From 3cb1f4d1c624f881f6424f2e895852d4c4459423 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Thu, 13 Jun 2024 14:36:16 +0200
Subject: [PATCH 01/15] fix: Add mocked sandboxes API response with `app` data
 app config.

Mock response with `simpleAuth` example instead of OIDC.
---
 docker-compose.yml                    | 12 ++++++++++
 initializer.json                      | 33 +++++++++++++++++++++++++++
 provisioning/apps-proxy/dev/.air.toml |  2 +-
 3 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 initializer.json

diff --git a/docker-compose.yml b/docker-compose.yml
index 63406f4816..0cf28758b2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,6 +8,7 @@ services:
     links:
       - etcd
       - redis
+      - sandboxesMock
     volumes:
       - ./:/code:z
       - cache:/tmp/cache
@@ -102,5 +103,16 @@ services:
       - K6_USERS
       - K6_DURATION
 
+  sandboxesMock:
+      image: mockserver/mockserver:latest
+      ports:
+        - 1080:1080
+      environment:
+        MOCKSERVER_WATCH_INITIALIZATION_JSON: "true"
+        MOCKSERVER_PROPERTY_FILE: /config/mockserver.properties
+        MOCKSERVER_INITIALIZATION_JSON_PATH: /config/initializerJson.json
+      volumes:
+        - ./initializer.json:/config/initializerJson.json:Z
+
 volumes:
   cache:
diff --git a/initializer.json b/initializer.json
new file mode 100644
index 0000000000..8fbfcd009b
--- /dev/null
+++ b/initializer.json
@@ -0,0 +1,33 @@
+[
+  {
+    "httpRequest": {
+      "method": "GET",
+      "path": "/apps/app/proxy-config"
+    },
+    "httpResponse": {
+      "body": {
+        "appId": "123",
+        "appName": "app",
+        "projectId": "11",
+        "upstreamAppUrl": "http://localhost:1235",
+        "authProviders": [
+          {
+            "type": "password",
+            "id": "simpleAuth",
+            "password": "a"
+          }
+        ],
+        "authRules": [
+          {
+            "type": "pathPrefix",
+            "value": "/",
+            "auth": [
+              "simpleAuth"
+            ]
+          }
+        ]
+      },
+      "statusCode": 200
+    }
+  }
+]
diff --git a/provisioning/apps-proxy/dev/.air.toml b/provisioning/apps-proxy/dev/.air.toml
index 8866ff9b35..4a2db21389 100644
--- a/provisioning/apps-proxy/dev/.air.toml
+++ b/provisioning/apps-proxy/dev/.air.toml
@@ -3,7 +3,7 @@ tmp_dir = "target/.watcher"
 
 [build]
   bin = "./target/apps-proxy/proxy"
-  args_bin = ["--sandboxes-api-url",  "http://localhost:1234", "--sandboxes-api-token", "my-token", "--api-public-url", "http://localhost:8000", "--cookie-secret-salt", "cookie"]
+  args_bin = ["--sandboxes-api-url",  "http://localhost:1080", "--sandboxes-api-token", "my-token", "--api-public-url", "http://localhost:8000", "--cookie-secret-salt", "cookie"]
   cmd = "make build-apps-proxy"
   delay = 2000
   exclude_dir = []

From b2512c810a83b04dae291a4b022a05bd6f0f138a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Mon, 24 Jun 2024 08:26:53 +0200
Subject: [PATCH 02/15] feat: Mock basic auth provider

Include refactor of oidcprovider to work through manager of authproxies.
All providers are possible to select through selector page.
---
 .../appsproxy/dataapps/auth/provider/basic.go |  10 +
 .../dataapps/auth/provider/provider.go        |   5 +-
 .../appsproxy/dependencies/dependencies.go    |  12 +-
 .../appsproxy/proxy/apphandler/apphandler.go  |  10 +-
 .../apphandler/authproxy/basicauth/handler.go | 102 +++++++
 .../proxy/apphandler/authproxy/manager.go     |  61 ++++
 .../apphandler/authproxy/oidcproxy/config.go  | 116 ++++++++
 .../apphandler/authproxy/oidcproxy/doc.go     |   3 +
 .../apphandler/authproxy/oidcproxy/handler.go |  98 +++++++
 .../authproxy/oidcproxy/logging/writer.go     |  35 +++
 .../authproxy/oidcproxy/pagewriter.go         | 107 +++++++
 .../apphandler/authproxy/selector/handler.go  |  13 +
 .../apphandler/authproxy/selector/selector.go | 273 ++++++++++++++++++
 .../appsproxy/proxy/apphandler/manager.go     |  19 +-
 14 files changed, 838 insertions(+), 26 deletions(-)
 create mode 100644 internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/config.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/doc.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/handler.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging/writer.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/pagewriter.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/handler.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go

diff --git a/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go b/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
new file mode 100644
index 0000000000..b3f4a8bb0e
--- /dev/null
+++ b/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
@@ -0,0 +1,10 @@
+package provider
+
+type Basic struct {
+	Base
+	Password string `json:"password"`
+}
+
+func (p *Basic) IsAuthorized(password string) bool {
+	return p.Password == password
+}
diff --git a/internal/pkg/service/appsproxy/dataapps/auth/provider/provider.go b/internal/pkg/service/appsproxy/dataapps/auth/provider/provider.go
index 07b96bb8c7..9125c1d82b 100644
--- a/internal/pkg/service/appsproxy/dataapps/auth/provider/provider.go
+++ b/internal/pkg/service/appsproxy/dataapps/auth/provider/provider.go
@@ -9,7 +9,8 @@ import (
 )
 
 const (
-	TypeOIDC = Type("oidc")
+	TypeOIDC  Type = "oidc"
+	TypeBasic Type = "password"
 )
 
 // ID is unique identifier of the authentication provider inside a data app.
@@ -37,6 +38,8 @@ func (t Type) new() (Provider, error) {
 	switch t {
 	case TypeOIDC:
 		return OIDC{}, nil
+	case TypeBasic:
+		return Basic{}, nil
 	default:
 		return nil, errors.Errorf(`unexpected type of data app auth provider "%v"`, t)
 	}
diff --git a/internal/pkg/service/appsproxy/dependencies/dependencies.go b/internal/pkg/service/appsproxy/dependencies/dependencies.go
index 9d8a195882..801adb3023 100644
--- a/internal/pkg/service/appsproxy/dependencies/dependencies.go
+++ b/internal/pkg/service/appsproxy/dependencies/dependencies.go
@@ -28,7 +28,7 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/notify"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/wakeup"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/upstream"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/transport"
@@ -53,7 +53,7 @@ type ServiceScope interface {
 	AppConfigLoader() *appconfig.Loader
 	UpstreamTransport() http.RoundTripper
 	UpstreamManager() *upstream.Manager
-	OidcProxyManager() *oidcproxy.Manager
+	AuthProxyManager() *authproxy.Manager
 	PageWriter() *pagewriter.Writer
 	NotifyManager() *notify.Manager
 	WakeupManager() *wakeup.Manager
@@ -73,7 +73,7 @@ type serviceScope struct {
 	appHandlers       *apphandler.Manager
 	upstreamTransport http.RoundTripper
 	upstreamManager   *upstream.Manager
-	oidcProxyManager  *oidcproxy.Manager
+	authProxyManager  *authproxy.Manager
 	pageWriter        *pagewriter.Writer
 	appConfigLoader   *appconfig.Loader
 	notifyManager     *notify.Manager
@@ -154,7 +154,7 @@ func newServiceScope(ctx context.Context, parentScp parentScopes, cfg config.Con
 	d.appConfigLoader = appconfig.NewLoader(d)
 	d.notifyManager = notify.NewManager(d)
 	d.wakeupManager = wakeup.NewManager(d)
-	d.oidcProxyManager = oidcproxy.NewManager(d)
+	d.authProxyManager = authproxy.NewManager(d)
 	d.upstreamManager = upstream.NewManager(d)
 	d.appHandlers = apphandler.NewManager(d)
 
@@ -185,8 +185,8 @@ func (v *serviceScope) UpstreamManager() *upstream.Manager {
 	return v.upstreamManager
 }
 
-func (v *serviceScope) OidcProxyManager() *oidcproxy.Manager {
-	return v.oidcProxyManager
+func (v *serviceScope) AuthProxyManager() *authproxy.Manager {
+	return v.authProxyManager
 }
 
 func (v *serviceScope) PageWriter() *pagewriter.Writer {
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/apphandler.go b/internal/pkg/service/appsproxy/proxy/apphandler/apphandler.go
index 71621e2fc8..5c2ec57699 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/apphandler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/apphandler.go
@@ -13,8 +13,8 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/common/ctxattr"
 	svcErrors "github.com/keboola/keboola-as-code/internal/pkg/service/common/errors"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/common/httpserver/middleware"
@@ -33,7 +33,7 @@ type appHandler struct {
 
 type ruleIndex int
 
-func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handler, authHandlers map[provider.ID]*oidcproxy.Handler) (http.Handler, error) {
+func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handler, authHandlers map[provider.ID]selector.Handler) (http.Handler, error) {
 	handler := &appHandler{
 		manager:            manager,
 		app:                app,
@@ -45,7 +45,7 @@ func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handle
 
 	// Create handler with all auth handlers, to route internal URLs
 	if len(authHandlers) > 0 {
-		if h, err := manager.oidcProxyManager.ProviderSelector().For(app, authHandlers); err == nil {
+		if h, err := manager.authProxyManager.ProviderSelector().For(app, authHandlers); err == nil {
 			handler.allAuthHandlers = h
 		} else {
 			return nil, err
@@ -78,7 +78,7 @@ func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handle
 		}
 
 		// Filter authentication handlers
-		authHandlersPerRule := make(map[provider.ID]*oidcproxy.Handler)
+		authHandlersPerRule := make(map[provider.ID]selector.Handler)
 		for _, providerID := range rule.Auth {
 			if authHandler, found := authHandlers[providerID]; found {
 				authHandlersPerRule[providerID] = authHandler
@@ -88,7 +88,7 @@ func newAppHandler(manager *Manager, app api.AppConfig, appUpstream chain.Handle
 		}
 
