Class: Verikloak::BFF::HeaderGuard

Inherits:
Object
  • Object
show all
Defined in:
lib/verikloak/bff/header_guard.rb

Overview

Rack middleware that enforces BFF boundary and header/claims consistency.

Defined Under Namespace

Classes: ConfigurationError, RequestTokens

Constant Summary collapse

VALID_PEER_PREFERENCES =

Recognized values for the peer_preference setting.

%i[remote_then_xff xff_only].freeze

Instance Method Summary collapse

Constructor Details

#initialize(app, opts = nil, **opts_kw) ⇒ HeaderGuard

Accept both Rack 2 and Rack 3 builder call styles:

  • new(app, key: val)
  • new(app, { key: val })

Parameters:

  • app (#call)
  • opts (Hash, nil) (defaults to: nil)
  • opts_kw (Hash)

Raises:



204
205
206
207
208
209
210
211
212
213
214
215
# File 'lib/verikloak/bff/header_guard.rb', line 204

def initialize(app, opts = nil, **opts_kw)
  @app = app
  # Use a per-instance copy of global config to avoid cross-request/test side effects
  @config = Verikloak::BFF.config.dup
  combined = {}
  combined.merge!(opts) if opts.is_a?(Hash)
  combined.merge!(opts_kw) if opts_kw && !opts_kw.empty?
  apply_overrides!(combined)

  # Check configuration validity
  validate_configuration!
end

Instance Method Details

#call(env) ⇒ Array(Integer, Hash, Array<#to_s>)

Process a Rack request through the BFF header guard pipeline.

Pipeline stages:

  1. Proxy trust validation
  2. Token extraction and state building
  3. Policy enforcement (forwarded token requirements, consistency checks)
  4. Request finalization (Authorization header normalization)

When disabled: true is set, the middleware passes through without any processing.

Parameters:

  • env (Hash)

Returns:

  • (Array(Integer, Hash, Array<#to_s>))

    Rack response triple



236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
# File 'lib/verikloak/bff/header_guard.rb', line 236

def call(env)
  # Pass through if middleware is explicitly disabled
  return @app.call(env) if disabled?

  # Stage 1: Validate request comes from trusted proxy
  ensure_trusted_proxy!(env)

  # Stage 2: Extract and validate tokens, build request state
  tokens = build_token_state(env)

  # Stage 3: Enforce configured policies (forwarded requirements, consistency)
  enforce_token_policies!(env, tokens)

  # Stage 4: Finalize request with normalized Authorization header
  finalize_request!(env, tokens)

  @app.call(env)
rescue Verikloak::BFF::Error => e
  HeaderGuardSanitizer.respond_with_error(env, @config, e)
end

#disabled?Boolean

Check if the middleware is explicitly disabled.

Returns:

  • (Boolean)


220
221
222
# File 'lib/verikloak/bff/header_guard.rb', line 220

def disabled?
  @config.disabled
end