verikloak-rails 0.1.1 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d7d44a12b8963c944bc63c16ed0890ce63df67f5f6226f1db61aac701dbbc00
-  data.tar.gz: ff24126d34ee02f4eaa220c97db88e7f379657c9a26ece23f868be6ad46ecb9b
+  metadata.gz: 1add58266f9789a0e9263c36d5e33ab80207b02a87b999d22b5fa65b813f5f36
+  data.tar.gz: 58d956084cc1631e4a0854744627dd3ba95350f7a9c1687665b7025fd943addb
 SHA512:
-  metadata.gz: 968b2516670f1d4dd17dc3a4c2ddbb398b26ed0bc93007612ec4ee35c84d2066b3458e3d790f4e6211183d76daffa605464d9cf645da3050ad2e34af0468f4a0
-  data.tar.gz: dc05a2a815b3be7d9d67921bcc2bc2ddcbd9afdd71264de0f421e1b666906e862cc0963f64fef883a89ac66025c27abd10de967f77ff8d32665d81e895b28c57
+  metadata.gz: 183bb26475f75704c35880db14e67ea5a83a3c3923d3ca8c6788c92e7735a2d00deabb681f0e65b8bf561e2b6a5aa0cfb4e7ccc24760c091dbe0145f87558311
+  data.tar.gz: 24bc9a344903243e2c63015c4429b8ea713467df15636021f91fc4698a39600ecd0a84e9caccac489ffc1e1d809353961170008ceabed24a106ad65e1b720fef

data/CHANGELOG.md

@@ -7,34 +7,67 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.1] - 2025-09-21
+
+### Changed
+- Simplify `with_required_audience!` to always raise `Verikloak::Error`, letting the shared handler render forbidden responses
+
+### Fixed
+- Ensure the 500 JSON renderer logs exceptions against the actual Rails logger even when wrapped by tagged logging adapters
+
+### Documentation
+- Describe the `rescue_pundit` configuration flag and default initializer settings
+
+## [0.2.0] - 2025-09-14
+
+### Breaking
+- Extracted BFF-related functionality into a separate gem, "verikloak-bff". This gem no longer ships BFF-specific middleware or configuration
+
+### Removed
+- Middleware `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken`
+- Configuration keys: `config.verikloak.trust_forwarded_access_token`, `config.verikloak.trusted_proxy_subnets`, `config.verikloak.token_header_priority`
+- Corresponding entries in the installer initializer template
+- BFF-related sections in README and related unit/integration specs
+
+### Migration
+1. Add `gem 'verikloak-bff'` to your application Gemfile and bundle
+2. Create an initializer (e.g., `config/initializers/verikloak_bff.rb`) and configure `Verikloak::BFF` (e.g., `trusted_proxies`, header/claims consistency)
+3. Insert the BFF middleware before the core `Verikloak::Middleware`:
+   ```ruby
+   config.middleware.insert_before Verikloak::Middleware, Verikloak::BFF::HeaderGuard
+   ```
+4. Remove any old `config.verikloak.*` BFF options from your app config; they are no longer used by this gem
+
+Reference: verikloak-bff https://github.com/taiyaky/verikloak-bff (Rails guide: `docs/rails.md`)
+
 ## [0.1.1] - 2025-09-13
 
 ### Fixed
-- ForwardedAccessToken: fix `ensure_bearer` accepting malformed values (e.g., `BearerXYZ`).
+- ForwardedAccessToken: fix `ensure_bearer` accepting malformed values (e.g., `BearerXYZ`)
 
 ### Changed
-- Strengthen Bearer scheme normalization to always produce `Bearer <token>`.
-  - Detect scheme case-insensitively.
-  - Collapse tabs/multiple spaces after the scheme to a single space.
-  - Normalize missing-space form `BearerXYZ` to `Bearer XYZ`.
-- Add/update middleware specs to cover the above normalization.
+- Strengthen Bearer scheme normalization to always produce `Bearer <token>`
+  - Detect scheme case-insensitively
+  - Collapse tabs/multiple spaces after the scheme to a single space
+  - Normalize missing-space form `BearerXYZ` to `Bearer XYZ`
+- Add/update middleware specs to cover the above normalization
 