 		// Merge authentication handlers for the rule to one selector handler
-		if h, err := manager.oidcProxyManager.ProviderSelector().For(app, authHandlersPerRule); err == nil {
+		if h, err := manager.authProxyManager.ProviderSelector().For(app, authHandlersPerRule); err == nil {
 			handler.authHandlerPerRule[index] = h
 		} else {
 			return nil, err
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
new file mode 100644
index 0000000000..fbf65ea36e
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -0,0 +1,102 @@
+package basicauth
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/benbjohnson/clock"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
+)
+
+const (
+	basicAuthCookie = "proxyBasicAuth"
+	formPagePath    = config.InternalPrefix + "/form"
+)
+
+type Handler struct {
+	logger     log.Logger
+	pageWriter *pagewriter.Writer
+	clock      clock.Clock
+	app        api.AppConfig
+	basicAuth  provider.Basic
+	upstream   chain.Handler
+}
+
+func NewHandler(
+	logger log.Logger,
+	pageWriter *pagewriter.Writer,
+	clock clock.Clock,
+	app api.AppConfig,
+	auth provider.Basic,
+	upstream chain.Handler,
+) *Handler {
+	return &Handler{
+		logger:     logger,
+		pageWriter: pageWriter,
+		clock:      clock,
+		app:        app,
+		basicAuth:  auth,
+		upstream:   upstream,
+	}
+}
+
+func (h *Handler) Name() string {
+	return h.basicAuth.Name()
+}
+
+func (h *Handler) SignInPath() string {
+	return formPagePath
+}
+
+func (h *Handler) CookieExpiration() time.Duration {
+	return 5 * time.Minute
+}
+
+func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
+	cookie, _ := req.Cookie(basicAuthCookie)
+	if _, ok := req.Form["password"]; !ok || cookie == nil {
+		h.pageWriter.WriteFormPage(w, req, http.StatusOK)
+		return nil
+	}
+
+	if req.URL.Path != formPagePath {
+		return nil
+	}
+
+	if !h.basicAuth.IsAuthorized("") {
+		return errors.New("wrong password prompted")
+	}
+
+	host, _ := util.SplitHostPort(req.Host)
+	if host == "" {
+		panic(errors.New("host cannot be empty"))
+	}
+
+	v := &http.Cookie{
+		Name:     basicAuthCookie,
+		Path:     "/",
+		Domain:   host,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	}
+
+	expires := h.CookieExpiration()
+	if expires > 0 {
+		// If there is an expiration, set it
+		v.Expires = h.clock.Now().Add(expires)
+	} else {
+		// Otherwise clear the cookie
+		v.MaxAge = -1
+	}
+
+	return h.upstream.ServeHTTPOrError(w, req)
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
new file mode 100644
index 0000000000..f3e957c95d
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
@@ -0,0 +1,61 @@
+package authproxy
+
+import (
+	"github.com/benbjohnson/clock"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+)
+
+type Manager struct {
+	logger           log.Logger
+	config           config.Config
+	pageWriter       *pagewriter.Writer
+	clock            clock.Clock
+	providerSelector *selector.Selector
+}
+
+type dependencies interface {
+	Logger() log.Logger
+	Clock() clock.Clock
+	Config() config.Config
+	PageWriter() *pagewriter.Writer
+}
+
+func NewManager(d dependencies) *Manager {
+	return &Manager{
+		logger:           d.Logger(),
+		config:           d.Config(),
+		pageWriter:       d.PageWriter(),
+		clock:            d.Clock(),
+		providerSelector: selector.New(d),
+	}
+}
+
+func (m *Manager) ProviderSelector() *selector.Selector {
+	return m.providerSelector
+}
+
+func (m *Manager) NewHandlers(app api.AppConfig, upstream chain.Handler) map[provider.ID]selector.Handler {
+	authHandlers := make(map[provider.ID]selector.Handler, len(app.AuthProviders))
+	for _, auth := range app.AuthProviders {
+		switch p := auth.(type) {
+		case provider.OIDC:
+			authHandlers[auth.ID()] = oidcproxy.NewHandler(m.logger, m.config, m.providerSelector, m.pageWriter, app, p, upstream)
+
+		case provider.Basic:
+			authHandlers[auth.ID()] = basicauth.NewHandler(m.logger, m.pageWriter, m.clock, app, p, upstream)
+
+		default:
+			panic("unknown auth provider type")
+		}
+	}
+	return authHandlers
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/config.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/config.go
new file mode 100644
index 0000000000..7725d168eb
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/config.go
@@ -0,0 +1,116 @@
+package oidcproxy
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
+)
+
+func proxyConfig(
+	cfg config.Config,
+	selector *selector.Selector,
+	pageWriter *pagewriter.Writer,
+	app api.AppConfig,
+	authProvider provider.OIDC,
+	upstream chain.Handler,
+) (*options.Options, error) {
+	// Generate unique cookies secret
+	secret, err := generateCookieSecret(cfg, app, authProvider.ID())
+	if err != nil {
+		return nil, err
+	}
+
+	proxyProvider, err := authProvider.ProxyProviderOptions()
+	if err != nil {
+		return nil, err
+	}
+
+	v := options.NewOptions()
+
+	// Connect to the app upstream
+	v.UpstreamHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if err := upstream.ServeHTTPOrError(w, req); err != nil {
+			pageWriter.WriteError(w, req, &app, err)
+		}
+	})
+
+	// Render the selector page, if login is needed, it is not an internal URL
+	v.OnNeedsLogin = func(rw http.ResponseWriter, req *http.Request) (stop bool) {
+		// Bypass internal paths
+		if strings.HasPrefix(req.URL.Path, v.ProxyPrefix) {
+			return false
+		}
+
+		return selector.OnNeedsLogin(&app, pageWriter.WriteError)(rw, req)
+	}
+	// Setup
+	domain := app.CookieDomain(cfg.API.PublicURL)
+	redirectURL := cfg.API.PublicURL.Scheme + "://" + domain + config.InternalPrefix + "/callback"
+	v.Logging.RequestIDHeader = config.RequestIDHeader
+	v.Logging.RequestEnabled = false // we have log middleware for all requests
+	v.Cookie.Secret = secret
+	v.Cookie.Domains = []string{domain}
+	v.Cookie.SameSite = "strict"
+	v.ProxyPrefix = config.InternalPrefix
+	v.RawRedirectURL = redirectURL
+	v.Providers = options.Providers{proxyProvider}
+	v.SkipProviderButton = true
+	v.Session = options.SessionOptions{Type: options.CookieSessionStoreType}
+	v.EmailDomains = []string{"*"}
+	v.InjectRequestHeaders = []options.Header{
+		headerFromClaim("X-Kbc-User-Name", "name"),
+		headerFromClaim("X-Kbc-User-Email", options.OIDCEmailClaim),
+		headerFromClaim("X-Kbc-User-Roles", options.OIDCGroupsClaim),
+	}
+
+	// Cannot separate errors from info because when ErrToInfo is false (default),
+	// oauthproxy keeps forcibly setting its global error writer to os.Stderr whenever a new proxy instance is created.
+	v.Logging.ErrToInfo = true
+
+	if err := validation.Validate(v); err != nil {
+		return nil, err
+	}
+
+	return v, nil
+}
+
+// generateCookieSecret creates a unique cookie secret for each app and provider.
+// This is necessary because otherwise cookies created by provider A would also be valid in a section that requires provider B but not A.
+// To solve this we use the combination of the provider id and our salt.
+func generateCookieSecret(cfg config.Config, app api.AppConfig, providerID provider.ID) (string, error) {
+	if cfg.CookieSecretSalt == "" {
+		return "", errors.New("missing cookie secret salt")
+	}
+
+	h := sha256.New()
+	h.Write([]byte(app.ID.String() + "/" + providerID.String() + "/" + cfg.CookieSecretSalt))
+	bs := h.Sum(nil)
+
+	// Result must be 32 chars, 2 hex chars for each byte
+	return fmt.Sprintf("%x", bs[:16]), nil
+}
+
+func headerFromClaim(header, claim string) options.Header {
+	return options.Header{
+		Name: header,
+		Values: []options.HeaderValue{
+			{
+				ClaimSource: &options.ClaimSource{
+					Claim: claim,
+				},
+			},
+		},
+	}
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/doc.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/doc.go
new file mode 100644
index 0000000000..f1acc74ee2
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/doc.go
@@ -0,0 +1,3 @@
+// Package oidcproxy provides factory for OAuth2Proxy library.
+// The logic is inserted before the handler from  the "upstream" package.
+package oidcproxy
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/handler.go
new file mode 100644
index 0000000000..7b0e18180a
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/handler.go
@@ -0,0 +1,98 @@
+package oidcproxy
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	oauthproxy "github.com/oauth2-proxy/oauth2-proxy/v7"
+	proxyOptions "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+	svcErrors "github.com/keboola/keboola-as-code/internal/pkg/service/common/errors"
+	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
+)
+
+type Handler struct {
+	providerName string
+	proxyConfig  *proxyOptions.Options
+	proxyHandler *oauthproxy.OAuthProxy
+	initErr      error
+}
+
+func NewHandler(
+	logger log.Logger,
+	cfg config.Config,
+	selector *selector.Selector,
+	pw *pagewriter.Writer,
+	app api.AppConfig,
+	auth provider.OIDC,
+	upstream chain.Handler,
+) *Handler {
+	var err error
+	handler := &Handler{providerName: auth.Name()}
+
+	// Create proxy configuration
+	handler.proxyConfig, err = proxyConfig(cfg, selector, pw, app, auth, upstream)
+	if err != nil {
+		handler.initErr = wrapHandlerInitErr(app, auth, err)
+		return handler
+	}
+
+	// Create proxy page writer adapter
+	pageWriter, err := newPageWriter(logger, pw, app, auth, handler.proxyConfig)
+	if err != nil {
+		handler.initErr = wrapHandlerInitErr(app, auth, err)
+		return handler
+	}
+
+	// Create proxy HTTP handler
+	authValidator := func(email string) bool { return true } // there is no need to verify individual users
+	handler.proxyHandler, err = oauthproxy.NewOAuthProxyWithPageWriter(handler.proxyConfig, authValidator, pageWriter)
+	if err != nil {
+		handler.initErr = wrapHandlerInitErr(app, auth, err)
+		return handler
+	}
+
+	return handler
+}
+
+func (h *Handler) Name() string {
+	return h.providerName
+}
+
+func (h *Handler) CookieExpiration() time.Duration {
+	if h.initErr != nil {
+		return 5 * time.Minute
+	}
+	return h.proxyConfig.Cookie.Expire
+}
+
+func (h *Handler) SignInPath() string {
+	if h.initErr != nil {
+		return "/error"
+	}
+	return h.proxyHandler.SignInPath
+}
+
+func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
+	if h.initErr != nil {
+		return h.initErr
+	}
+
+	// Pass request to OAuth2Proxy
+	h.proxyHandler.ServeHTTP(w, req) // errors are handled by the page writer
+	return nil
+}
+
+func wrapHandlerInitErr(app api.AppConfig, auth provider.Provider, err error) error {
+	return svcErrors.
+		NewServiceUnavailableError(errors.PrefixErrorf(err, `application "%s" has invalid configuration for authentication provider "%s"`, app.IdAndName(), auth.ID())).
+		WithUserMessage(fmt.Sprintf(`Application "%s" has invalid configuration for authentication provider "%s".`, app.IdAndName(), auth.ID()))
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging/writer.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging/writer.go
new file mode 100644
index 0000000000..ed451eeb4c
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging/writer.go
@@ -0,0 +1,35 @@
+package logging
+
+import (
+	"context"
+	"io"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+)
+
+type loggerWriter struct {
+	logger log.Logger
+	level  string
+	buffer []byte
+}
+
+const newLine = byte(10)
+
+func (w *loggerWriter) Write(p []byte) (n int, err error) {
+	w.buffer = append(w.buffer, p...)
+
+	if len(p) > 0 && p[len(p)-1] == newLine {
+		w.logger.Log(context.Background(), w.level, string(w.buffer))
+		w.buffer = []byte{}
+		return 1, nil
+	}
+
+	return len(p), nil
+}
+
+func NewLoggerWriter(logger log.Logger, level string) io.Writer {
+	return &loggerWriter{
+		logger: logger,
+		level:  level,
+	}
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/pagewriter.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/pagewriter.go
new file mode 100644
index 0000000000..df0248f088
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/pagewriter.go
@@ -0,0 +1,107 @@
+package oidcproxy
+
+import (
+	"net/http"
+	"strings"
+
+	oauthproxy "github.com/oauth2-proxy/oauth2-proxy/v7"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+	proxypw "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/app/pagewriter"
+	"github.com/spf13/cast"
+	"go.opentelemetry.io/otel/attribute"
+	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/log"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/common/ctxattr"
+)
+
+type proxyPageWriter proxypw.Writer
+
+// pageWriter is adapter between common page writer and OAuth2Proxy specific page writer.
+type pageWriter struct {
+	proxyPageWriter
+	logger       log.Logger
+	app          api.AppConfig
+	authProvider provider.Provider
+	pageWriter   *pagewriter.Writer
+}
+
+func newPageWriter(logger log.Logger, pw *pagewriter.Writer, app api.AppConfig, authProvider provider.Provider, opts *options.Options) (*pageWriter, error) {
+	parent, err := proxypw.NewWriter(
+		proxypw.Opts{
+			TemplatesPath:    opts.Templates.Path,
+			CustomLogo:       opts.Templates.CustomLogo,
+			ProxyPrefix:      opts.ProxyPrefix,
+			Footer:           opts.Templates.Footer,
+			Version:          oauthproxy.VERSION,
+			Debug:            opts.Templates.Debug,
+			ProviderName:     opts.Providers[0].Name,
+			SignInMessage:    opts.Templates.Banner,
+			DisplayLoginForm: opts.Templates.DisplayLoginForm,
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return &pageWriter{
+		logger:          logger.WithComponent("oauth2proxy.pw"),
+		proxyPageWriter: parent,
+		app:             app,
+		authProvider:    authProvider,
+		pageWriter:      pw,
+	}, nil
+}
+
+func (pw *pageWriter) WriteErrorPage(w http.ResponseWriter, req *http.Request, opts proxypw.ErrorPageOpts) {
+	// Convert messages to string
+	var messages []string
+	for _, msg := range opts.Messages {
+		if str := cast.ToString(msg); str != "" {
+			messages = append(messages, str)
+		}
+	}
+
+	// Default messages
+	if len(messages) == 0 {
+		switch opts.Status {
+		case http.StatusUnauthorized:
+			messages = []string{"You need to be logged in to access this resource."}
+		case http.StatusForbidden:
+			messages = []string{"You do not have permission to access this resource."}
+		case http.StatusInternalServerError:
+			messages = []string{"Oops! Something went wrong."}
+		default:
+			messages = []string{opts.AppError}
+		}
+	}
+
+	// Exception ID
+	exceptionID := pagewriter.ExceptionIDPrefix + opts.RequestID
+
+	joinedMessage := strings.Join(messages, "\n")
+	// Add attributes
+	req = req.WithContext(ctxattr.ContextWith(
+		req.Context(),
+		semconv.HTTPStatusCode(opts.Status),
+		attribute.String("exceptionId", exceptionID),
+		attribute.String("error.userMessages", joinedMessage),
+		attribute.String("error.details", opts.AppError),
+	))
+
+	// Log warning
+	pw.logger.Warn(req.Context(), strings.Join(messages, "\n")) //nolint:contextcheck // false positive
+
+	pw.pageWriter.WriteErrorPage(w, req, &pw.app, opts.Status, joinedMessage+opts.AppError, exceptionID)
+}
+
+func (pw *pageWriter) ProxyErrorHandler(w http.ResponseWriter, req *http.Request, err error) {
+	pw.pageWriter.ProxyErrorHandler(w, req, pw.app, err)
+}
+
+func (pw *pageWriter) WriteRobotsTxt(w http.ResponseWriter, req *http.Request) {
+	pw.pageWriter.WriteRobotsTxt(w, req)
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/handler.go
new file mode 100644
index 0000000000..9d108210b8
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/handler.go
@@ -0,0 +1,13 @@
+package selector
+
+import (
+	"net/http"
+	"time"
+)
+
+type Handler interface {
+	Name() string
+	ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error
+	CookieExpiration() time.Duration
+	SignInPath() string
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
new file mode 100644
index 0000000000..ea408064e1
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
@@ -0,0 +1,273 @@
+package selector
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/benbjohnson/clock"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
+	svcErrors "github.com/keboola/keboola-as-code/internal/pkg/service/common/errors"
+	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
+)
+
+const (
+	providerCookie             = "_oauth2_provider"
+	providerQueryParam         = "provider"
+	continueAuthQueryParam     = "continue_auth"
+	callbackQueryParam         = "rd" // value match OAuth2Proxy internals and shouldn't be modified (see AppDirector there)
+	selectionPagePath          = config.InternalPrefix + "/selection"
+	signOutPath                = config.InternalPrefix + "/sign_out"
+	proxyCallbackPath          = config.InternalPrefix + "/callback"
+	ignoreProviderCookieCtxKey = ctxKey("ignoreProviderCookieCtxKey")
+	selectorHandlerCtxKey      = ctxKey("selectorHandlerCtxKey")
+)
+
+type ctxKey string
+
+type Selector struct {
+	clock      clock.Clock
+	config     config.Config
+	pageWriter *pagewriter.Writer
+}
+
+type SelectorForAppRule struct {
+	*Selector
+	app      api.AppConfig
+	handlers map[provider.ID]Handler
+}
+
+type dependencies interface {
+	Clock() clock.Clock
+	Config() config.Config
+	PageWriter() *pagewriter.Writer
+}
+
+func New(d dependencies) *Selector {
+	return &Selector{
+		clock:      d.Clock(),
+		config:     d.Config(),
+		pageWriter: d.PageWriter(),
+	}
+}
+
+func (s *Selector) For(app api.AppConfig, handlers map[provider.ID]Handler) (*SelectorForAppRule, error) {
+	// Validate handlers count
+	if len(handlers) == 0 {
+		return nil, svcErrors.NewServiceUnavailableError(errors.New(`no authentication provider found`))
+	}
+
+	return &SelectorForAppRule{Selector: s, app: app, handlers: handlers}, nil
+}
+
+// ServeHTTPOrError renders selector page if there is more than one authentication handler,
+// and no handler is selected, or the selected handler is not allowed for the requested path (see api.AuthRule).
+//
+// The selector page is rendered:
+// 1. If it is accessed directly using selectionPagePath, the status code is StatusOK.
+// 2. If no handler is selected and the path requires authorization, the status code is StatusUnauthorized.
+func (s *SelectorForAppRule) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
+	// To make the same site strict cookie work we need to replace the redirect from the auth provider with a page that does the redirect.
+	if req.URL.Path == proxyCallbackPath {
+		query := req.URL.Query()
+		if query.Get(continueAuthQueryParam) != "true" {
+			query.Set(continueAuthQueryParam, "true")
+			baseURL := s.app.BaseURL(s.config.API.PublicURL)
+			redirectURL := baseURL.ResolveReference(&url.URL{Path: req.URL.Path, RawQuery: query.Encode()})
+			s.pageWriter.WriteRedirectPage(w, req, http.StatusOK, redirectURL.String())
+			return nil
+		}
+	}
+
+	// Store the selector to the context.
+	// It is used by the OnNeedsLogin callback, to render the selector page, if the provider needs login.
+	// Internal paths (it includes sing in) are bypassed, see Manager.proxyConfig for details.
+	req = req.WithContext(context.WithValue(req.Context(), selectorHandlerCtxKey, s))
+
+	// Clear cookie on logout
+	if req.URL.Path == signOutPath {
+		// This clears provider selection cookie while oauth2-proxy clears the session cookie.
+		// The user isn't logged out on the provider's side, but when redirected to the provider they're
+		// forced to select their account again because of the "select_account" flag in LoginURLParameters.
+		s.clearCookie(w, req)
+	}
+
+	// Render selector page, if it is accessed directly
+	if req.URL.Path == selectionPagePath {
+		return s.writeSelectorPage(w, req, http.StatusOK)
+	}
+
+	// Skip selector page, if there is only one provider
+	if len(s.handlers) == 1 {
+		// The handlers variable is a map, use the first handler via a for cycle
+		for id, handler := range s.handlers {
+			// Set cookie if needed
+			if providerID := s.providerIDFromCookie(req); providerID != id {
+				s.setCookie(w, req, id, handler)
+			}
+			return handler.ServeHTTPOrError(w, req)
+		}
+	}
+
+	// Ignore cookie if we have already tried this provider, but the provider requires login.
+	providerID := s.providerIDFromCookie(req)
+	if ignore, _ := req.Context().Value(ignoreProviderCookieCtxKey).(bool); ignore {
+		providerID = ""
+	}
+
+	// Identify the chosen provider by the cookie
+	if handler := s.handlers[providerID]; handler != nil {
+		return handler.ServeHTTPOrError(w, req)
+	}
+
+	// No matching handler found
+	return s.writeSelectorPage(w, req, http.StatusUnauthorized)
+}
+
+func (s *SelectorForAppRule) writeSelectorPage(w http.ResponseWriter, req *http.Request, status int) error {
+	// Mark provider selected
+	id := provider.ID(req.URL.Query().Get(providerQueryParam))
+	if selected, found := s.handlers[id]; found {
+		// Set cookie with the same expiration as other provider cookies
+		s.setCookie(w, req, id, selected)
+
+		// Get path for redirect after sign in, it must not refer to an external URL
+		query := make(url.Values)
+		callback := req.URL.Query().Get(callbackQueryParam)
+		if isAcceptedCallbackURL(callback) {
+			query.Set(callbackQueryParam, callback)
+		}
+
+		// Render sign in page, set callback after login
+		s.redirect(w, req, selected.SignInPath(), query)
+		return nil
+	}
+
+	// Render the page, if there is no cookie or the value is invalid
+	s.pageWriter.WriteSelectorPage(w, req, status, s.selectorPageData(req))
+	return nil
+}
+
+func (s *SelectorForAppRule) selectorPageData(req *http.Request) *pagewriter.SelectorPageData {
+	// Pass link back to the current page, if reasonable, otherwise the user will be redirected to /
+	var callback string
+	if req.Method == http.MethodGet {
+		callback = req.URL.Path
+	}
+
+	// Base URL for all providers
+	pageURL := s.url(req, selectionPagePath, nil)
+
+	// Generate link for each providers
+	data := &pagewriter.SelectorPageData{App: pagewriter.NewAppData(&s.app)}
+	for id, handler := range s.handlers {
+		query := make(url.Values)
+		query.Set(providerQueryParam, id.String())
+		if isAcceptedCallbackURL(callback) {
+			query.Set(callbackQueryParam, callback)
+		}
+		data.Providers = append(data.Providers, pagewriter.ProviderData{
+			Name: handler.Name(),
+			URL:  pageURL.ResolveReference(&url.URL{RawQuery: query.Encode()}).String(),
+		})
+	}
+
+	// Sort items
+	slices.SortStableFunc(data.Providers, func(a, b pagewriter.ProviderData) int {
+		return strings.Compare(a.Name, b.Name)
+	})
+
+	return data
+}
+
+func (s *Selector) OnNeedsLogin(
+	app *api.AppConfig,
+	writeErrorPage func(rw http.ResponseWriter, req *http.Request, app *api.AppConfig, err error),
+) func(rw http.ResponseWriter, req *http.Request) bool {
+	return func(w http.ResponseWriter, req *http.Request) (stop bool) {
+		// Determine, if we should render the selector page using the selector instance from the context
+		if selector, ok := req.Context().Value(selectorHandlerCtxKey).(*SelectorForAppRule); ok {
+			// If there is only one provider, continue to the sing in page
+			if len(selector.handlers) <= 1 {
+				return false
+			}
+
+			// Go back and render the selector page, ignore the cookie value
+			req = req.WithContext(context.WithValue(req.Context(), ignoreProviderCookieCtxKey, true))
+			if err := selector.ServeHTTPOrError(w, req); err != nil {
+				writeErrorPage(w, req, app, err)
+			}
+			return true
+		}
+
+		// Fallback, the selector instance is not found, it shouldn't happen.
+		// Clear the cookie and redirect to the same path, so the selector page is rendered.
+		s.clearCookie(w, req)
+		w.Header().Set("Location", req.URL.Path)
+		w.WriteHeader(http.StatusFound)
+		return true
+	}
+}
+
+func (s *Selector) redirect(w http.ResponseWriter, req *http.Request, path string, query url.Values) {
+	w.Header().Set("Location", s.url(req, path, query).String())
+	w.WriteHeader(http.StatusFound)
+}
+
+func (s *Selector) url(req *http.Request, path string, query url.Values) *url.URL {
+	return &url.URL{Scheme: s.config.API.PublicURL.Scheme, Host: req.Host, Path: path, RawQuery: query.Encode()}
+}
+
+func (s *Selector) providerIDFromCookie(req *http.Request) provider.ID {
+	if cookie, _ := req.Cookie(providerCookie); cookie != nil && cookie.Value != "" {
+		return provider.ID(cookie.Value)
+	}
+	return ""
+}
+
+func (s *Selector) clearCookie(w http.ResponseWriter, req *http.Request) {
+	http.SetCookie(w, s.cookie(req, "", -1))
+}
+
+func (s *Selector) setCookie(w http.ResponseWriter, req *http.Request, id provider.ID, handler Handler) {
+	http.SetCookie(w, s.cookie(req, id.String(), handler.CookieExpiration()))
+}
+
+func (s *Selector) cookie(req *http.Request, value string, expires time.Duration) *http.Cookie {
+	host, _ := util.SplitHostPort(req.Host)
+	if host == "" {
+		panic(errors.New("host cannot be empty"))
+	}
+
+	v := &http.Cookie{
+		Name:     providerCookie,
+		Value:    value,
+		Path:     "/",
+		Domain:   host,
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	}
+
+	if expires > 0 {
+		// If there is an expiration, set it
+		v.Expires = s.clock.Now().Add(expires)
+	} else {
+		// Otherwise clear the cookie
+		v.MaxAge = -1
+	}
+
+	return v
+}
+
+func isAcceptedCallbackURL(callback string) bool {
+	return callback != "" && callback != "/" && callback != selectionPagePath && strings.HasPrefix(callback, "/")
+}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/manager.go b/internal/pkg/service/appsproxy/proxy/apphandler/manager.go
index a22db18381..a170dec539 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/manager.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/manager.go
@@ -8,8 +8,7 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/appconfig"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/upstream"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/syncmap"
@@ -24,7 +23,7 @@ type Manager struct {
 	telemetry        telemetry.Telemetry
 	configLoader     *appconfig.Loader
 	upstreamManager  *upstream.Manager
-	oidcProxyManager *oidcproxy.Manager
+	authProxyManager *authproxy.Manager
 	pageWriter       *pagewriter.Writer
 	handlers         *syncmap.SyncMap[api.AppID, appHandlerWrapper]
 }
@@ -39,7 +38,7 @@ type dependencies interface {
 	Telemetry() telemetry.Telemetry
 	PageWriter() *pagewriter.Writer
 	UpstreamManager() *upstream.Manager
-	OidcProxyManager() *oidcproxy.Manager
+	AuthProxyManager() *authproxy.Manager
 	AppConfigLoader() *appconfig.Loader
 }
 
