OpenRailAssociation · Khoyo · Nov 7, 2024 · Nov 6, 2024
@@ -123,8 +123,7 @@ editoast_common::schemas! {
 pub enum Authentication {
     /// The issuer of the request did not provide any authentication information.
     Unauthenticated,
-    /// The issuer of the request provided the 'x-remote-user' header, which contains the
-    /// identity and name of the user.
+    /// The issuer of the request provided the 'x-remote-user-identity' header.
     Authenticated(Authorizer<PgAuthDriver<BuiltinRole>>),
     /// The requests comes from a Core instance. All requests are considered safe.
     Core,
@@ -172,17 +171,23 @@ async fn authenticate(
             PgAuthDriver::<BuiltinRole>::new(db_pool),
         )));
     }
-    let Some(header) = headers.get("x-remote-user") else {
+    let Some(identity) = headers.get("x-remote-user-identity") else {
         if headers.contains_key("x-osrd-core") {
             return Ok(Authentication::Core);
         }
         return Ok(Authentication::Unauthenticated);
     };
-    let (identity, name) = header
+    let identity = identity
         .to_str()
-        .expect("unexpected non-ascii characters in x-remote-user")
-        .split_once('/') // FIXME: the gateway should inject two headers instead
-        .expect("odd x-remote-user format");
+        .expect("unexpected non-ascii characters in x-remote-user-identity");
+
+    let name = match headers.get("x-remote-user-name") {
+        Some(name) => name
+            .to_str()
+            .expect("unexpected non-ascii characters in x-remote-user-name"),
+        None => "",
+    };
+
     let authorizer = Authorizer::try_initialize(
         UserInfo {
             identity: identity.to_owned(),

@@ -2,26 +2,34 @@ use actix_auth::{AuthStatus, RequestAuth, RequestAuthExt};
 use actix_proxy::{ClientRequest, HeaderName, HeaderValue, WebsocketsRequest};
 use actix_web::error::ErrorForbidden;
 
-fn check_auth(request_auth: &RequestAuth) -> Result<String, actix_web::Error> {
+struct UserInformation {
+    identity: String,
+    name: String,
+}
+
+fn check_auth(request_auth: &RequestAuth) -> Result<UserInformation, actix_web::Error> {
     match request_auth.status() {
         AuthStatus::Unknown => Err(ErrorForbidden("authentication required")),
         AuthStatus::Error(_) => Err(ErrorForbidden("authentication error")),
         AuthStatus::Known {
             provider_handler,
             user_id,
-            ..
+            username,
         } => {
             let provider_id = request_auth.context().get_provider_id(*provider_handler);
-            let remote_user = format!("{provider_id}/{user_id}");
-            Ok(remote_user)
+            Ok(UserInformation {
+                identity: format!("{provider_id}/{user_id}"),
+                name: username.clone().unwrap_or_default(),
+            })
         }
     }
 }
 
 #[derive(Clone)]
 pub struct ProxyAuthAdapter;
 
-static AUTH_USER_ID: HeaderName = HeaderName::from_static("x-remote-user");
+static AUTH_USER_ID: HeaderName = HeaderName::from_static("x-remote-user-identity");
+static AUTH_USER_NAME: HeaderName = HeaderName::from_static("x-remote-user-name");
 
 impl actix_proxy::RequestModifier for ProxyAuthAdapter {
     fn modify_http_request(
@@ -34,7 +42,15 @@ impl actix_proxy::RequestModifier for ProxyAuthAdapter {
         };
         let remote_user = check_auth(&request_auth)?;
         let headers = back_request.headers_mut();
-        headers.insert(AUTH_USER_ID.clone(), HeaderValue::from_str(&remote_user)?);
+        headers.insert(
+            AUTH_USER_ID.clone(),
+            HeaderValue::from_str(&remote_user.identity)?,
+        );
+        headers.insert(
+            AUTH_USER_NAME.clone(),
+            HeaderValue::from_str(&remote_user.name)?,
+        );
+
         Ok(())
     }
 
@@ -47,6 +63,8 @@ impl actix_proxy::RequestModifier for ProxyAuthAdapter {
             return Err(ErrorForbidden("missing authentication data"));
         };
         let remote_user = check_auth(&request_auth)?;
-        Ok(back_request.set_header(AUTH_USER_ID.clone(), remote_user))
+        Ok(back_request
+            .set_header(AUTH_USER_ID.clone(), remote_user.identity)
+            .set_header(AUTH_USER_NAME.clone(), remote_user.name))
     }
 }