 ## [0.1.0] - 2025-09-07
 
 ### Added
-- Initial release of `verikloak-rails` (Rails integration for Verikloak).
-- Railtie auto-wiring via `config.verikloak.*` and installer generator `rails g verikloak:install`.
+- Initial release of `verikloak-rails` (Rails integration for Verikloak)
+- Railtie auto-wiring via `config.verikloak.*` and installer generator `rails g verikloak:install`
 - Controller concern with authentication helpers:
   - `before_action :authenticate_user!`
   - `current_user_claims`, `current_subject`, `current_token`, `authenticated?`, `with_required_audience!`
 - Rack middleware integration:
-  - Auto-inserts `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` and base `Verikloak::Middleware`.
-  - Optional BFF header promotion from `X-Forwarded-Access-Token` to `Authorization`, gated by `trust_forwarded_access_token` and `trusted_proxy_subnets` (never overwrites existing `Authorization`).
-  - Token sourcing priority configurable via `token_header_priority`.
+  - Auto-inserts `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` and base `Verikloak::Middleware`
+  - Optional BFF header promotion from `X-Forwarded-Access-Token` to `Authorization`, gated by `trust_forwarded_access_token` and `trusted_proxy_subnets` (never overwrites existing `Authorization`)
+  - Token sourcing priority configurable via `token_header_priority`
 - Consistent JSON error responses and statuses:
-  - 401/403/503 standardized; `WWW-Authenticate` header on 401.
-  - Optional global 500 JSON via `config.verikloak.render_500_json`.
-- Optional Pundit integration: rescue `Pundit::NotAuthorizedError` to 403 JSON (`config.verikloak.rescue_pundit`).
-- Request logging tags (`:request_id`, `:sub`) via `config.verikloak.logger_tags`.
-- Configurable initializer: `discovery_url`, `audience`, `issuer`, `leeway`, `skip_paths`, `trust_forwarded_access_token`, `trusted_proxy_subnets`, `auto_include_controller`, `error_renderer`, and more.
-- Compatibility: Ruby >= 3.1, Rails 6.1–8.x; depends on `verikloak` >= 0.1.2, < 0.2.
+  - 401/403/503 standardized; `WWW-Authenticate` header on 401
+  - Optional global 500 JSON via `config.verikloak.render_500_json`
+- Optional Pundit integration: rescue `Pundit::NotAuthorizedError` to 403 JSON (`config.verikloak.rescue_pundit`)
+- Request logging tags (`:request_id`, `:sub`) via `config.verikloak.logger_tags`
+- Configurable initializer: `discovery_url`, `audience`, `issuer`, `leeway`, `skip_paths`, `trust_forwarded_access_token`, `trusted_proxy_subnets`, `auto_include_controller`, `error_renderer`, and more
+- Compatibility: Ruby >= 3.1, Rails 6.1–8.x; depends on `verikloak` >= 0.1.2, < 0.2

data/README.md

@@ -40,7 +40,7 @@ Then configure `config/initializers/verikloak.rb`.
 | `current_user_claims` | Verified JWT claims (string keys) | `Hash` or `nil` | — |
 | `current_subject` | Convenience accessor for `sub` claim | `String` or `nil` | — |
 | `current_token` | Raw Bearer token from the request | `String` or `nil` | — |
-| `with_required_audience!(*aud)` | Enforce that `aud` includes all required entries | `void` | Renders standardized 403 JSON when requirements are not met |
+| `with_required_audience!(*aud)` | Enforce that `aud` includes all required entries | `void` | Raises `Verikloak::Error('forbidden')` so the concern renders standardized 403 JSON and halts the action |
 