@@ -49,7 +48,7 @@ func NewManager(d dependencies) *Manager {
 		telemetry:        d.Telemetry(),
 		configLoader:     d.AppConfigLoader(),
 		upstreamManager:  d.UpstreamManager(),
-		oidcProxyManager: d.OidcProxyManager(),
+		authProxyManager: d.AuthProxyManager(),
 		pageWriter:       d.PageWriter(),
 		handlers: syncmap.New[api.AppID, appHandlerWrapper](func(api.AppID) *appHandlerWrapper {
 			return &appHandlerWrapper{lock: &sync.Mutex{}}
@@ -87,15 +86,7 @@ func (m *Manager) newHandler(ctx context.Context, app api.AppConfig) http.Handle
 	}
 
 	// Create authentication handlers
-	authHandlers := make(map[provider.ID]*oidcproxy.Handler, len(app.AuthProviders))
-	for _, auth := range app.AuthProviders {
-		switch p := auth.(type) {
-		case provider.OIDC:
-			authHandlers[auth.ID()] = m.oidcProxyManager.NewHandler(app, p, appUpstream)
-		default:
-			panic("unknown auth provider type")
-		}
-	}
+	authHandlers := m.authProxyManager.NewHandlers(app, appUpstream)
 
 	// Create root handler for application
 	handler, err := newAppHandler(m, app, appUpstream, authHandlers)

From 57c60060b96736d9be22387589a3dfc9b2779c96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Mon, 24 Jun 2024 08:27:35 +0200
Subject: [PATCH 03/15] feat: Add simple form page

---
 .../appsproxy/proxy/pagewriter/form.go        | 13 +++++++
 .../proxy/pagewriter/template/form.gohtml     | 37 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/form.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml

diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/form.go b/internal/pkg/service/appsproxy/proxy/pagewriter/form.go
new file mode 100644
index 0000000000..cd53f8d108
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/form.go
@@ -0,0 +1,13 @@
+package pagewriter
+
+import "net/http"
+
+type FormPageData struct {
+	App AppData
+}
+
+func (pw *Writer) WriteFormPage(w http.ResponseWriter, req *http.Request, status int) {
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate;")
+	w.Header().Set("pragma", "no-cache")
+	pw.writePage(w, req, "form.gohtml", status, nil)
+}
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml b/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml
new file mode 100644
index 0000000000..66fce11790
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="icon" type="image/x-icon" href="/_proxy/assets/favicon.ico">
+
+    <title>Basic Authentication</title>
+
+    <link rel="stylesheet" href="/_proxy/assets/styles.css">
+</head>
+<body>
+<header>
+    <h1>{{.App.Name}}</h1>
+    <section>
+        <div>
+            App ID: <b>{{.App.ID}}</b>
+        </div>
+        <b>,</b>
+        <div>
+            Project ID: <b>{{.App.ProjectID}}</b>
+        </div>
+    </section>
+</header>
+<main class="box">
+    <h2>Basic Authentication</h2>
+    <a href="{{.URL}}" class="link">{{.Name}}</a>
+</main>
+<footer>
+    <p>Powered By</p>
+    <svg xmlns="http://www.w3.org/2000/svg" width="100"  viewBox="0 0 132 33" fill="none">
+        <path class="icon-primary" d="M130.384 13.2579C131.49 14.3339 132 15.9206 132 17.8738V25.2386C132 26.1727 131.263 26.8812 130.327 26.8812C129.333 26.8812 128.653 26.2007 128.653 25.4364V24.8698C127.632 26.0878 126.071 27.051 123.773 27.051C120.965 27.051 118.468 25.4364 118.468 22.4339V22.3781C118.468 19.1488 120.993 17.5632 124.653 17.5632C126.327 17.5632 127.518 17.818 128.681 18.1856V17.818C128.681 15.6938 127.376 14.5608 124.965 14.5608C123.66 14.5608 122.583 14.7876 121.645 15.1552C121.447 15.2122 121.278 15.2401 121.107 15.2401C120.313 15.2401 119.66 14.6178 119.66 13.8244C119.66 13.2009 120.086 12.6634 120.596 12.4656C122.014 11.9271 123.461 11.5874 125.419 11.5874C127.66 11.5874 129.333 12.1818 130.384 13.2579ZM128.738 21.3579V20.3388C127.858 19.9991 126.695 19.7432 125.334 19.7432C123.121 19.7432 121.816 20.6785 121.816 22.2361V22.292C121.816 23.7368 123.093 24.5581 124.738 24.5581C127.007 24.5581 128.738 23.2552 128.738 21.3579ZM114.951 5.92331C115.916 5.92331 116.682 6.6876 116.682 7.62175V25.1816C116.682 26.1448 115.916 26.8812 114.951 26.8812C114.015 26.8812 113.249 26.1448 113.249 25.1816V7.62175C113.249 6.6876 113.987 5.92331 114.951 5.92331ZM103.293 11.4734C107.888 11.4734 111.264 14.9574 111.264 19.2337V19.2907C111.264 23.539 107.86 27.0789 103.236 27.0789C98.6691 27.0789 95.2927 23.5949 95.2927 19.3477V19.2907C95.2927 15.0144 98.6974 11.4734 103.293 11.4734ZM107.832 19.3477V19.2907C107.832 16.6559 105.931 14.4758 103.236 14.4758C100.485 14.4758 98.7257 16.6291 98.7257 19.2337V19.2907C98.7257 21.8965 100.626 24.0776 103.293 24.0776C106.073 24.0776 107.832 21.9244 107.832 19.3477ZM86.3575 11.4734C90.953 11.4734 94.3283 14.9574 94.3283 19.2337V19.2907C94.3283 23.539 90.9247 27.0789 86.3009 27.0789C81.7337 27.0789 78.3573 23.5949 78.3573 19.3477V19.2907C78.3573 15.0144 81.762 11.4734 86.3575 11.4734ZM90.8964 19.3477V19.2907C90.8964 16.6559 88.9959 14.4758 86.3009 14.4758C83.5493 14.4758 81.7903 16.6291 81.7903 19.2337V19.2907C81.7903 21.8965 83.6908 24.0776 86.3575 24.0776C89.1374 24.0776 90.8964 21.9244 90.8964 19.3477ZM70.3865 11.4734C73.9044 11.4734 77.3374 14.249 77.3374 19.2337V19.2907C77.3374 24.2463 73.9327 27.051 70.3865 27.051C67.8906 27.051 66.3309 25.804 65.2805 24.4173V25.1816C65.2805 26.1157 64.5153 26.8812 63.5498 26.8812C62.6138 26.8812 61.8486 26.1157 61.8486 25.1816V7.62175C61.8486 6.65855 62.5855 5.92331 63.5498 5.92331C64.5153 5.92331 65.2805 6.65855 65.2805 7.62175V14.2781C66.3875 12.7204 67.9472 11.4734 70.3865 11.4734ZM73.8478 19.2907V19.2337C73.8478 16.3452 71.8908 14.4468 69.5647 14.4468C67.2387 14.4468 65.1956 16.3732 65.1956 19.2337V19.2907C65.1956 22.1512 67.2387 24.0776 69.5647 24.0776C71.9191 24.0776 73.8478 22.2361 73.8478 19.2907ZM52.9134 11.4734C57.6787 11.4734 60.033 15.382 60.033 18.837C60.033 19.8002 59.2962 20.4796 58.4167 20.4796H49.0265C49.3955 22.9155 51.1262 24.2754 53.339 24.2754C54.7856 24.2754 55.9197 23.7659 56.8841 22.9725C57.1399 22.7747 57.3663 22.6608 57.7636 22.6608C58.5299 22.6608 59.1253 23.2552 59.1253 24.0486C59.1253 24.4732 58.9272 24.8419 58.6714 25.0967C57.3097 26.3146 55.6085 27.0789 53.2813 27.0789C48.9416 27.0789 45.5946 23.9357 45.5946 19.3186V19.2628C45.5946 14.9854 48.6292 11.4734 52.9134 11.4734ZM48.9982 18.2146H56.686C56.4585 16.0044 55.1546 14.2781 52.8851 14.2781C50.7855 14.2781 49.3106 15.8916 48.9982 18.2146ZM38.3041 15.6368L44.9992 23.9357C45.2822 24.3033 45.4814 24.643 45.4814 25.1816C45.4814 26.1448 44.7151 26.8812 43.7224 26.8812C43.041 26.8812 42.6154 26.5415 42.2476 26.0599L35.8648 17.9308L32.631 21.0461V25.1525C32.631 26.1157 31.8647 26.8812 30.9003 26.8812C29.9077 26.8812 29.1414 26.1157 29.1414 25.1525V8.50002C29.1414 7.53682 29.9077 6.77253 30.9003 6.77253C31.8647 6.77253 32.631 7.53682 32.631 8.50002V16.8838L42.0484 7.42397C42.4457 6.99824 42.8713 6.77253 43.4949 6.77253C44.4593 6.77253 45.1124 7.53682 45.1124 8.38716C45.1124 8.92463 44.8849 9.3213 44.4887 9.69004L38.3041 15.6368ZM9.6977 20.6282C5.08183 20.6282 1.55259 15.0736 1.55259 8.03853C1.55259 1.00454 4.49325 0 9.6977 0C14.9021 0 17.5881 1.00454 17.5881 8.03853C17.5881 15.0736 13.8948 20.6282 9.6977 20.6282ZM18.9532 27.0488C19.3324 27.6711 19.1173 28.4746 18.4744 28.8411C18.2582 28.964 18.0216 29.0221 17.7885 29.0221C17.3255 29.0221 16.8739 28.7919 16.6215 28.3773C16.1857 27.6644 15.7397 27.1571 15.2372 26.6934C14.7346 26.2319 14.1642 25.8185 13.511 25.3369C13.1919 25.1034 12.8738 24.9011 12.5569 24.729C12.5942 24.7961 12.6316 24.8643 12.6701 24.9346C13.5869 26.6376 14.5331 29.0008 14.5377 31.6926C14.5377 32.4145 13.9321 33 13.1851 33C12.4369 33 11.8313 32.4145 11.8313 31.6926C11.8358 29.6456 11.0933 27.6767 10.3101 26.2174C10.0565 25.7414 9.8007 25.3213 9.56979 24.9704C9.35134 25.3045 9.10911 25.7012 8.86689 26.1481C8.07117 27.6142 7.30374 29.6143 7.30827 31.6926C7.30827 32.4145 6.70271 33 5.95566 33C5.2086 33 4.60304 32.4145 4.60304 31.6926C4.60757 29.0008 5.5527 26.6376 6.47067 24.9346C6.50802 24.8643 6.54537 24.7961 6.58386 24.729C6.26579 24.9011 5.94886 25.1034 5.62967 25.3369C4.97543 25.8185 4.40496 26.2319 3.90353 26.6934C3.40097 27.1571 2.95387 27.6644 2.51809 28.3785C2.13891 29.0008 1.30923 29.2076 0.666313 28.8411C0.0222655 28.4746 -0.191662 27.6711 0.187522 27.0488C0.753469 26.118 1.38959 25.3917 2.04156 24.795C2.69467 24.1972 3.3523 23.7256 3.99069 23.2541C4.2929 23.0306 4.60304 22.825 4.91997 22.6384C4.60304 22.4518 4.2929 22.2451 3.99069 22.0216C2.53054 20.9456 1.26169 19.4941 0.187522 17.7319C-0.191662 17.1084 0.0222655 16.3061 0.666313 15.9396C1.30923 15.5731 2.13891 15.7798 2.51809 16.4022C3.44851 17.9297 4.50457 19.1119 5.62854 19.9388C6.834 20.8204 8.01797 21.2573 9.23588 21.3266C9.34681 21.3232 9.45887 21.3199 9.56979 21.3199C9.68185 21.3199 9.79278 21.3232 9.9037 21.3266C11.1216 21.2573 12.3067 20.8204 13.511 19.9388C14.635 19.1119 15.6922 17.9297 16.6215 16.4022C17.0018 15.7798 17.8304 15.5731 18.4744 15.9396C19.1173 16.3061 19.3324 17.1084 18.9532 17.7308C17.879 19.4941 16.609 20.9456 15.1489 22.0216C14.8467 22.2451 14.5365 22.4518 14.2207 22.6384C14.5365 22.825 14.8467 23.0306 15.1489 23.2541C15.7884 23.7256 16.4449 24.1972 17.0992 24.795C17.7511 25.3917 18.3861 26.118 18.9532 27.0488ZM7.79046 16.0659C7.04341 16.0659 6.43784 16.6525 6.43784 17.3744C6.43784 18.0984 7.04341 18.6839 7.79046 18.6839C8.53751 18.6839 9.14307 18.0984 9.14307 17.3744C9.14307 16.6525 8.53751 16.0659 7.79046 16.0659ZM11.3491 16.0659C10.6021 16.0659 9.99652 16.6525 9.99652 17.3744C9.99652 18.0984 10.6021 18.6839 11.3491 18.6839C12.0962 18.6839 12.7017 18.0984 12.7017 17.3744C12.7017 16.6525 12.0962 16.0659 11.3491 16.0659Z"/>
+    </svg>
+</footer>
+</body>
+</html>

From e1f9d245c152201cb3acde9f74def814ab0bc5ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Mon, 24 Jun 2024 14:38:15 +0200
Subject: [PATCH 04/15] feat: Mock up behaviour of login/logout in login page.

Change name from form->login based on design. Adjust the css so the
design is correct.
---
 .../apphandler/authproxy/basicauth/handler.go | 83 ++++++++++++++---
 .../apphandler/authproxy/selector/selector.go |  4 +-
 .../proxy/pagewriter/assets/styles.css        | 93 ++++++++++++++++++-
 .../appsproxy/proxy/pagewriter/form.go        | 13 ---
 .../appsproxy/proxy/pagewriter/login.go       | 18 ++++
 .../proxy/pagewriter/template/form.gohtml     | 37 --------
 .../proxy/pagewriter/template/login.gohtml    | 56 +++++++++++
 7 files changed, 239 insertions(+), 65 deletions(-)
 delete mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/form.go
 create mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/login.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml
 create mode 100644 internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index fbf65ea36e..761efdf15a 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -1,7 +1,10 @@
 package basicauth
 
 import (
+	"crypto/sha256"
+	"io"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/benbjohnson/clock"
@@ -11,12 +14,14 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
 	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
 )
 
 const (
+	providerCookie  = "_oauth2_provider"
 	basicAuthCookie = "proxyBasicAuth"
 	formPagePath    = config.InternalPrefix + "/form"
 )
@@ -57,31 +62,86 @@ func (h *Handler) SignInPath() string {
 }
 
 func (h *Handler) CookieExpiration() time.Duration {
-	return 5 * time.Minute
+	return 1 * time.Hour
 }
 
 func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
-	cookie, _ := req.Cookie(basicAuthCookie)
-	if _, ok := req.Form["password"]; !ok || cookie == nil {
-		h.pageWriter.WriteFormPage(w, req, http.StatusOK)
+	host, _ := util.SplitHostPort(req.Host)
+	if host == "" {
+		panic(errors.New("host cannot be empty"))
+	}
+
+	requestCookie, _ := req.Cookie(basicAuthCookie)
+
+	// req.Form / req.PostForm does not work
+	b, err := io.ReadAll(req.Body)
+	if err != nil {
+		return err
+	}
+
+	values, err := url.ParseQuery(string(b))
+	if err != nil {
+		return err
+	}
+
+	// Unset cookie as /_proxy/sign_out was called and enforce login
+	if requestCookie != nil && req.URL.Path == selector.SignOutPath {
+		requestCookie.Value = ""
+		h.setCookie(w, host, -1, requestCookie)
+		requestCookie = nil
+	}
+
+	// Login page
+	if !values.Has("password") && requestCookie == nil {
+		h.pageWriter.WriteLoginPage(w, req, &h.app, nil)
 		return nil
 	}
 
-	if req.URL.Path != formPagePath {
+	p := values.Get("password")
+	// Login page with unauthorized alert
+	if err := h.isAuthorized(p, requestCookie); err != nil {
+		h.logger.Warn(req.Context(), err.Error())
+		h.pageWriter.WriteLoginPage(w, req, &h.app, err)
 		return nil
 	}
 
-	if !h.basicAuth.IsAuthorized("") {
-		return errors.New("wrong password prompted")
+	expires := h.CookieExpiration()
+	// Skip generating cookie value when already set and verified
+	if requestCookie != nil {
+		h.setCookie(w, host, expires, requestCookie)
+		return h.upstream.ServeHTTPOrError(w, req)
 	}
 
-	host, _ := util.SplitHostPort(req.Host)
-	if host == "" {
-		panic(errors.New("host cannot be empty"))
+	hash := sha256.New()
+	hash.Write([]byte(p))
+	hashedValue := hash.Sum(nil)
+	v := &http.Cookie{
+		Value: string(hashedValue),
+	}
+	h.setCookie(w, host, expires, v)
+	return h.upstream.ServeHTTPOrError(w, req)
+}
+
+func (h *Handler) isAuthorized(p string, cookie *http.Cookie) error {
+	if err := cookie.Valid(); cookie != nil {
+		if err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	if !h.basicAuth.IsAuthorized(p) {
+		return errors.New("wrong password was given")
 	}
 
