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.3.0
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: