App to add authentication to the draft version of GOV.UK, so that only users with
a signon account - or a valid JSON web token (JWT) - can access it.
This is a Rails application that proxies requests to an upstream service, first
performing authentication using gds-sso to ensure that only authenticated
users are able to view the site. It sets an X-GOVUK-AUTHENTICATED-USER header
so that the upstream service can identify the user.
The application also supports bypassing authentication via a valid JWT token.
If the URL being requested includes a token querystring containing a valid
token encoded with the value in the JWT_AUTH_SECRET environment variable, and
that token contains a sub key, the value of that key is passed upstream in
the GOVUK_AUTH_BYPASS_ID header. NB, the sub (or “subject”) key is one of the
reserved claims of a JWT.
If a user is authenticated using gds-sso and a JWT token is also provided, both
sets of information are passed upstream. It is up to the upstream application how
to handle these cases.
In GOV.UK Docker, GOVUK_UPSTREAM_URI defaults to government-frontend. This
means that, when you request authenticating-proxy.dev.gov.uk, it should behave
the same as requesting government-frontend.dev.gov.uk.