+	return nil
+}
+
+func (h *Handler) setCookie(w http.ResponseWriter, host string, expires time.Duration, cookie *http.Cookie) {
 	v := &http.Cookie{
 		Name:     basicAuthCookie,
+		Value:    cookie.Value,
 		Path:     "/",
 		Domain:   host,
 		Secure:   true,
@@ -89,7 +149,6 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		SameSite: http.SameSiteStrictMode,
 	}
 
-	expires := h.CookieExpiration()
 	if expires > 0 {
 		// If there is an expiration, set it
 		v.Expires = h.clock.Now().Add(expires)
@@ -98,5 +157,5 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		v.MaxAge = -1
 	}
 
-	return h.upstream.ServeHTTPOrError(w, req)
+	http.SetCookie(w, v)
 }
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
index ea408064e1..1a4fe5575f 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
@@ -25,7 +25,7 @@ const (
 	continueAuthQueryParam     = "continue_auth"
 	callbackQueryParam         = "rd" // value match OAuth2Proxy internals and shouldn't be modified (see AppDirector there)
 	selectionPagePath          = config.InternalPrefix + "/selection"
-	signOutPath                = config.InternalPrefix + "/sign_out"
+	SignOutPath                = config.InternalPrefix + "/sign_out"
 	proxyCallbackPath          = config.InternalPrefix + "/callback"
 	ignoreProviderCookieCtxKey = ctxKey("ignoreProviderCookieCtxKey")
 	selectorHandlerCtxKey      = ctxKey("selectorHandlerCtxKey")
@@ -93,7 +93,7 @@ func (s *SelectorForAppRule) ServeHTTPOrError(w http.ResponseWriter, req *http.R
 	req = req.WithContext(context.WithValue(req.Context(), selectorHandlerCtxKey, s))
 
 	// Clear cookie on logout
-	if req.URL.Path == signOutPath {
+	if req.URL.Path == SignOutPath {
 		// This clears provider selection cookie while oauth2-proxy clears the session cookie.
 		// The user isn't logged out on the provider's side, but when redirected to the provider they're
 		// forced to select their account again because of the "select_account" flag in LoginURLParameters.
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/assets/styles.css b/internal/pkg/service/appsproxy/proxy/pagewriter/assets/styles.css
index ff9627b8aa..317f3135ff 100644
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/assets/styles.css
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/assets/styles.css
@@ -1,5 +1,10 @@
 :root {
     --primary: #1f8fff;
+    --secondary: #1EC71E;
+    --secondar-hover: #179b17;
+    --error: #FFE0E6;
+    --error-bold: #FFC2CC;
+    --input: #EDF0F5;
     --background: #f2f4f7;
     --white: #ffffff;
     --text: #222529;
@@ -31,7 +36,7 @@ footer {
 }
 
 header {
-    max-width: 376px;
+    max-width: 410px;
     text-align: center;
 }
 
