gsc-shell-api

GoSec_Cloud/gsc-shell-api

Fork 0

Commit Graph

Author	SHA1	Message	Date
Claude	0977de3e17	fix: bump Fiber ReadBufferSize to 16 KB fasthttp defaults to a 4 KB read buffer per connection. Any request whose header line exceeds that returns a flat HTTP 431 from Fiber before the request reaches a handler — affecting clients carrying chunked NextAuth cookies, mTLS client-cert headers, or large bearer tokens. 16 KB matches the cluster ingress-nginx large_client_header_buffers allowance. Tested 4–8 KB header payloads through shell-api.gosec.internal — all return normal app responses instead of 431. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-15 16:16:02 +02:00
Claude	bd62fcb599	feat: CORS so browsers can fetch shell config cross-origin Apps run on different hostnames (crm.gosec.internal, chronos.gosec.internal, …) so the browser fetch from <AppShell> to shell-api.gosec.internal is cross-origin and was being blocked. Add Fiber's cors middleware. Allowlist: any .gosec.internal or .gosec.cloud origin (override via CORS_ORIGINS env if a tighter list is needed). Allow Authorization + Content-Type + If-None-Match on the request side; expose ETag on the response side. Methods limited to GET + OPTIONS. Image: v0.1.4 Verified: curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm -H "Origin: https://crm.gosec.internal" → 204 with access-control-allow-origin: https://crm.gosec.internal Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-10 13:24:16 +02:00
Claude	7fb24e0452	feat: gsc-shell-api v0.1 — central chrome data API Tiny Go service that returns ShellConfig JSON for any registered app. Backs the runtime-loaded <AppShell> component being added to @limitless/ui (next). Endpoints: GET /api/v1/shell/{appKey} → app + branding + user + menus, ETag-cached GET /api/v1/apps → registered app inventory GET /healthz, /readyz → ops probes Auth: Keycloak Bearer JWT validated against the gosecCloud realm. Discovery URL is overridable so pods can hit Keycloak via the in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443) while still validating the canonical issuer (auth.gosec.cloud). Lazy JWKS init — pod stays up if Keycloak is briefly unreachable. Data model (gsc_core.shell): apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) · menu_role_grants (Keycloak realm roles, OR semantics, empty=all) · branding Seed includes the 8 gsc-crm sidebar items + topbar search + user-menu (settings/support/logout) + footer (docs). K8s: Namespace gsc-shell (ambient mesh). Deployment 2 replicas, internal-only ingress shell-api.gosec.internal, EJBCA SERVER cert. ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses in-cluster path; keeping for ad-hoc curl from inside pods). Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-09 20:10:22 +02:00

Author

SHA1

Message

Date

Claude

0977de3e17

fix: bump Fiber ReadBufferSize to 16 KB

fasthttp defaults to a 4 KB read buffer per connection. Any request
whose header line exceeds that returns a flat HTTP 431 from Fiber
before the request reaches a handler — affecting clients carrying
chunked NextAuth cookies, mTLS client-cert headers, or large bearer
tokens.

16 KB matches the cluster ingress-nginx large_client_header_buffers
allowance. Tested 4–8 KB header payloads through shell-api.gosec.internal
— all return normal app responses instead of 431.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-15 16:16:02 +02:00

Claude

bd62fcb599

feat: CORS so browsers can fetch shell config cross-origin

Apps run on different hostnames (crm.gosec.internal,
chronos.gosec.internal, …) so the browser fetch from <AppShell> to
shell-api.gosec.internal is cross-origin and was being blocked.

Add Fiber's cors middleware. Allowlist: any *.gosec.internal or
*.gosec.cloud origin (override via CORS_ORIGINS env if a tighter
list is needed). Allow Authorization + Content-Type + If-None-Match
on the request side; expose ETag on the response side. Methods
limited to GET + OPTIONS.

Image: v0.1.4

Verified:
  curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm
    -H "Origin: https://crm.gosec.internal" → 204 with
    access-control-allow-origin: https://crm.gosec.internal

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-10 13:24:16 +02:00

Claude

7fb24e0452

feat: gsc-shell-api v0.1 — central chrome data API

Tiny Go service that returns ShellConfig JSON for any registered app.
Backs the runtime-loaded <AppShell> component being added to
@limitless/ui (next).

Endpoints:
  GET /api/v1/shell/{appKey}  → app + branding + user + menus, ETag-cached
  GET /api/v1/apps            → registered app inventory
  GET /healthz, /readyz       → ops probes

Auth:
  Keycloak Bearer JWT validated against the gosecCloud realm.
  Discovery URL is overridable so pods can hit Keycloak via the
  in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443)
  while still validating the canonical issuer (auth.gosec.cloud).
  Lazy JWKS init — pod stays up if Keycloak is briefly unreachable.

Data model (gsc_core.shell):
  apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) ·
  menu_role_grants (Keycloak realm roles, OR semantics, empty=all) ·
  branding

Seed includes the 8 gsc-crm sidebar items + topbar search +
user-menu (settings/support/logout) + footer (docs).

K8s:
  Namespace gsc-shell (ambient mesh).
  Deployment 2 replicas, internal-only ingress shell-api.gosec.internal,
  EJBCA SERVER cert.
  ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses
  in-cluster path; keeping for ad-hoc curl from inside pods).
  Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-09 20:10:22 +02:00

3 Commits