 ### Data Sources
 | Value | Rack env keys | Fallback (RequestStore) | Notes |
@@ -82,48 +82,19 @@ end
 ```
 
 ## Middleware
-### Inserted Middlewares
+### Inserted Middleware
 | Component | Inserted after | Purpose |
 | --- | --- | --- |
-| `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` | `Rails::Rack::Logger` | Promote trusted `X-Forwarded-Access-Token` to `Authorization` and, when `Authorization` is empty, set it from a prioritized list of headers |
-| `Verikloak::Middleware` | `ForwardedAccessToken` | Validate Bearer JWT (OIDC discovery + JWKS), set `verikloak.user`/`verikloak.token`, and honor `skip_paths` |
+| `Verikloak::Middleware` | `Rails::Rack::Logger` | Validate Bearer JWT (OIDC discovery + JWKS), set `verikloak.user`/`verikloak.token`, and honor `skip_paths` |
 
-### Header Sources and Trust
-- Never overwrites an existing `Authorization` header.
-- Considers `X-Forwarded-Access-Token` only when both are true: `config.verikloak.trust_forwarded_access_token` is enabled and the direct peer IP is within `config.verikloak.trusted_proxy_subnets`.
-- `config.verikloak.token_header_priority` decides which env header can seed `Authorization` when it is empty. Note: `HTTP_AUTHORIZATION` is ignored as a source (it is the target header); include other headers if you need additional sources. Forwarded headers are skipped if not trusted.
-- Direct peer detection prefers `REMOTE_ADDR`, falling back to the nearest proxy in `X-Forwarded-For` when needed.
+### BFF Integration
+Support for BFF header handling (e.g., normalizing or enforcing `X-Forwarded-Access-Token`) now lives in a dedicated gem: verikloak-bff.
+Note: verikloak-bff's `HeaderGuard` never overwrites an existing `Authorization` header.
 
-### BFF Header Promotion
-When fronted by a BFF (e.g., oauth2-proxy) that injects `X-Forwarded-Access-Token`, you can promote that header to `Authorization` from trusted sources only.
+- Gem: https://github.com/taiyaky/verikloak-bff
+- Rails guide: `docs/rails.md` in that repository
 
-Enable promotion and restrict to trusted subnets:
-
-```ruby
-Rails.application.configure do
-  config.verikloak.trust_forwarded_access_token = true
-  config.verikloak.trusted_proxy_subnets = [
-    '10.0.0.0/8',
-    '192.168.0.0/16'
-  ]
-end
-```
-
-### Reordering or Disabling (advanced)
-You can adjust the stack in an initializer after the gem loads, for example:
-
-```ruby
-Rails.application.configure do
-  # Remove header-promotion middleware if you never use BFF tokens
-  config.middleware.delete Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken
-
-  # Or move the middleware earlier/later if your stack requires it
-  # config.middleware.insert_before SomeOtherMiddleware, Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
-  #   trust_forwarded: Verikloak::Rails.config.trust_forwarded_access_token,
-  #   trusted_proxies: Verikloak::Rails.config.trusted_proxy_subnets,
-  #   header_priority: Verikloak::Rails.config.token_header_priority
-end
-```
+Use verikloak-bff alongside this gem when you front Rails with a BFF/proxy such as oauth2-proxy and need to enforce trusted forwarding and header consistency.
 
 ## Configuration (initializer)
 ### Keys
@@ -136,13 +107,10 @@ Keys under `config.verikloak`:
 | `issuer` | String | Expected `iss` | `nil` |
 | `leeway` | Integer | Clock skew allowance (seconds) | `60` |
 | `skip_paths` | Array<String> | Paths to skip verification | `['/up','/health','/rails/health']` |
-| `trust_forwarded_access_token` | Boolean | Trust `X-Forwarded-Access-Token` from trusted proxies | `false` |
-| `trusted_proxy_subnets` | Array<String or IPAddr> | Subnets allowed to be treated as trusted | `[]` (treat all as trusted; set explicit ranges in production) |
 | `logger_tags` | Array<Symbol> | Tags to add to Rails logs. Supports `:request_id`, `:sub` | `[:request_id, :sub]` |
 | `error_renderer` | Object responding to `render(controller, error)` | Override error rendering | built-in JSON renderer |
 | `auto_include_controller` | Boolean | Auto-include controller concern | `true` |
-| `render_500_json` | Boolean | Rescue `StandardError` and render JSON 500 | `false` |
-| `token_header_priority` | Array<String> | Env header priority to source bearer token | `['HTTP_X_FORWARDED_ACCESS_TOKEN','HTTP_AUTHORIZATION']` |
+| `render_500_json` | Boolean | Rescue `StandardError`, log the exception, and render JSON 500 | `false` |
 | `rescue_pundit` | Boolean | Rescue `Pundit::NotAuthorizedError` to 403 JSON when Pundit is present | `true` |
 
 Environment variable examples are in the generated initializer.
@@ -150,7 +118,6 @@ Environment variable examples are in the generated initializer.
 ### Minimum Setup
 - Required: set `discovery_url` to your provider’s OIDC discovery document URL.
 - Recommended: set `audience` (expected `aud`), and `issuer` when known.
-- Optional: enable BFF header promotion only with explicit `trusted_proxy_subnets`.
 