@@ -199,3 +204,89 @@ a:hover {
     padding: 10px 16px;
     margin-bottom: 16px;
 }
+
+form {
+    display: flex;
+    flex-direction: column;
+    gap: 16px;
+    margin-top: 8px;
+}
+
+form button[type='submit'] {
+    margin-top: 8px;
+}
+
+.form-group {
+    display: flex;
+    flex-direction: column;
+    gap: 4px;
+}
+
+label {
+    font-size: 14px;
+    line-height: 20px;
+    color: var(--text);
+    text-align: left;
+}
+
+input {
+    display: block;
+    color: var(--text);
+    background: var(--input);
+    border-radius: 4px;
+    padding: 10px 16px;
+    border: 1px solid rgba(255, 255, 255, 0);
+}
+
+input:focus {
+    outline: 0;
+    border: 1px solid var(--primary) !important;
+    box-shadow: 0 0 0 3px rgba(34, 141, 255, 0.25);
+}
+
+button {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    gap: 8px;
+    font-weight: 600;
+    font-size: 12px;
+    line-height: 20px;
+    text-transform: uppercase;
+    letter-spacing: 1px;
+    padding: 10px 16px;
+    border-radius: 4px;
+    border: none;
+    cursor: pointer;
+    background: var(--secondary);
+    color: var(--white);
+}
+
+button:is(:hover, :focus):not(:disabled) {
+    background: var(--secondar-hover);
+}
+
+form:has(input:placeholder-shown) button[type='submit'] {
+    opacity: 0.4;
+    cursor: not-allowed;
+}
+
+.alert {
+    display: flex;
+    align-items: flex-start;
+    gap: 8px;
+    padding: 12px 16px;
+    margin: 8px 0 16px 0;
+    background: var(--error);
+    border: 1px solid var(--error-bold);
+    border-radius: 4px;
+}
+
+.alert p {
+    font-size: 14px;
+    line-height: 20px;
+}
+
+.alert p:last-child {
+    margin: 0;
+}
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/form.go b/internal/pkg/service/appsproxy/proxy/pagewriter/form.go
deleted file mode 100644
index cd53f8d108..0000000000
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/form.go
+++ /dev/null
@@ -1,13 +0,0 @@
-package pagewriter
-
-import "net/http"
-
-type FormPageData struct {
-	App AppData
-}
-
-func (pw *Writer) WriteFormPage(w http.ResponseWriter, req *http.Request, status int) {
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate;")
-	w.Header().Set("pragma", "no-cache")
-	pw.writePage(w, req, "form.gohtml", status, nil)
-}
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/login.go b/internal/pkg/service/appsproxy/proxy/pagewriter/login.go
new file mode 100644
index 0000000000..5c3ec8bb88
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/login.go
@@ -0,0 +1,18 @@
+package pagewriter
+
+import (
+	"net/http"
+
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
+)
+
+type LoginPageData struct {
+	App   AppData
+	Error error
+}
+
+func (pw *Writer) WriteLoginPage(w http.ResponseWriter, req *http.Request, app *api.AppConfig, err error) {
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate;")
+	w.Header().Set("pragma", "no-cache")
+	pw.writePage(w, req, "login.gohtml", http.StatusOK, &LoginPageData{App: NewAppData(app), Error: err})
+}
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml b/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml
deleted file mode 100644
index 66fce11790..0000000000
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/template/form.gohtml
+++ /dev/null
@@ -1,37 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-
-<head>
-    <meta charset="UTF-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <link rel="icon" type="image/x-icon" href="/_proxy/assets/favicon.ico">
-
-    <title>Basic Authentication</title>
-
-    <link rel="stylesheet" href="/_proxy/assets/styles.css">
-</head>
-<body>
-<header>
-    <h1>{{.App.Name}}</h1>
-    <section>
-        <div>
-            App ID: <b>{{.App.ID}}</b>
-        </div>
-        <b>,</b>
-        <div>
-            Project ID: <b>{{.App.ProjectID}}</b>
-        </div>
-    </section>
-</header>
-<main class="box">
-    <h2>Basic Authentication</h2>
-    <a href="{{.URL}}" class="link">{{.Name}}</a>
-</main>
-<footer>
-    <p>Powered By</p>
-    <svg xmlns="http://www.w3.org/2000/svg" width="100"  viewBox="0 0 132 33" fill="none">
-        <path class="icon-primary" d="M130.384 13.2579C131.49 14.3339 132 15.9206 132 17.8738V25.2386C132 26.1727 131.263 26.8812 130.327 26.8812C129.333 26.8812 128.653 26.2007 128.653 25.4364V24.8698C127.632 26.0878 126.071 27.051 123.773 27.051C120.965 27.051 118.468 25.4364 118.468 22.4339V22.3781C118.468 19.1488 120.993 17.5632 124.653 17.5632C126.327 17.5632 127.518 17.818 128.681 18.1856V17.818C128.681 15.6938 127.376 14.5608 124.965 14.5608C123.66 14.5608 122.583 14.7876 121.645 15.1552C121.447 15.2122 121.278 15.2401 121.107 15.2401C120.313 15.2401 119.66 14.6178 119.66 13.8244C119.66 13.2009 120.086 12.6634 120.596 12.4656C122.014 11.9271 123.461 11.5874 125.419 11.5874C127.66 11.5874 129.333 12.1818 130.384 13.2579ZM128.738 21.3579V20.3388C127.858 19.9991 126.695 19.7432 125.334 19.7432C123.121 19.7432 121.816 20.6785 121.816 22.2361V22.292C121.816 23.7368 123.093 24.5581 124.738 24.5581C127.007 24.5581 128.738 23.2552 128.738 21.3579ZM114.951 5.92331C115.916 5.92331 116.682 6.6876 116.682 7.62175V25.1816C116.682 26.1448 115.916 26.8812 114.951 26.8812C114.015 26.8812 113.249 26.1448 113.249 25.1816V7.62175C113.249 6.6876 113.987 5.92331 114.951 5.92331ZM103.293 11.4734C107.888 11.4734 111.264 14.9574 111.264 19.2337V19.2907C111.264 23.539 107.86 27.0789 103.236 27.0789C98.6691 27.0789 95.2927 23.5949 95.2927 19.3477V19.2907C95.2927 15.0144 98.6974 11.4734 103.293 11.4734ZM107.832 19.3477V19.2907C107.832 16.6559 105.931 14.4758 103.236 14.4758C100.485 14.4758 98.7257 16.6291 98.7257 19.2337V19.2907C98.7257 21.8965 100.626 24.0776 103.293 24.0776C106.073 24.0776 107.832 21.9244 107.832 19.3477ZM86.3575 11.4734C90.953 11.4734 94.3283 14.9574 94.3283 19.2337V19.2907C94.3283 23.539 90.9247 27.0789 86.3009 27.0789C81.7337 27.0789 78.3573 23.5949 78.3573 19.3477V19.2907C78.3573 15.0144 81.762 11.4734 86.3575 11.4734ZM90.8964 19.3477V19.2907C90.8964 16.6559 88.9959 14.4758 86.3009 14.4758C83.5493 14.4758 81.7903 16.6291 81.7903 19.2337V19.2907C81.7903 21.8965 83.6908 24.0776 86.3575 24.0776C89.1374 24.0776 90.8964 21.9244 90.8964 19.3477ZM70.3865 11.4734C73.9044 11.4734 77.3374 14.249 77.3374 19.2337V19.2907C77.3374 24.2463 73.9327 27.051 70.3865 27.051C67.8906 27.051 66.3309 25.804 65.2805 24.4173V25.1816C65.2805 26.1157 64.5153 26.8812 63.5498 26.8812C62.6138 26.8812 61.8486 26.1157 61.8486 25.1816V7.62175C61.8486 6.65855 62.5855 5.92331 63.5498 5.92331C64.5153 5.92331 65.2805 6.65855 65.2805 7.62175V14.2781C66.3875 12.7204 67.9472 11.4734 70.3865 11.4734ZM73.8478 19.2907V19.2337C73.8478 16.3452 71.8908 14.4468 69.5647 14.4468C67.2387 14.4468 65.1956 16.3732 65.1956 19.2337V19.2907C65.1956 22.1512 67.2387 24.0776 69.5647 24.0776C71.9191 24.0776 73.8478 22.2361 73.8478 19.2907ZM52.9134 11.4734C57.6787 11.4734 60.033 15.382 60.033 18.837C60.033 19.8002 59.2962 20.4796 58.4167 20.4796H49.0265C49.3955 22.9155 51.1262 24.2754 53.339 24.2754C54.7856 24.2754 55.9197 23.7659 56.8841 22.9725C57.1399 22.7747 57.3663 22.6608 57.7636 22.6608C58.5299 22.6608 59.1253 23.2552 59.1253 24.0486C59.1253 24.4732 58.9272 24.8419 58.6714 25.0967C57.3097 26.3146 55.6085 27.0789 53.2813 27.0789C48.9416 27.0789 45.5946 23.9357 45.5946 19.3186V19.2628C45.5946 14.9854 48.6292 11.4734 52.9134 11.4734ZM48.9982 18.2146H56.686C56.4585 16.0044 55.1546 14.2781 52.8851 14.2781C50.7855 14.2781 49.3106 15.8916 48.9982 18.2146ZM38.3041 15.6368L44.9992 23.9357C45.2822 24.3033 45.4814 24.643 45.4814 25.1816C45.4814 26.1448 44.7151 26.8812 43.7224 26.8812C43.041 26.8812 42.6154 26.5415 42.2476 26.0599L35.8648 17.9308L32.631 21.0461V25.1525C32.631 26.1157 31.8647 26.8812 30.9003 26.8812C29.9077 26.8812 29.1414 26.1157 29.1414 25.1525V8.50002C29.1414 7.53682 29.9077 6.77253 30.9003 6.77253C31.8647 6.77253 32.631 7.53682 32.631 8.50002V16.8838L42.0484 7.42397C42.4457 6.99824 42.8713 6.77253 43.4949 6.77253C44.4593 6.77253 45.1124 7.53682 45.1124 8.38716C45.1124 8.92463 44.8849 9.3213 44.4887 9.69004L38.3041 15.6368ZM9.6977 20.6282C5.08183 20.6282 1.55259 15.0736 1.55259 8.03853C1.55259 1.00454 4.49325 0 9.6977 0C14.9021 0 17.5881 1.00454 17.5881 8.03853C17.5881 15.0736 13.8948 20.6282 9.6977 20.6282ZM18.9532 27.0488C19.3324 27.6711 19.1173 28.4746 18.4744 28.8411C18.2582 28.964 18.0216 29.0221 17.7885 29.0221C17.3255 29.0221 16.8739 28.7919 16.6215 28.3773C16.1857 27.6644 15.7397 27.1571 15.2372 26.6934C14.7346 26.2319 14.1642 25.8185 13.511 25.3369C13.1919 25.1034 12.8738 24.9011 12.5569 24.729C12.5942 24.7961 12.6316 24.8643 12.6701 24.9346C13.5869 26.6376 14.5331 29.0008 14.5377 31.6926C14.5377 32.4145 13.9321 33 13.1851 33C12.4369 33 11.8313 32.4145 11.8313 31.6926C11.8358 29.6456 11.0933 27.6767 10.3101 26.2174C10.0565 25.7414 9.8007 25.3213 9.56979 24.9704C9.35134 25.3045 9.10911 25.7012 8.86689 26.1481C8.07117 27.6142 7.30374 29.6143 7.30827 31.6926C7.30827 32.4145 6.70271 33 5.95566 33C5.2086 33 4.60304 32.4145 4.60304 31.6926C4.60757 29.0008 5.5527 26.6376 6.47067 24.9346C6.50802 24.8643 6.54537 24.7961 6.58386 24.729C6.26579 24.9011 5.94886 25.1034 5.62967 25.3369C4.97543 25.8185 4.40496 26.2319 3.90353 26.6934C3.40097 27.1571 2.95387 27.6644 2.51809 28.3785C2.13891 29.0008 1.30923 29.2076 0.666313 28.8411C0.0222655 28.4746 -0.191662 27.6711 0.187522 27.0488C0.753469 26.118 1.38959 25.3917 2.04156 24.795C2.69467 24.1972 3.3523 23.7256 3.99069 23.2541C4.2929 23.0306 4.60304 22.825 4.91997 22.6384C4.60304 22.4518 4.2929 22.2451 3.99069 22.0216C2.53054 20.9456 1.26169 19.4941 0.187522 17.7319C-0.191662 17.1084 0.0222655 16.3061 0.666313 15.9396C1.30923 15.5731 2.13891 15.7798 2.51809 16.4022C3.44851 17.9297 4.50457 19.1119 5.62854 19.9388C6.834 20.8204 8.01797 21.2573 9.23588 21.3266C9.34681 21.3232 9.45887 21.3199 9.56979 21.3199C9.68185 21.3199 9.79278 21.3232 9.9037 21.3266C11.1216 21.2573 12.3067 20.8204 13.511 19.9388C14.635 19.1119 15.6922 17.9297 16.6215 16.4022C17.0018 15.7798 17.8304 15.5731 18.4744 15.9396C19.1173 16.3061 19.3324 17.1084 18.9532 17.7308C17.879 19.4941 16.609 20.9456 15.1489 22.0216C14.8467 22.2451 14.5365 22.4518 14.2207 22.6384C14.5365 22.825 14.8467 23.0306 15.1489 23.2541C15.7884 23.7256 16.4449 24.1972 17.0992 24.795C17.7511 25.3917 18.3861 26.118 18.9532 27.0488ZM7.79046 16.0659C7.04341 16.0659 6.43784 16.6525 6.43784 17.3744C6.43784 18.0984 7.04341 18.6839 7.79046 18.6839C8.53751 18.6839 9.14307 18.0984 9.14307 17.3744C9.14307 16.6525 8.53751 16.0659 7.79046 16.0659ZM11.3491 16.0659C10.6021 16.0659 9.99652 16.6525 9.99652 17.3744C9.99652 18.0984 10.6021 18.6839 11.3491 18.6839C12.0962 18.6839 12.7017 18.0984 12.7017 17.3744C12.7017 16.6525 12.0962 16.0659 11.3491 16.0659Z"/>
-    </svg>
-</footer>
-</body>
-</html>
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
new file mode 100644
index 0000000000..82e79bb330
--- /dev/null
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <link rel="icon" type="image/x-icon" href="/_proxy/assets/favicon.ico">
+
+  <title>Login</title>
+
+  <link rel="stylesheet" href="/_proxy/assets/styles.css">
+</head>
+<body>
+  <header>
+    <h1>{{.App.Name}}</h1>
+    <section>
+      <div>
+          App ID: <b>{{.App.ID}}</b>
+      </div>
+      <b>,</b>
+      <div>
+          Project ID: <b>{{.App.ProjectID}}</b>
+      </div>
+    </section>
+  </header>
+  <main class="box">
+    <h2>Basic Authentication</h2>
+    {{ if .Error }}
+    <div class="alert">
+      <svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
+        <path d="M9.99942 3C10.4432 3 10.8526 3.23437 11.0776 3.61875L17.8281 15.1187C18.0562 15.5062 18.0562 15.9844 17.8344 16.3719C17.6125 16.7594 17.1968 17 16.7499 17H3.24894C2.80203 17 2.38637 16.7594 2.16448 16.3719C1.94259 15.9844 1.94572 15.5031 2.17073 15.1187L8.92122 3.61875C9.14623 3.23437 9.55564 3 9.99942 3ZM9.99942 7C9.58377 7 9.24937 7.33437 9.24937 7.75V11.25C9.24937 11.6656 9.58377 12 9.99942 12C10.4151 12 10.7495 11.6656 10.7495 11.25V7.75C10.7495 7.33437 10.4151 7 9.99942 7ZM10.9995 14C10.9995 13.4469 10.5526 13 9.99942 13C9.44625 13 8.99935 13.4469 8.99935 14C8.99935 14.5531 9.44625 15 9.99942 15C10.5526 15 10.9995 14.5531 10.9995 14Z" fill="#E00025"/>
+      </svg>
+      <p>Please enter a correct password.</p>
+    </div>
+    {{ end }}
+    <form method="POST">
+      <div class="form-group">
+        <label for="password">Password</label>
+        <input type="password" id="password" name="password" placeholder="Password" />
+      </div>
+      <button type="submit">
+        <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+          <path d="M16 8C16 12.4183 12.4183 16 8 16C3.58171 16 0 12.4183 0 8C0 3.58171 3.58171 0 8 0C12.4183 0 16 3.58171 16 8ZM7.07464 12.2359L13.0101 6.30045C13.2117 6.0989 13.2117 5.7721 13.0101 5.57055L12.2802 4.84064C12.0787 4.63906 11.7519 4.63906 11.5503 4.84064L6.70968 9.68123L4.44971 7.42126C4.24816 7.21971 3.92135 7.21971 3.71977 7.42126L2.98987 8.15116C2.78832 8.35271 2.78832 8.67952 2.98987 8.88106L6.34471 12.2359C6.54629 12.4375 6.87306 12.4375 7.07464 12.2359Z" fill="white"/>
+        </svg>
+        Login
+      </button>
+    </form>
+  </main>
+  <footer>
+    <p>Powered By</p>
+    <svg xmlns="http://www.w3.org/2000/svg" width="100"  viewBox="0 0 132 33" fill="none">
+      <path d="M130.384 13.2579C131.49 14.3339 132 15.9206 132 17.8738V25.2386C132 26.1727 131.263 26.8812 130.327 26.8812C129.333 26.8812 128.653 26.2007 128.653 25.4364V24.8698C127.632 26.0878 126.071 27.051 123.773 27.051C120.965 27.051 118.468 25.4364 118.468 22.4339V22.3781C118.468 19.1488 120.993 17.5632 124.653 17.5632C126.327 17.5632 127.518 17.818 128.681 18.1856V17.818C128.681 15.6938 127.376 14.5608 124.965 14.5608C123.66 14.5608 122.583 14.7876 121.645 15.1552C121.447 15.2122 121.278 15.2401 121.107 15.2401C120.313 15.2401 119.66 14.6178 119.66 13.8244C119.66 13.2009 120.086 12.6634 120.596 12.4656C122.014 11.9271 123.461 11.5874 125.419 11.5874C127.66 11.5874 129.333 12.1818 130.384 13.2579ZM128.738 21.3579V20.3388C127.858 19.9991 126.695 19.7432 125.334 19.7432C123.121 19.7432 121.816 20.6785 121.816 22.2361V22.292C121.816 23.7368 123.093 24.5581 124.738 24.5581C127.007 24.5581 128.738 23.2552 128.738 21.3579ZM114.951 5.92331C115.916 5.92331 116.682 6.6876 116.682 7.62175V25.1816C116.682 26.1448 115.916 26.8812 114.951 26.8812C114.015 26.8812 113.249 26.1448 113.249 25.1816V7.62175C113.249 6.6876 113.987 5.92331 114.951 5.92331ZM103.293 11.4734C107.888 11.4734 111.264 14.9574 111.264 19.2337V19.2907C111.264 23.539 107.86 27.0789 103.236 27.0789C98.6691 27.0789 95.2927 23.5949 95.2927 19.3477V19.2907C95.2927 15.0144 98.6974 11.4734 103.293 11.4734ZM107.832 19.3477V19.2907C107.832 16.6559 105.931 14.4758 103.236 14.4758C100.485 14.4758 98.7257 16.6291 98.7257 19.2337V19.2907C98.7257 21.8965 100.626 24.0776 103.293 24.0776C106.073 24.0776 107.832 21.9244 107.832 19.3477ZM86.3575 11.4734C90.953 11.4734 94.3283 14.9574 94.3283 19.2337V19.2907C94.3283 23.539 90.9247 27.0789 86.3009 27.0789C81.7337 27.0789 78.3573 23.5949 78.3573 19.3477V19.2907C78.3573 15.0144 81.762 11.4734 86.3575 11.4734ZM90.8964 19.3477V19.2907C90.8964 16.6559 88.9959 14.4758 86.3009 14.4758C83.5493 14.4758 81.7903 16.6291 81.7903 19.2337V19.2907C81.7903 21.8965 83.6908 24.0776 86.3575 24.0776C89.1374 24.0776 90.8964 21.9244 90.8964 19.3477ZM70.3865 11.4734C73.9044 11.4734 77.3374 14.249 77.3374 19.2337V19.2907C77.3374 24.2463 73.9327 27.051 70.3865 27.051C67.8906 27.051 66.3309 25.804 65.2805 24.4173V25.1816C65.2805 26.1157 64.5153 26.8812 63.5498 26.8812C62.6138 26.8812 61.8486 26.1157 61.8486 25.1816V7.62175C61.8486 6.65855 62.5855 5.92331 63.5498 5.92331C64.5153 5.92331 65.2805 6.65855 65.2805 7.62175V14.2781C66.3875 12.7204 67.9472 11.4734 70.3865 11.4734ZM73.8478 19.2907V19.2337C73.8478 16.3452 71.8908 14.4468 69.5647 14.4468C67.2387 14.4468 65.1956 16.3732 65.1956 19.2337V19.2907C65.1956 22.1512 67.2387 24.0776 69.5647 24.0776C71.9191 24.0776 73.8478 22.2361 73.8478 19.2907ZM52.9134 11.4734C57.6787 11.4734 60.033 15.382 60.033 18.837C60.033 19.8002 59.2962 20.4796 58.4167 20.4796H49.0265C49.3955 22.9155 51.1262 24.2754 53.339 24.2754C54.7856 24.2754 55.9197 23.7659 56.8841 22.9725C57.1399 22.7747 57.3663 22.6608 57.7636 22.6608C58.5299 22.6608 59.1253 23.2552 59.1253 24.0486C59.1253 24.4732 58.9272 24.8419 58.6714 25.0967C57.3097 26.3146 55.6085 27.0789 53.2813 27.0789C48.9416 27.0789 45.5946 23.9357 45.5946 19.3186V19.2628C45.5946 14.9854 48.6292 11.4734 52.9134 11.4734ZM48.9982 18.2146H56.686C56.4585 16.0044 55.1546 14.2781 52.8851 14.2781C50.7855 14.2781 49.3106 15.8916 48.9982 18.2146ZM38.3041 15.6368L44.9992 23.9357C45.2822 24.3033 45.4814 24.643 45.4814 25.1816C45.4814 26.1448 44.7151 26.8812 43.7224 26.8812C43.041 26.8812 42.6154 26.5415 42.2476 26.0599L35.8648 17.9308L32.631 21.0461V25.1525C32.631 26.1157 31.8647 26.8812 30.9003 26.8812C29.9077 26.8812 29.1414 26.1157 29.1414 25.1525V8.50002C29.1414 7.53682 29.9077 6.77253 30.9003 6.77253C31.8647 6.77253 32.631 7.53682 32.631 8.50002V16.8838L42.0484 7.42397C42.4457 6.99824 42.8713 6.77253 43.4949 6.77253C44.4593 6.77253 45.1124 7.53682 45.1124 8.38716C45.1124 8.92463 44.8849 9.3213 44.4887 9.69004L38.3041 15.6368ZM9.6977 20.6282C5.08183 20.6282 1.55259 15.0736 1.55259 8.03853C1.55259 1.00454 4.49325 0 9.6977 0C14.9021 0 17.5881 1.00454 17.5881 8.03853C17.5881 15.0736 13.8948 20.6282 9.6977 20.6282ZM18.9532 27.0488C19.3324 27.6711 19.1173 28.4746 18.4744 28.8411C18.2582 28.964 18.0216 29.0221 17.7885 29.0221C17.3255 29.0221 16.8739 28.7919 16.6215 28.3773C16.1857 27.6644 15.7397 27.1571 15.2372 26.6934C14.7346 26.2319 14.1642 25.8185 13.511 25.3369C13.1919 25.1034 12.8738 24.9011 12.5569 24.729C12.5942 24.7961 12.6316 24.8643 12.6701 24.9346C13.5869 26.6376 14.5331 29.0008 14.5377 31.6926C14.5377 32.4145 13.9321 33 13.1851 33C12.4369 33 11.8313 32.4145 11.8313 31.6926C11.8358 29.6456 11.0933 27.6767 10.3101 26.2174C10.0565 25.7414 9.8007 25.3213 9.56979 24.9704C9.35134 25.3045 9.10911 25.7012 8.86689 26.1481C8.07117 27.6142 7.30374 29.6143 7.30827 31.6926C7.30827 32.4145 6.70271 33 5.95566 33C5.2086 33 4.60304 32.4145 4.60304 31.6926C4.60757 29.0008 5.5527 26.6376 6.47067 24.9346C6.50802 24.8643 6.54537 24.7961 6.58386 24.729C6.26579 24.9011 5.94886 25.1034 5.62967 25.3369C4.97543 25.8185 4.40496 26.2319 3.90353 26.6934C3.40097 27.1571 2.95387 27.6644 2.51809 28.3785C2.13891 29.0008 1.30923 29.2076 0.666313 28.8411C0.0222655 28.4746 -0.191662 27.6711 0.187522 27.0488C0.753469 26.118 1.38959 25.3917 2.04156 24.795C2.69467 24.1972 3.3523 23.7256 3.99069 23.2541C4.2929 23.0306 4.60304 22.825 4.91997 22.6384C4.60304 22.4518 4.2929 22.2451 3.99069 22.0216C2.53054 20.9456 1.26169 19.4941 0.187522 17.7319C-0.191662 17.1084 0.0222655 16.3061 0.666313 15.9396C1.30923 15.5731 2.13891 15.7798 2.51809 16.4022C3.44851 17.9297 4.50457 19.1119 5.62854 19.9388C6.834 20.8204 8.01797 21.2573 9.23588 21.3266C9.34681 21.3232 9.45887 21.3199 9.56979 21.3199C9.68185 21.3199 9.79278 21.3232 9.9037 21.3266C11.1216 21.2573 12.3067 20.8204 13.511 19.9388C14.635 19.1119 15.6922 17.9297 16.6215 16.4022C17.0018 15.7798 17.8304 15.5731 18.4744 15.9396C19.1173 16.3061 19.3324 17.1084 18.9532 17.7308C17.879 19.4941 16.609 20.9456 15.1489 22.0216C14.8467 22.2451 14.5365 22.4518 14.2207 22.6384C14.5365 22.825 14.8467 23.0306 15.1489 23.2541C15.7884 23.7256 16.4449 24.1972 17.0992 24.795C17.7511 25.3917 18.3861 26.118 18.9532 27.0488ZM7.79046 16.0659C7.04341 16.0659 6.43784 16.6525 6.43784 17.3744C6.43784 18.0984 7.04341 18.6839 7.79046 18.6839C8.53751 18.6839 9.14307 18.0984 9.14307 17.3744C9.14307 16.6525 8.53751 16.0659 7.79046 16.0659ZM11.3491 16.0659C10.6021 16.0659 9.99652 16.6525 9.99652 17.3744C9.99652 18.0984 10.6021 18.6839 11.3491 18.6839C12.0962 18.6839 12.7017 18.0984 12.7017 17.3744C12.7017 16.6525 12.0962 16.0659 11.3491 16.0659Z"/>
+    </svg>
+  </footer>
+</body>
+</html>

