29 changes: 29 additions & 0 deletions gateway/gateway-controller/pkg/config/config.go
Expand Up @@ -33,6 +33,11 @@ import (
"github.com/wso2/api-platform/gateway/gateway-controller/pkg/constants"
)

import (
"encoding/json"
"os"
)

const (
// EnvPrefix is the prefix for environment variables used to configure the gateway-controller
EnvPrefix = "APIP_GW_"
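Review bot: the second import ( block added directly under the existing one should be merged into it, with encoding/json and os placed next to the other standard-library packages this file already uses (fmt, strings). Two adjacent import blocks in one file read as an accident and make later import diffs noisier than they need to be.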
Expand Down Expand Up @@ -390,6 +395,10 @@ func LoadConfig(configPath string) (*Config, error) {
return nil, fmt.Errorf("failed to load environment variables: %w", err)
}

if err := loadBasicAuthUsersFromEnv(k); err != nil {
return nil, err
}

// Unmarshal into Config struct with DecodeHook for duration strings
if err := k.UnmarshalWithConf("", cfg, koanf.UnmarshalConf{
DecoderConfig: &mapstructure.DecoderConfig{
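Review bot: the call to loadBasicAuthUsersFromEnv(k) sits after the generic environment load, and the variable it reads also begins with EnvPrefix (APIP_GW_), so the generic loader has already processed the same variable before this line runs. Please confirm which key that loader derives from it and that it cannot collide with gateway_controller.auth.basic.users, and add a comment at the call site stating the precedence: when the JSON variable is set, it replaces the users from the config file rather than merging with them.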
Expand All @@ -410,6 +419,26 @@ func LoadConfig(configPath string) (*Config, error) {
return cfg, nil
}

func loadBasicAuthUsersFromEnv(k *koanf.Koanf) error {
envKey := EnvPrefix + "GATEWAY_CONTROLLER_AUTH_BASIC_USERS_JSON"

raw := os.Getenv(envKey)
if strings.TrimSpace(raw) == "" {
return nil // env var not set - do nothing
}

var users []AuthUser
if err := json.Unmarshal([]byte(raw), &users); err != nil {
return fmt.Errorf(
"invalid JSON in %s: %w", envKey, err,
)
Comment on lines +422 to +434

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Find the AuthUser struct definition
rg -A 5 "type AuthUser struct" gateway/

Repository: wso2/api-platform

Length of output: 884


🏁 Script executed:

# Find the loadBasicAuthUsersFromEnv function
rg -B 2 -A 15 "func loadBasicAuthUsersFromEnv" gateway/

Repository: wso2/api-platform

Length of output: 1359


🏁 Script executed:

# Check the full context of the configuration file around the mentioned lines
sed -n '420,450p' gateway/gateway-controller/pkg/config/config.go

Repository: wso2/api-platform

Length of output: 851


🏁 Script executed:

# Look for where AuthUser is defined in the codebase
fd "config.go" gateway/ | xargs grep -l "type AuthUser"

Repository: wso2/api-platform

Length of output: 108


🏁 Script executed:

# Verify the EnvPrefix value to confirm the environment variable name
rg -B 2 -A 2 "EnvPrefix\s*=" gateway/gateway-controller/pkg/config/config.go | head -20

Repository: wso2/api-platform

Length of output: 190


🏁 Script executed:

# Check if there are any tests for loadBasicAuthUsersFromEnv that might reveal the expected behavior
rg -l "loadBasicAuthUsersFromEnv" gateway/ --type go

Repository: wso2/api-platform

Length of output: 108


🏁 Script executed:

# Verify the file is in the right path for the guideline
fd "config.go" gateway/gateway-controller/

Repository: wso2/api-platform

Length of output: 163


Add JSON tags so password_hashed is honored in env JSON.

encoding/json.Unmarshal is case-sensitive and ignores koanf tags. Without json tags, snake_case keys like password_hashed won't map to the PasswordHashed field, causing it to silently default to false. This breaks hashed password authentication when users are loaded from APIP_GW_GATEWAY_CONTROLLER_AUTH_BASIC_USERS_JSON. Add json tags to AuthUser to maintain snake_case compatibility.

🔧 Proposed fix (add JSON tags to AuthUser)
 type AuthUser struct {
-	Username       string   `koanf:"username"`
-	Password       string   `koanf:"password"`        // plain or hashed value depending on PasswordHashed
-	PasswordHashed bool     `koanf:"password_hashed"` // true when Password is a bcrypt hash
-	Roles          []string `koanf:"roles"`
+	Username       string   `koanf:"username" json:"username"`
+	Password       string   `koanf:"password" json:"password"`                // plain or hashed value depending on PasswordHashed
+	PasswordHashed bool     `koanf:"password_hashed" json:"password_hashed"`  // true when Password is a bcrypt hash
+	Roles          []string `koanf:"roles" json:"roles"`
 }

After merging, rebuild Docker images using cd gateway && make build-local.

🤖 Prompt for AI Agents
In `@gateway/gateway-controller/pkg/config/config.go` around lines 422 - 434, The
AuthUser struct fields used by loadBasicAuthUsersFromEnv are missing
encoding/json tags so snake_case keys (e.g. password_hashed) in the
APIP_GW_GATEWAY_CONTROLLER_AUTH_BASIC_USERS_JSON env JSON are ignored; update
the AuthUser type to add appropriate json tags (e.g. map Username, Password,
PasswordHashed to "username", "password", "password_hashed") so json.Unmarshal
in loadBasicAuthUsersFromEnv correctly sets PasswordHashed and preserves
hashed-password auth behavior.
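The mismatch described in the review comment above, as an added Go example (not code from the PR or from the wso2/api-platform repository). The struct fields follow the AuthUser definition quoted in the comment; the type names, function names and the sample JSON are assumptions made for this example, and strictDecode goes one step beyond the comment by showing how DisallowUnknownFields turns the silent default into an error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Fields as in the AuthUser struct quoted above; type names are hypothetical.
type userKoanfOnly struct {
	Username       string   `koanf:"username"`
	Password       string   `koanf:"password"`
	PasswordHashed bool     `koanf:"password_hashed"`
	Roles          []string `koanf:"roles"`
}

type userWithJSON struct {
	Username       string   `koanf:"username" json:"username"`
	Password       string   `koanf:"password" json:"password"`
	PasswordHashed bool     `koanf:"password_hashed" json:"password_hashed"`
	Roles          []string `koanf:"roles" json:"roles"`
}

// Constructed sample value for the env var; the hash is a placeholder.
const sampleUsersJSON = `[{"username":"admin","password":"<bcrypt-hash-placeholder>","password_hashed":true,"roles":["admin"]}]`

// Both decoders call json.Unmarshal the way loadBasicAuthUsersFromEnv does.
func decodeKoanfOnly(raw string) (users []userKoanfOnly, err error) {
	err = json.Unmarshal([]byte(raw), &users)
	return
}

func decodeWithJSON(raw string) (users []userWithJSON, err error) {
	err = json.Unmarshal([]byte(raw), &users)
	return
}

// strictDecode fails on keys that match no field instead of dropping them.
func strictDecode(raw string) error {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	var users []userKoanfOnly
	return dec.Decode(&users)
}

func main() {
	a, _ := decodeKoanfOnly(sampleUsersJSON)
	b, _ := decodeWithJSON(sampleUsersJSON)
	fmt.Println(a[0].PasswordHashed, b[0].PasswordHashed, strictDecode(sampleUsersJSON))
}
```

With only koanf tags the flag decodes as false, so a stored bcrypt hash would be treated as a plain-text password; the strict decoder reports the unmatched key instead.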

}

//Override the users array directly in Koanf
k.Set("gateway_controller.auth.basic.users", users)
return nil
}

// defaultConfig returns a Config struct with default configuration values
func defaultConfig() *Config {
return &Config{
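Review bot: loadBasicAuthUsersFromEnv does not validate the parsed slice before k.Set("gateway_controller.auth.basic.users", users), so a value of [] or null passes json.Unmarshal and overwrites the configured users with an empty list, and entries with an empty username or password are accepted unchanged. Reject an empty result and any entry missing username or password, returning an error that names envKey. The result of k.Set is also discarded; if it returns an error in the koanf version used here, propagate it. The function has no doc comment: it should state that the variable carries credentials and that it replaces, rather than merges with, the users defined in the config file.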