move data from headers to body

nuts-foundation · Jul 17, 2024 · 188bb6c · 188bb6c
1 parent ddc1479
commit 188bb6c
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 15 deletions.
diff --git a/api/transfer.go b/api/transfer.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -201,14 +202,25 @@ func (w Wrapper) UpdateTransferNegotiationStatus(ctx echo.Context, transferID st
 func (w Wrapper) NotifyTransferUpdate(ctx echo.Context, taskID string) error {
 	// This gets called by a transfer sending XIS to inform the local node there's FHIR tasks to be retrieved.
 	// The PEP added introspection result to the X-Userinfo header
-	introspectionResult := ctx.Request().Header.Get("X-Userinfo")
-	//log.Errorf("X-Userinfo: %s", introspectionResult)
-
-	if introspectionResult == "" {
+	b64IntrospectionResult := ctx.Request().Header.Get("X-Userinfo")
+	//log.Errorf("X-Userinfo: %s", b64IntrospectionResult)
+	if b64IntrospectionResult == "" {
 		return errors.New("missing X-Userinfo header")
 	}
+
+	// b64 -> json string
+	introspectionResult, err := base64.URLEncoding.DecodeString(b64IntrospectionResult)
+	if err != nil {
+		return fmt.Errorf("failed to base64 decode X-Userinfo header: %w", err)
+	}
+
+	// json string -> map
 	target := map[string]interface{}{}
-	_ = json.Unmarshal([]byte(introspectionResult), &target)
+	err = json.Unmarshal(introspectionResult, &target)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal X-Userinfo header: %w", err)
+	}
+
 	// client_id for senderDID and sub for customerDID
 	senderDID := target["client_id"].(string)
 	customerDID := target["sub"].(string)

diff --git a/docker-compose/left/config/pep/nginx.conf b/docker-compose/left/config/pep/nginx.conf
@@ -102,8 +102,7 @@ http {
         location /_oauth2_authorize {
             internal;
             proxy_method      POST;
-            proxy_set_header  request $request;
-            proxy_set_header  X-Userinfo $http_x_userinfo;
+            proxy_set_header  Content-Type "application/json";
             proxy_pass        http://pip-left/v1/data;
         }
     }

diff --git a/docker-compose/left/config/pep/oauth2.js b/docker-compose/left/config/pep/oauth2.js
@@ -15,7 +15,7 @@ function introspectAccessToken(r) {
                 const introspection = JSON.parse(reply.responseBody);
                 if (introspection.active === true) {
                     //dpop(r, introspection.cnf)
-                    r.headersOut['X-Userinfo'] = reply.responseBody;
+                    r.headersOut['X-Userinfo'] = btoa(reply.responseBody);
                     r.return(200);
                 } else {
                     r.return(403);
@@ -31,13 +31,25 @@ function introspectAccessToken(r) {
 function authorize(r) {
     // const xUserinfo = r.headersIn['X-Userinfo'];
     // const requestLine = r.request
+    const input =
+        JSON.stringify({
+            "input": {
+                "request": {
+                    "method": r.variables.request_method,
+                    "path": r.variables.request_uri, // original non-normalized request_uri, may need some processing in more complex situations
+                    "headers": {
+                        "X-Userinfo": r.headersIn["X-Userinfo"]
+                    }
+                }
+            }
+        });
     r.subrequest("/_oauth2_authorize",
-        { method: "POST"},
+        { method: "POST", body: input},
         function(reply) {
             if (reply.status === 200) {
                 r.error(reply.responseBody);
                 const authResult = JSON.parse(reply.responseBody);
-                if (authResult.allow === true) {
+                if (authResult.result.allow === true) {
                     r.return(200);
                 } else {
                     r.return(403);

diff --git a/docker-compose/right/config/pep/nginx.conf b/docker-compose/right/config/pep/nginx.conf
@@ -102,8 +102,7 @@ http {
         location /_oauth2_authorize {
             internal;
             proxy_method      POST;
-            proxy_set_header  request $request;
-            proxy_set_header  X-Userinfo $http_x_userinfo;
+            proxy_set_header  Content-Type "application/json";
             proxy_pass        http://pip-right/v1/data;
         }
     }

diff --git a/docker-compose/right/config/pep/oauth2.js b/docker-compose/right/config/pep/oauth2.js
@@ -15,7 +15,7 @@ function introspectAccessToken(r) {
                 const introspection = JSON.parse(reply.responseBody);
                 if (introspection.active === true) {
                     //dpop(r, introspection.cnf)
-                    r.headersOut['X-Userinfo'] = reply.responseBody;
+                    r.headersOut['X-Userinfo'] = btoa(reply.responseBody);
                     r.return(200);
                 } else {
                     r.return(403);
@@ -31,13 +31,26 @@ function introspectAccessToken(r) {
 function authorize(r) {
     // const xUserinfo = r.headersIn['X-Userinfo'];
     // const requestLine = r.request
+    const input =
+        JSON.stringify({
+            "input": {
+                "request": {
+                    "method": r.variables.request_method,
+                    "path": r.variables.request_uri, // original non-normalized request_uri, may need some processing in more complex situations
+                    "headers": {
+                        "X-Userinfo": r.headersIn["X-Userinfo"]
+                    }
+                }
+
+            }
+        });
     r.subrequest("/_oauth2_authorize",
-        { method: "POST"},
+        { method: "POST", body: input},
         function(reply) {
             if (reply.status === 200) {
                 r.error(reply.responseBody);
                 const authResult = JSON.parse(reply.responseBody);
-                if (authResult.allow === true) {
+                if (authResult.result.allow === true) {
                     r.return(200);
                 } else {
                     r.return(403);