 ```ruby
 # config/initializers/verikloak.rb
@@ -160,15 +127,12 @@ Rails.application.configure do
   # Optional but recommended when you know it
   # config.verikloak.issuer        = 'https://idp.example.com/realms/myrealm'
 
-  # Leave header promotion off unless you run a trusted BFF/proxy
-  # config.verikloak.trust_forwarded_access_token = false
-  # config.verikloak.trusted_proxy_subnets = ['10.0.0.0/8']
+  # For BFF/proxy header handling, see verikloak-bff
 end
 ```
 
 Notes:
-- For array-like values (`audience`, `skip_paths`, `trusted_proxy_subnets`, `token_header_priority`), prefer defining Ruby arrays in the initializer. If passing via ENV, use comma-separated strings and parse in the initializer.
-- Header sourcing/trust behavior is described in “Middleware → Header Sources and Trust”.
+- For array-like values (`audience`, `skip_paths`), prefer defining Ruby arrays in the initializer. If passing via ENV, use comma-separated strings and parse in the initializer.
 
 ### Full Example (selected options)
 ```ruby
@@ -179,16 +143,8 @@ Rails.application.configure do
   config.verikloak.leeway        = Integer(ENV.fetch('VERIKLOAK_LEEWAY', '60'))
   config.verikloak.skip_paths    = %w[/up /health /rails/health]
 
-  # Enable BFF header promotion only from trusted subnets
-  config.verikloak.trust_forwarded_access_token = ENV.fetch('VERIKLOAK_TRUST_FWD_TOKEN', 'false') == 'true'
-  config.verikloak.trusted_proxy_subnets = [
-    '10.0.0.0/8', # internal LB
-    # '192.168.0.0/16'
-  ]
-
   config.verikloak.logger_tags = %i[request_id sub]
   config.verikloak.render_500_json = ENV.fetch('VERIKLOAK_RENDER_500', 'false') == 'true'
-  config.verikloak.token_header_priority = %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION]
 
   # Optional Pundit rescue (403 JSON)
   config.verikloak.rescue_pundit = ENV.fetch('VERIKLOAK_RESCUE_PUNDIT', 'true') == 'true'
@@ -203,14 +159,9 @@ end
 | `audience` | `VERIKLOAK_AUDIENCE` |
 | `issuer` | `VERIKLOAK_ISSUER` |
 | `leeway` | `VERIKLOAK_LEEWAY` |
-| `trust_forwarded_access_token` | `VERIKLOAK_TRUST_FWD_TOKEN` |
 | `render_500_json` | `VERIKLOAK_RENDER_500` |
 | `rescue_pundit` | `VERIKLOAK_RESCUE_PUNDIT` |
 
-### Notes
-- Default for `trust_forwarded_access_token` is secure (`false`). Set `trusted_proxy_subnets` before enabling.
-- The middleware never overwrites an existing `Authorization` header.
-- If `trusted_proxy_subnets` is empty, all peers are treated as trusted. In production, set explicit subnets or keep `trust_forwarded_access_token` disabled.
 
 ## Errors
 This gem standardizes JSON error responses and HTTP statuses. See [ERRORS.md](ERRORS.md) for details and examples.
@@ -220,7 +171,7 @@ This gem standardizes JSON error responses and HTTP statuses. See [ERRORS.md](ER
 | --- | --- | --- | --- | --- |
 | 401 Unauthorized | `invalid_token`, `unauthorized` | Missing/invalid Bearer token; failed signature/expiry/issuer/audience checks | `WWW-Authenticate: Bearer` with optional `error` and `error_description` | `{ "error": "invalid_token", "message": "token expired" }` |
 | 403 Forbidden | `forbidden` | Audience check failure via `with_required_audience!`; optionally `Pundit::NotAuthorizedError` when rescue is enabled | — | `{ "error": "forbidden", "message": "Required audience not satisfied" }` |
-| 503 Service Unavailable | `jwks_fetch_failed`, `jwks_parse_failed`, `discovery_metadata_fetch_failed`, `discovery_metadata_invalid` | Upstream metadata/JWKS issues | — | `{ "error": "jwks_fetch_failed", "message": "..." }` |
+| 503 Service Unavailable | `jwks_fetch_failed`, `jwks_parse_failed`, `discovery_metadata_fetch_failed`, `discovery_metadata_invalid`, `invalid_discovery_url`, `discovery_redirect_error` | Upstream metadata/JWKS issues | — | `{ "error": "jwks_fetch_failed", "message": "..." }` |
 
