Class: Verikloak::BFF::HeaderGuard
- Inherits:
-
Object
- Object
- Verikloak::BFF::HeaderGuard
- Defined in:
- lib/verikloak/bff/header_guard.rb
Overview
Rack middleware that enforces BFF boundary and header/claims consistency.
Defined Under Namespace
Classes: ConfigurationError, RequestTokens
Constant Summary collapse
- VALID_PEER_PREFERENCES =
Recognized values for the
peer_preferencesetting. %i[remote_then_xff xff_only].freeze
Instance Method Summary collapse
-
#call(env) ⇒ Array(Integer, Hash, Array<#to_s>)
Process a Rack request through the BFF header guard pipeline.
-
#disabled? ⇒ Boolean
Check if the middleware is explicitly disabled.
-
#initialize(app, opts = nil, **opts_kw) ⇒ HeaderGuard
constructor
Accept both Rack 2 and Rack 3 builder call styles: - new(app, key: val) - new(app, { key: val }).
Constructor Details
#initialize(app, opts = nil, **opts_kw) ⇒ HeaderGuard
Accept both Rack 2 and Rack 3 builder call styles:
- new(app, key: val)
- new(app, { key: val })
204 205 206 207 208 209 210 211 212 213 214 215 |
# File 'lib/verikloak/bff/header_guard.rb', line 204 def initialize(app, opts = nil, **opts_kw) @app = app # Use a per-instance copy of global config to avoid cross-request/test side effects @config = Verikloak::BFF.config.dup combined = {} combined.merge!(opts) if opts.is_a?(Hash) combined.merge!(opts_kw) if opts_kw && !opts_kw.empty? apply_overrides!(combined) # Check configuration validity validate_configuration! end |
Instance Method Details
#call(env) ⇒ Array(Integer, Hash, Array<#to_s>)
Process a Rack request through the BFF header guard pipeline.
Pipeline stages:
- Proxy trust validation
- Token extraction and state building
- Policy enforcement (forwarded token requirements, consistency checks)
- Request finalization (Authorization header normalization)
When disabled: true is set, the middleware passes through without any processing.
236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 |
# File 'lib/verikloak/bff/header_guard.rb', line 236 def call(env) # Pass through if middleware is explicitly disabled return @app.call(env) if disabled? # Stage 1: Validate request comes from trusted proxy ensure_trusted_proxy!(env) # Stage 2: Extract and validate tokens, build request state tokens = build_token_state(env) # Stage 3: Enforce configured policies (forwarded requirements, consistency) enforce_token_policies!(env, tokens) # Stage 4: Finalize request with normalized Authorization header finalize_request!(env, tokens) @app.call(env) rescue Verikloak::BFF::Error => e HeaderGuardSanitizer.respond_with_error(env, @config, e) end |
#disabled? ⇒ Boolean
Check if the middleware is explicitly disabled.
220 221 222 |
# File 'lib/verikloak/bff/header_guard.rb', line 220 def disabled? @config.disabled end |