Update auth.lua to remove KEYCLOAK_CLIENT_SECRET check and add token expiration validation

2025-06-14 09:02:49 +02:00
parent 0055ab668a
commit cde6f468bc
1 changed files with 10 additions and 5 deletions
--- a/auth.lua
+++ b/auth.lua
@@ -1,10 +1,6 @@
 local openidc = require("resty.openidc")

 local client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
-if not client_secret then
-  ngx.log(ngx.ERR, "Missing KEYCLOAK_CLIENT_SECRET env variable")
-  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-end

 local opts = {
  redirect_uri_path = "/redirect_uri",
@@ -24,6 +20,15 @@ if err then
  ngx.exit(ngx.HTTP_FORBIDDEN)
 end

+-- Check if token has expired
+if res.id_token and res.id_token.exp then
+  local now = ngx.time()
+  if res.id_token.exp < now then
+    ngx.log(ngx.ERR, "Token expired")
+    ngx.exit(ngx.HTTP_UNAUTHORIZED)
+  end
+end
+
 ngx.req.set_header("X-User", res.user.preferred_username or "")
 ngx.req.set_header("X-Email", res.user.email or "")
-ngx.status = 204  -- empty but valid response to avoid ERR_INVALID_RESPONSE
+ngx.status = 204