 ### Customize
 Customize rendering by assigning `config.verikloak.error_renderer`.
@@ -261,8 +212,8 @@ Note: Always sanitize values placed into `WWW-Authenticate` header parameters to
 class CompactErrorRenderer
   private
   def sanitize_quoted(val)
-    # Escape quotes/backslashes and strip CR/LF
-    val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]/, ' ')
+    # Escape quotes/backslashes and strip CR/LF (collapse runs to a single space)
+    val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
   end
 end
 ```
@@ -338,5 +289,6 @@ See [CHANGELOG.md](CHANGELOG.md) for release history.
 
 ## References
 - verikloak-rails (this gem): https://rubygems.org/gems/verikloak-rails
+- verikloak-bff: https://rubygems.org/gems/verikloak-bff
 - Verikloak (base gem): https://github.com/taiyaky/verikloak
 - Verikloak on RubyGems: https://rubygems.org/gems/verikloak

data/lib/verikloak/rails/configuration.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'ipaddr'
-
 module Verikloak
   module Rails
     # Configuration for verikloak-rails.
@@ -25,12 +23,6 @@ module Verikloak
     # @!attribute [rw] skip_paths
     #   Paths to skip verification.
     #   @return [Array<String>]
-    # @!attribute [rw] trust_forwarded_access_token
-    #   Whether to trust `X-Forwarded-Access-Token` from trusted proxies.
-    #   @return [Boolean]
-    # @!attribute [r] trusted_proxy_subnets
-    #   Trusted proxy subnets.
-    #   @return [Array<IPAddr>]
     # @!attribute [rw] logger_tags
     #   Log tags to include (supports :request_id, :sub).
     #   @return [Array<Symbol>]
@@ -43,37 +35,29 @@ module Verikloak
     # @!attribute [rw] render_500_json
     #   Rescue StandardError and render a JSON 500 response.
     #   @return [Boolean]
-    # @!attribute [rw] token_header_priority
-    #   Env header keys in priority order for sourcing bearer token.
-    #   @return [Array<String>]
+    # @!attribute [rw] rescue_pundit
+    #   Rescue `Pundit::NotAuthorizedError` and render JSON 403 responses.
+    #   @return [Boolean]
     class Configuration
-      attr_accessor :discovery_url, :audience, :issuer, :leeway, :skip_paths, :trust_forwarded_access_token,
-                    :logger_tags, :error_renderer, :auto_include_controller, :render_500_json, :token_header_priority,
-                    :rescue_pundit
-      attr_reader   :trusted_proxy_subnets
+      attr_accessor :discovery_url, :audience, :issuer, :leeway, :skip_paths,
+                    :logger_tags, :error_renderer, :auto_include_controller,
+                    :render_500_json, :rescue_pundit
 
+      # Initialize configuration with sensible defaults for Rails apps.
+      # @return [void]
       def initialize
         @discovery_url = nil
         @audience      = nil
         @issuer        = nil
         @leeway        = 60
         @skip_paths    = ['/up', '/health', '/rails/health']
-        @trust_forwarded_access_token = false
-        @trusted_proxy_subnets = []
         @logger_tags    = %i[request_id sub]
         @error_renderer = Verikloak::Rails::ErrorRenderer.new
         @auto_include_controller = true
         @render_500_json = false
-        @token_header_priority = %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION]
         @rescue_pundit = true
       end
 
-      # Assign trusted proxy subnets.
-      # @param list [Array<String, IPAddr>, String, IPAddr] one or more CIDRs or IPAddr instances
-      def trusted_proxy_subnets=(list)
-        @trusted_proxy_subnets = Array(list).map { |e| e.is_a?(IPAddr) ? e : IPAddr.new(e) }
-      end
-
       # Options forwarded to the base Verikloak Rack middleware.
       # @return [Hash]
       # @example

data/lib/verikloak/rails/controller.rb

@@ -16,7 +16,8 @@ module Verikloak
         before_action :authenticate_user!
         # Register generic error handler first so specific handlers take precedence.
         if Verikloak::Rails.config.render_500_json
-          rescue_from StandardError do |_e|
+          rescue_from StandardError do |e|
+            _verikloak_log_internal_error(e)
             render json: { error: 'internal_server_error', message: 'An unexpected error occurred' },
                    status: :internal_server_error
           end
@@ -84,13 +85,14 @@ module Verikloak
       #
