Temporary diagnostic for triaging token-verification 401s. On verify
failure (signature mismatch / expired / kid not in JWKS / wrong aud),
log the underlying error plus a whitelisted decode of the JWT header
(kid, alg, typ) and payload (iss, aud, azp, sub, exp, iat) so the
cause is distinguishable from the log alone.
Only fires on failure — successful requests stay unlogged. The
decodeJWTPart helper whitelists safe metadata fields and never
returns the signature segment.
Remove once the current realm-config drift is settled.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fasthttp defaults to a 4 KB read buffer per connection. Any request
whose header line exceeds that returns a flat HTTP 431 from Fiber
before the request reaches a handler — affecting clients carrying
chunked NextAuth cookies, mTLS client-cert headers, or large bearer
tokens.
16 KB matches the cluster ingress-nginx large_client_header_buffers
allowance. Tested 4–8 KB header payloads through shell-api.gosec.internal
— all return normal app responses instead of 431.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds
a custom http.Client whose Transport has no Proxy field. The fresh
provider then uses that client for both discovery (internal URL,
fine) AND the subsequent JWKS fetch from jwks_uri — which the
discovery doc still emits as https://auth.gosec.cloud/... (the
canonical issuer URL). With no Proxy on the custom transport, JWKS
hit default-deny-external and the verifier never gets a key, so
every signed token returned 401 with the empty fallback ShellConfig
propagating to consumer apps (empty sidebar/footer/user-menu in
gscCRM).
Fall through to go-oidc's default client. http.DefaultTransport.Proxy
is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored
for both discovery (auth.gosec.cloud via Squid) and JWKS.
Trade-off: discovery now goes out and back through web-proxy instead
of hitting the in-cluster Keycloak service directly. Adds a few ms
once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually
validate tokens.
A code-side fix would set Proxy: http.ProxyFromEnvironment on the
custom transport, but that requires a shell-api rebuild + push.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but
the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the
canonical issuer claim). JWKS lookup hung 10s and every bearer-token
validation returned 401, so consumer apps got the empty fallback
ShellConfig — empty sidebar/footer/user-menu.
Cluster convention:
- Label pod template egress-internet=true (allow-web-proxy
GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy).
- HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's
http.ProxyFromEnvironment honors these natively — no code change.
Repro: gscCRM /en/dashboard renders with chrome but empty menus
because fetchShellConfig falls back when shell-api 401s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Apps run on different hostnames (crm.gosec.internal,
chronos.gosec.internal, …) so the browser fetch from <AppShell> to
shell-api.gosec.internal is cross-origin and was being blocked.
Add Fiber's cors middleware. Allowlist: any *.gosec.internal or
*.gosec.cloud origin (override via CORS_ORIGINS env if a tighter
list is needed). Allow Authorization + Content-Type + If-None-Match
on the request side; expose ETag on the response side. Methods
limited to GET + OPTIONS.
Image: v0.1.4
Verified:
curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm
-H "Origin: https://crm.gosec.internal" → 204 with
access-control-allow-origin: https://crm.gosec.internal
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tiny Go service that returns ShellConfig JSON for any registered app.
Backs the runtime-loaded <AppShell> component being added to
@limitless/ui (next).
Endpoints:
GET /api/v1/shell/{appKey} → app + branding + user + menus, ETag-cached
GET /api/v1/apps → registered app inventory
GET /healthz, /readyz → ops probes
Auth:
Keycloak Bearer JWT validated against the gosecCloud realm.
Discovery URL is overridable so pods can hit Keycloak via the
in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443)
while still validating the canonical issuer (auth.gosec.cloud).
Lazy JWKS init — pod stays up if Keycloak is briefly unreachable.
Data model (gsc_core.shell):
apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) ·
menu_role_grants (Keycloak realm roles, OR semantics, empty=all) ·
branding
Seed includes the 8 gsc-crm sidebar items + topbar search +
user-menu (settings/support/logout) + footer (docs).
K8s:
Namespace gsc-shell (ambient mesh).
Deployment 2 replicas, internal-only ingress shell-api.gosec.internal,
EJBCA SERVER cert.
ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses
in-cluster path; keeping for ad-hoc curl from inside pods).
Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
