Pull request

README.md

@@ -13,6 +13,7 @@ The following backends are supported.
 
 * [Simple](#simple)
 * [Upstream](#upstream)
+* [Refresh](#refresh)
 * [GitlabCI](#gitlabci)
 * [LDAP](#ldap)
 
@@ -77,6 +78,91 @@ Example
 	upstream url=https://google.com,skipverify=true,timeout=5s
 ```
 
+### Refresh
+
+Authentication with Refresh Token against configurable endpoints with response caching and cache entry expiration times. If failure conditions in the configuration file are met a 401 is returned otherwise result will be successful.
+This module is designed to be used with the [caddy-secrets](https://github.com/startsmartlabs/caddy-secrets) plugin, a yaml file with a `reauth` object with an `endpoints` array will hold configurations for endpoints and how they work together for auth service.
+
+Parameters for this backend:
+
+| Parameter-Name    | Description                                                                              |
+| ------------------|------------------------------------------------------------------------------------------|
+| url               | http/https url to call                                                                   |
+| skipverify        | true to ignore TLS errors (optional, false by default)                                   |
+| timeout           | request timeout (optional 1m by default, go duration syntax is supported)                |
+| follow            | follow redirects (disabled by default as redirecting to a login page might cause a 200)  |
+| cookies           | true to pass cookies to the upstream server                                              |
+| limit             | int to set response size limit for endpoint requests (default 1000)                      |
+| lifetime          | time interval that a file cached by this module will remain valid (default 3 hours)      |
+| cleaninterval     | time interval to clean cache of expired entries (default 1 second)                       |
+
+Examples
+
+- Caddyfile
+```
+	refresh url=https://example.com,skipverify=true,timeout=5s,lifetime=3h,cleaninterval=1s,limit=1000
+```
+
+- Secrets file
+```
+reauth:
+  authorization: true                                 # authorization bool (required) - whether to check for Authorization header,
+                                                          Authorization access token stored in 'ResultsMap' under 'client_token' key
+  endpoints                                           # endpoints array (required)
+    - name: refresh                                   # endpoint of name 'refresh' (required)
+      url: null                                       
+      path: "/access_token"
+      method: POST                                    # auth request method (required) - at the moment only POST and GET are handled (value must be in caps)
+      data:                                           # data array (required)
+        - key: grant_type
+          value: refresh_token
+        - key: refresh_token                          # object with 'refresh_token' key (required)
+          value: <refresh token to get access token>  # value (required) - holds actual refresh token to request access token with
+      cachekey: refresh_token
+      headers:
+        - key: Content-Type
+          value: "application/x-www-form-urlencoded"
+      skipverify: true
+      cookies: true
+      responsekey: jwt_token
+      failures:
+        - validation: equality                        # there are 3 types of validation, 'equality' will have auth fail if
+          key: message                                # response body value under failure object key equality failure object value
+          value: Forbidden
+          valuemessage: false
+          message: "Refresh access token failed"
+                                                      # access token is stored in 'ResultsMap' under 'refresh' key
+
+    - name: security_context                          # endpoint responses get stored in 'ResultsMap' under the name of the endpoint
+      url: https://different.example.com              # url value should be set if endpoint uses different url than one in Caddyfile
+      path: "/security_context"                       # path is concatenated after url for request 
+      method: GET                                     # request method, GET will put data params in query, POST will encode form
+      data:                                           # data needed for request
+        - key: access_token
+          value: "{client_token}"                     # surrounding keys with {}'s will have them replaced by values in 'ResultsMap'
+      cachekey: client_token                          # cache entry key
+      headers:                                        # keys and values to set on endpoint request headers
+        - key: Authorization                          
+          value: "Bearer {refresh}"                   # surrounding keys with {}'s will have them replaced by values in 'ResultsMap' 
+      skipverify: true                                # whether endpoint request should use Caddyfile skipverify configuration
+      cookies: true                                   # whether endpoint request should use Caddyfile cookies configuration
+      responsekey: null                               # if set, the key will be used to pull value from endpoint response
+      failures:
+        - validation: presence                        # 'presence' validation will have auth fail if response body has failure object key
+          key: error
+          value: ~
+          valuemessage: true                          # if valuemessage bool is true, response object value under failure object key
+          message: "Security context error: "             is concatenated to failure message
+        - validataion: status                         # 'status' validation will have auth fail if endpoint response status
+          key: ~                                          matches failure object value
+          value: 401
+          valuemessage: false
+          message: "Security context unauthorized"
+  resultkey: security_context                         # last endpoint response stored in 'ResultsMap' is passed down caddy filter chain
+                                                          in a query param with the key named after 'resultkey' value
+```
+
+
 ### GitlabCI
 
 Authenticate against Gitlab as the gitlab-ci-user for the purposes of letting the gitlab-ci access otherwise protected resources without storing credentials in gitlab or gitlab-ci.yml. Works basically like the [Upstream]#upstream backend except the username you provide is the project path

backends/backends.go

@@ -25,10 +25,10 @@
 package backends
 
 import (
-	_ "github.com/freman/caddy-reauth/backends/gitlabci"
-	_ "github.com/freman/caddy-reauth/backends/ldap"
-	_ "github.com/freman/caddy-reauth/backends/simple"
-	_ "github.com/freman/caddy-reauth/backends/upstream"
+	_ "github.com/fellou89/caddy-reauth/backends/gitlabci"
+	_ "github.com/fellou89/caddy-reauth/backends/refresh"
+	_ "github.com/fellou89/caddy-reauth/backends/simple"
+	_ "github.com/fellou89/caddy-reauth/backends/upstream"
 )
 
 // This page intentionally left blank ;)

backends/gitlabci/auth.go

@@ -34,7 +34,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/freman/caddy-reauth/backend"
+	"github.com/fellou89/caddy-reauth/backend"
 )
 
 // Backend name

backends/ldap/auth.go

@@ -34,7 +34,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/freman/caddy-reauth/backend"
+	"github.com/fellou89/caddy-reauth/backend"
 
 	ldp "gopkg.in/ldap.v2"
 )