       # @param required [Array<String>] one or more audiences to require
       # @return [void]
+      # @raise [Verikloak::Error] when the required audience is missing
       # @example
       #   with_required_audience!('my-api', 'payments')
       def with_required_audience!(*required)
         aud = Array(current_user_claims&.dig('aud'))
         return if required.flatten.all? { |r| aud.include?(r) }
 
-        render json: { error: 'forbidden', message: 'Required audience not satisfied' }, status: :forbidden
+        raise ::Verikloak::Error.new('forbidden', 'Required audience not satisfied')
       end
 
       private
@@ -99,18 +101,69 @@ module Verikloak
       # @yieldreturn [Object] result of the block
       # @return [Object]
       def _verikloak_tag_logs(&)
-        tags = []
-        if Verikloak::Rails.config.logger_tags.include?(:request_id)
-          rid = request.request_id || request.headers['X-Request-Id']
-          tags << "req:#{rid}" if rid
-        end
-        tags << "sub:#{current_subject}" if Verikloak::Rails.config.logger_tags.include?(:sub) && current_subject
+        tags = _verikloak_build_log_tags
         if ::Rails.logger.respond_to?(:tagged) && tags.any?
           ::Rails.logger.tagged(*tags, &)
         else
           yield
         end
       end
+
+      # Build log tags from request context with minimal branching and safe values.
+      # @return [Array<String>]
+      def _verikloak_build_log_tags
+        tags = []
+        if Verikloak::Rails.config.logger_tags.include?(:request_id)
+          rid = request.request_id || request.headers['X-Request-Id']
+          rid = rid.to_s.gsub(/[\r\n]+/, ' ')
+          tags << "req:#{rid}" unless rid.empty?
+        end
+        if Verikloak::Rails.config.logger_tags.include?(:sub)
+          sub = current_subject
+          if sub
+            sanitized = sub.to_s.gsub(/[[:cntrl:]]+/, ' ').strip
+            tags << "sub:#{sanitized}" unless sanitized.empty?
+          end
+        end
+        tags
+      end
+
+      # Write StandardError details to the controller or Rails logger when
+      # rendering the generic 500 JSON response. Logging ensures the
+      # underlying failure is still visible to operators even though the
+      # response body is static.
+      #
+      # @param exception [Exception]
+      # @return [void]
+      def _verikloak_log_internal_error(exception)
+        target_logger = _verikloak_base_logger
+        return unless target_logger.respond_to?(:error)
+
+        target_logger.error("[Verikloak] #{exception.class}: #{exception.message}")
+        backtrace = exception.backtrace
+        target_logger.error(backtrace.join("\n")) if backtrace&.any?
+      rescue StandardError
+        # Never allow logging failures to interfere with request handling.
+        nil
+      end
+
+      # Locate the innermost logger that responds to `error`.
+      # @return [Object, nil]
+      def _verikloak_base_logger
+        root_logger = if defined?(::Rails) && ::Rails.respond_to?(:logger)
+                        ::Rails.logger
+                      elsif respond_to?(:logger)
+                        logger
+                      end
+        current = root_logger
+        while current.respond_to?(:logger)
+          next_logger = current.logger
+          break if next_logger.nil? || next_logger.equal?(current)
+
+          current = next_logger
+        end
+        current
+      end
     end
   end
 end

data/lib/verikloak/rails/error_renderer.rb

@@ -14,7 +14,10 @@ module Verikloak
         'jwks_fetch_failed' => 503,
         'jwks_parse_failed' => 503,
         'discovery_metadata_fetch_failed' => 503,
-        'discovery_metadata_invalid' => 503
+        'discovery_metadata_invalid' => 503,
+        # Additional infrastructure/configuration errors from core
+        'invalid_discovery_url' => 503,
+        'discovery_redirect_error' => 503
       }.freeze
 
       # Render an error as JSON, adding `WWW-Authenticate` when appropriate.
@@ -77,7 +80,7 @@ module Verikloak
       # @param val [String]
       # @return [String]
       def sanitize_quoted(val)
-        val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]/, ' ')
+        val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
       end
     end
   end

data/lib/verikloak/rails/railtie.rb

