proxy: use internal/httputil for error handling (#36)

- General formatting and comment cleanup.
- Inject pomerium version at compiletime via template package.

authenticate/authenticate.go

@@ -47,16 +47,13 @@ type Options struct {
 
 	SessionLifetimeTTL time.Duration `envconfig:"SESSION_LIFETIME_TTL"`
 
-	// Authentication provider configuration vars
+	// Authentication provider configuration variables as specified by RFC6749
 	// See: https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
-	ClientID     string `envconfig:"IDP_CLIENT_ID"`
-	ClientSecret string `envconfig:"IDP_CLIENT_SECRET"`
-	Provider     string `envconfig:"IDP_PROVIDER"`
-	ProviderURL  string `envconfig:"IDP_PROVIDER_URL"`
-	// Scopes is an optional setting corresponding to OAuth 2.0 specification's access scopes
-	// issuing an Access Token. Named providers are already set with good defaults.
-	// Most likely only overrides if using the generic OIDC provider.
-	Scopes []string `envconfig:"IDP_SCOPE"`
+	ClientID     string   `envconfig:"IDP_CLIENT_ID"`
+	ClientSecret string   `envconfig:"IDP_CLIENT_SECRET"`
+	Provider     string   `envconfig:"IDP_PROVIDER"`
+	ProviderURL  string   `envconfig:"IDP_PROVIDER_URL"`
+	Scopes       []string `envconfig:"IDP_SCOPE"`
 }
 
 // OptionsFromEnvConfig builds the authentication service's configuration

authenticate/handlers.go

@@ -52,7 +52,7 @@ func (p *Authenticate) Handler() http.Handler {
 		middleware.ValidateSignature(p.SharedKey),
 		middleware.ValidateRedirectURI(p.ProxyRootDomains))
 
-	validateClientSecret := stdMiddleware.Append(middleware.ValidateClientSecret(p.SharedKey))
+	validateClientSecretMiddleware := stdMiddleware.Append(middleware.ValidateClientSecret(p.SharedKey))
 
 	mux := http.NewServeMux()
 	mux.Handle("/robots.txt", stdMiddleware.ThenFunc(p.RobotsTxt))
@@ -61,11 +61,11 @@ func (p *Authenticate) Handler() http.Handler {
 	mux.Handle("/oauth2/callback", stdMiddleware.ThenFunc(p.OAuthCallback))
 	// authenticate-server endpoints
 	mux.Handle("/sign_in", validateSignatureMiddleware.ThenFunc(p.SignIn))
-	mux.Handle("/sign_out", validateSignatureMiddleware.ThenFunc(p.SignOut)) // "GET", "POST"
-	mux.Handle("/profile", validateClientSecret.ThenFunc(p.GetProfile))      // GET
-	mux.Handle("/validate", validateClientSecret.ThenFunc(p.ValidateToken))  // GET
-	mux.Handle("/redeem", validateClientSecret.ThenFunc(p.Redeem))           // POST
-	mux.Handle("/refresh", validateClientSecret.ThenFunc(p.Refresh))         //POST
+	mux.Handle("/sign_out", validateSignatureMiddleware.ThenFunc(p.SignOut))          // "GET", "POST"
+	mux.Handle("/profile", validateClientSecretMiddleware.ThenFunc(p.GetProfile))     // GET
+	mux.Handle("/validate", validateClientSecretMiddleware.ThenFunc(p.ValidateToken)) // GET
+	mux.Handle("/redeem", validateClientSecretMiddleware.ThenFunc(p.Redeem))          // POST
+	mux.Handle("/refresh", validateClientSecretMiddleware.ThenFunc(p.Refresh))        //POST
 
 	return mux
 }
@@ -431,7 +431,7 @@ func (p *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	// - for p.provider.ValidateGroup see providers/google.go#ValidateGroup for more info
 	if !p.Validator(session.Email) {
 		log.FromRequest(r).Error().Err(err).Str("email", session.Email).Msg("invalid email permissions denied")
-		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Invalid Account"}
+		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "You don't have access"}
 	}
 	log.FromRequest(r).Info().Str("email", session.Email).Msg("authentication complete")
 	err = p.sessionStore.SaveSession(w, r, session)