App to add authentication to the draft version of GOV.UK, so that only users with a signon account - or a valid JSON web token (JWT) - can access it.
This is a Rails application that proxies requests to an upstream service, first
performing authentication using gds-sso to ensure that only authenticated
users are able to view the site. It sets an X-GOVUK-AUTHENTICATED-USER header
so that the upstream service can identify the user.
The application also supports bypassing authentication via a valid JWT token.
If the URL being requested includes a token querystring containing a valid
token encoded with the value in the JWT_AUTH_SECRET environment variable, and
that token contains a sub key, the value of that key is passed upstream in
the GOVUK_AUTH_BYPASS_ID header. NB, the sub (or "subject") key is one of the
reserved claims of a JWT.
If a user is authenticated using gds-sso and a JWT token is also provided, both sets of information are passed upstream. It is up to the upstream application how to handle these cases.
Some of the thinking behind this is documented in RFC 13.
In GOV.UK Docker, GOVUK_UPSTREAM_URI defaults to government-frontend. This
means that, when you request authenticating-proxy.dev.gov.uk, it should behave
the same as requesting government-frontend.dev.gov.uk.
bundle exec rake
Check the docs/ directory.