@@ -8,7 +8,7 @@ module Verikloak
     # Hooks verikloak-rails into a Rails application lifecycle.
     #
     # - Applies configuration from `config.verikloak`
-    # - Inserts middleware (`ForwardedAccessToken`, then `Verikloak::Middleware`)
+    # - Inserts base `Verikloak::Middleware`
     # - Auto-includes controller concern when enabled
     class Railtie < ::Rails::Railtie
       config.verikloak = ActiveSupport::OrderedOptions.new
@@ -18,18 +18,13 @@ module Verikloak
       initializer 'verikloak.configure' do |app|
         Verikloak::Rails.configure do |c|
           rails_cfg = app.config.verikloak
-          %i[discovery_url audience issuer leeway skip_paths trust_forwarded_access_token
-             trusted_proxy_subnets logger_tags error_renderer auto_include_controller
-             render_500_json token_header_priority rescue_pundit].each do |key|
+          %i[discovery_url audience issuer leeway skip_paths
+             logger_tags error_renderer auto_include_controller
+             render_500_json rescue_pundit].each do |key|
             c.send("#{key}=", rails_cfg[key]) if rails_cfg.key?(key)
           end
         end
         app.middleware.insert_after ::Rails::Rack::Logger,
-                                    Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
-                                    trust_forwarded: Verikloak::Rails.config.trust_forwarded_access_token,
-                                    trusted_proxies: Verikloak::Rails.config.trusted_proxy_subnets,
-                                    header_priority: Verikloak::Rails.config.token_header_priority
-        app.middleware.insert_after Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
                                     ::Verikloak::Middleware,
                                     **Verikloak::Rails.config.middleware_options
       end

data/lib/verikloak/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Verikloak
   module Rails
-    VERSION = '0.1.1'
+    VERSION = '0.2.1'
   end
 end

data/lib/verikloak/rails.rb

@@ -4,7 +4,6 @@ require 'verikloak/rails/version'
 require 'verikloak/rails/configuration'
 require 'verikloak/rails/error_renderer'
 require 'verikloak/rails/controller'
-require 'verikloak/rails/middleware_integration'
 require 'verikloak/rails/railtie'
 
 module Verikloak

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-rails
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.1
 platform: ruby
 authors:
 - taiyaky
@@ -49,8 +49,8 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '0.2'
-description: 'Rails integration for Verikloak: auto middleware, helpers, JSON errors,
-  BFF header support.'
+description: 'Rails integration for Verikloak: auto middleware, helpers, and standardized
+  JSON errors.'
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -64,7 +64,6 @@ files:
 - lib/verikloak/rails/configuration.rb
 - lib/verikloak/rails/controller.rb
 - lib/verikloak/rails/error_renderer.rb
-- lib/verikloak/rails/middleware_integration.rb
 - lib/verikloak/rails/railtie.rb
 - lib/verikloak/rails/version.rb
 homepage: https://github.com/taiyaky/verikloak-rails
@@ -74,7 +73,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-rails
   changelog_uri: https://github.com/taiyaky/verikloak-rails/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-rails/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.1.1
+  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.2.1
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:

data/lib/verikloak/rails/middleware_integration.rb

@@ -1,126 +0,0 @@
-# frozen_string_literal: true
-
-require 'ipaddr'
-
-module Verikloak
-  module Rails
-    # Internal namespace for Rack middleware glue.
-    module MiddlewareIntegration
-      # Promotes forwarded access tokens to Authorization when trusted.
-      #
-      # - Optionally trusts `X-Forwarded-Access-Token` from configured subnets
-      # - Never overwrites an existing `Authorization` header
-      # - Can derive the token from a prioritized list of headers
-      class ForwardedAccessToken
-        BEARER_SCHEME = 'Bearer'
-        BEARER_SCHEME_LENGTH = BEARER_SCHEME.length
-        # Initialize the middleware.
-        #
-        # @param app [#call] next Rack app
-        # @param trust_forwarded [Boolean] whether to trust forwarded access tokens
