mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
118 lines
4.0 KiB
Go
118 lines
4.0 KiB
Go
package traefikoidc
|
|
|
|
import (
|
|
"net/http"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// LazyBackgroundTask wraps BackgroundTask to provide delayed initialization.
|
|
// This prevents memory leaks from unnecessary background tasks by starting
|
|
// them only when actually needed, reducing resource usage in idle scenarios.
|
|
type LazyBackgroundTask struct {
|
|
// BackgroundTask is the underlying task implementation
|
|
*BackgroundTask
|
|
// started tracks whether the task has been activated
|
|
started bool
|
|
// startOnce ensures single initialization
|
|
startOnce sync.Once
|
|
}
|
|
|
|
// NewLazyBackgroundTask creates a background task that doesn't start immediately.
|
|
// The task will only start when explicitly activated, preventing unnecessary
|
|
// resource usage for tasks that may never be needed.
|
|
func NewLazyBackgroundTask(name string, interval time.Duration, taskFunc func(), logger *Logger, wg ...*sync.WaitGroup) *LazyBackgroundTask {
|
|
return &LazyBackgroundTask{
|
|
BackgroundTask: NewBackgroundTask(name, interval, taskFunc, logger, wg...),
|
|
started: false,
|
|
}
|
|
}
|
|
|
|
// StartIfNeeded starts the background task only if it hasn't been started yet.
|
|
// Uses sync.Once to ensure thread-safe single initialization.
|
|
func (lt *LazyBackgroundTask) StartIfNeeded() {
|
|
lt.startOnce.Do(func() {
|
|
if !lt.started {
|
|
lt.BackgroundTask.Start()
|
|
lt.started = true
|
|
}
|
|
})
|
|
}
|
|
|
|
// Stop stops the background task if it was started.
|
|
// Resets the start state to allow potential future re-initialization.
|
|
func (lt *LazyBackgroundTask) Stop() {
|
|
if lt.started {
|
|
lt.BackgroundTask.Stop()
|
|
lt.started = false
|
|
lt.startOnce = sync.Once{}
|
|
}
|
|
}
|
|
|
|
// NewLazyCacheWithLogger creates a cache that doesn't start cleanup until first use.
|
|
// This reduces memory overhead by avoiding unnecessary cleanup goroutines
|
|
// for caches that may remain empty or be used infrequently.
|
|
func NewLazyCacheWithLogger(logger *Logger) CacheInterface {
|
|
if logger == nil {
|
|
logger = GetSingletonNoOpLogger()
|
|
}
|
|
|
|
config := DefaultUnifiedCacheConfig()
|
|
config.Logger = logger
|
|
config.CleanupInterval = 10 * time.Minute
|
|
unifiedCache := NewUniversalCache(config)
|
|
return NewCacheAdapter(unifiedCache)
|
|
}
|
|
|
|
// NewLazyCache creates a cache with delayed cleanup initialization.
|
|
// Uses the default no-op logger and defers cleanup task creation.
|
|
func NewLazyCache() CacheInterface {
|
|
return NewLazyCacheWithLogger(nil)
|
|
}
|
|
|
|
// CleanupIdleConnections periodically closes idle HTTP connections to prevent memory leaks.
|
|
// Runs in a background goroutine and can be stopped via the stop channel.
|
|
// This is crucial for long-running applications to prevent connection pool exhaustion.
|
|
func CleanupIdleConnections(client *http.Client, interval time.Duration, stopChan <-chan struct{}) {
|
|
ticker := time.NewTicker(interval)
|
|
defer ticker.Stop()
|
|
|
|
for {
|
|
select {
|
|
case <-ticker.C:
|
|
if transport, ok := client.Transport.(*http.Transport); ok {
|
|
transport.CloseIdleConnections()
|
|
}
|
|
case <-stopChan:
|
|
if transport, ok := client.Transport.(*http.Transport); ok {
|
|
transport.CloseIdleConnections()
|
|
}
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// OptimizedMiddlewareConfig provides configuration options for memory-optimized middleware.
|
|
// These settings help reduce memory usage and prevent leaks in resource-constrained environments.
|
|
type OptimizedMiddlewareConfig struct {
|
|
// DelayBackgroundTasks defers starting background tasks until needed
|
|
DelayBackgroundTasks bool
|
|
// ReducedCleanupIntervals uses longer intervals to reduce CPU/memory overhead
|
|
ReducedCleanupIntervals bool
|
|
// AggressiveConnectionCleanup closes idle connections more frequently
|
|
AggressiveConnectionCleanup bool
|
|
// MinimalCacheSize uses smaller cache limits to reduce memory footprint
|
|
MinimalCacheSize bool
|
|
}
|
|
|
|
// DefaultOptimizedConfig returns a configuration optimized for low memory usage.
|
|
// All optimization features are enabled to minimize memory footprint and prevent leaks.
|
|
func DefaultOptimizedConfig() *OptimizedMiddlewareConfig {
|
|
return &OptimizedMiddlewareConfig{
|
|
DelayBackgroundTasks: true,
|
|
ReducedCleanupIntervals: true,
|
|
AggressiveConnectionCleanup: true,
|
|
MinimalCacheSize: true,
|
|
}
|
|
}
|