Can traefik's forwardAuth middleware be used to secure a browser page (not an api)?

Question

I need to secure a web page with a token stored in a cookie or url param. All examples I can find for using forwardAuth middleware seems to be for securing an API, as it's easy to supply headers in an API request. Sending custom headers isn't an option w/ the browser, so I need to used cookies.

I would like to have the auth token passed in through a query string arg, eg ?token=ABCDEFG, then stored in a cookie for future requests. Here's what the workflow looks like:

I've tried experimenting with forwardAuth to see how I can do this. The auth endpoint reads the Authorization header, but I need something that reads the cookie in the request and transforms that to an Authorization header.

Is there any way this can be done with Traefik?

Answer 1

It looks like the answer is yes. Originally I had thought traefik wouldn't forward cookies, but it does in fact appear to forward cookies.

I ended up creating a "sidecar" auth container on the same host as traefik so that auth requests would be faster.

The auth function looks like this (node/express):

app.get('/auth', (req, res) => {
  logger.info('CHECKING AUTH');

  const url = new URL(`${req.headers['x-forwarded-proto']}://` +
                      `${req.headers['x-forwarded-host']}` +
                      `${req.headers['x-forwarded-uri']}`);

  const urlAuthToken = url.searchParams.get('token');

  if (urlAuthToken) {
    url.searchParams.delete('token');
    const domain = BASE_DOMAIN;
    const sameSite = false;
    const secure = url.protocol === 'https:';
    return res
        .cookie('auth-token', urlAuthToken, {domain, sameSite, secure})
        .redirect(url.toString());
  }

  // Simulate credentials check
  if (req.cookies['auth-token'] === 'my-little-secret') {
    return res.status(200).send();
  }

  return res.status(401).send('<h1>401: Unauthorized</h1>');
});