-        # @param trusted_proxies [Array<IPAddr>, Array<String>] subnets considered trusted
-        # @param header_priority [Array<String>] env header keys to search, in order
-        def initialize(app, trust_forwarded:, trusted_proxies:,
-                       header_priority: %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION])
-          @app = app
-          @trust_forwarded = trust_forwarded
-          @trusted_proxies = Array(trusted_proxies)
-          @header_priority = header_priority
-        end
-
-        # Rack entry point: possibly promote a token and pass to the next app.
-        #
-        # @param env [Hash] Rack environment
-        # @return [Array(Integer, Hash, #each)] Rack response triple from downstream app
-        # @example Promote forwarded token
-        #   env = { 'REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_ACCESS_TOKEN' => 'abc' }
-        #   status, headers, body = middleware.call(env)
-        def call(env)
-          promote_forwarded_if_trusted(env)
-          first = resolve_first_token_header(env)
-          set_authorization_from(env, first) if first
-          @app.call(env)
-        end
-
-        private
-
-        # Promote X-Forwarded-Access-Token to Authorization when trusted.
-        # @param env [Hash]
-        # @return [void]
-        def promote_forwarded_if_trusted(env)
-          return unless @trust_forwarded && from_trusted_proxy?(env)
-
-          forwarded = env['HTTP_X_FORWARDED_ACCESS_TOKEN']
-          return if forwarded.to_s.empty?
-          return unless env['HTTP_AUTHORIZATION'].to_s.empty?
-
-          env['HTTP_AUTHORIZATION'] = ensure_bearer(forwarded)
-        end
-
-        # Resolve the first header key from which to source a bearer token.
-        # Respects trust policy for forwarded tokens and never returns
-        # 'HTTP_AUTHORIZATION'.
-        #
-        # @param env [Hash]
-        # @return [String, nil]
-        def resolve_first_token_header(env)
-          candidates = @header_priority.dup
-          candidates -= ['HTTP_X_FORWARDED_ACCESS_TOKEN'] unless @trust_forwarded && from_trusted_proxy?(env)
-          candidates.find { |k| (val = env[k]) && !val.to_s.empty? && k != 'HTTP_AUTHORIZATION' }
-        end
-
-        # Set Authorization header from the given env header key.
-        # @param env [Hash]
-        # @param header_key [String]
-        # @return [void]
-        def set_authorization_from(env, header_key)
-          token = env[header_key]
-          env['HTTP_AUTHORIZATION'] ||= ensure_bearer(token)
-        end
-
-        # Normalize to a proper 'Bearer <token>' header value.
-        # - Detects scheme case-insensitively
-        # - Inserts a missing space (e.g., 'BearerXYZ' => 'Bearer XYZ')
-        # - Collapses multiple spaces/tabs after the scheme to a single space
-        # @param token [String]
-        # @return [String]
-        def ensure_bearer(token)
-          s = token.to_s.strip
-          # Case-insensitive 'Bearer' with spaces/tabs after
-          if s =~ /\A#{BEARER_SCHEME}[ \t]+/i
-            rest = s.sub(/\A#{BEARER_SCHEME}[ \t]+/i, '')
-            return "#{BEARER_SCHEME} #{rest}"
-          end
-
-          # Case-insensitive 'Bearer' with no separator (e.g., 'BearerXYZ')
-          if s =~ /\A#{BEARER_SCHEME}(?![ \t])/i
-            rest = s[BEARER_SCHEME_LENGTH..] || ''
-            return "#{BEARER_SCHEME} #{rest}"
-          end
-
-          # No scheme present; add it
-          "#{BEARER_SCHEME} #{s}"
-        end
-
-        # Whether the request originates from a trusted proxy subnet.
-        # @param env [Hash]
-        # @return [Boolean]
-        def from_trusted_proxy?(env)
-          return true if @trusted_proxies.empty?
-
-          # Prefer REMOTE_ADDR (direct peer). Fallback to the nearest proxy from X-Forwarded-For if present.
-          ip = (env['REMOTE_ADDR'] || '').to_s.strip
-          ip = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').last.to_s.strip if ip.empty? && env['HTTP_X_FORWARDED_FOR']
-          return false if ip.empty?
-
-          begin
-            req_ip = IPAddr.new(ip)
-            @trusted_proxies.any? { |subnet| subnet.include?(req_ip) }
-          rescue IPAddr::InvalidAddressError
-            false
-          end
-        end
-      end
-    end
-  end
-end