From 95ed37f0ccceaed7c5e8dee13e64d9d786c6cc12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Wed, 26 Jun 2024 10:00:56 +0200
Subject: [PATCH 05/15] feat: Add new basic auth tests.

---
 .../apphandler/authproxy/basicauth/handler.go |   8 ++
 .../pkg/service/appsproxy/proxy/proxy_test.go | 123 ++++++++++++++++++
 2 files changed, 131 insertions(+)

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index 761efdf15a..ca1b435af5 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -2,6 +2,7 @@ package basicauth
 
 import (
 	"crypto/sha256"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -73,6 +74,13 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 
 	requestCookie, _ := req.Cookie(basicAuthCookie)
 
+	err := req.ParseForm()
+	if err != nil {
+		return err
+	}
+
+	fmt.Println(req.FormValue("password"))
+
 	// req.Form / req.PostForm does not work
 	b, err := io.ReadAll(req.Body)
 	if err != nil {
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index b902fd67bb..f18f98dcca 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2,6 +2,7 @@
 package proxy_test
 
 import (
+	"bytes"
 	"context"
 	"crypto/rand"
 	"fmt"
@@ -1980,6 +1981,104 @@ func TestAppProxyRouter(t *testing.T) {
 			expectedNotifications: map[string]int{},
 			expectedWakeUps:       map[string]int{},
 		},
+		{
+			name: "public-basic-auth-wrong-login",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Request public basic auth app
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/", nil)
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Basic Authentication")
+
+				// Fill wrong password into form
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=def")))
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err = io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Please enter a correct password.")
+			},
+			expectedNotifications: map[string]int{},
+			expectedWakeUps:       map[string]int{},
+		},
+		{
+			name: "public-basic-auth-correct-login",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Request public basic auth app
+				//				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/", nil)
+				//				require.NoError(t, err)
+				//				response, err := client.Do(request)
+				//				require.NoError(t, err)
+				//				require.Equal(t, http.StatusOK, response.StatusCode)
+				//				body, err := io.ReadAll(response.Body)
+				//				require.NoError(t, err)
+				//				assert.Contains(t, string(body), "Basic Authentication")
+
+				// Fill wrong password into form
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=abc")))
+				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Hello, client")
+				// Check that cookies were set
+				cookies := response.Cookies()
+				if assert.Len(t, cookies, 1) {
+					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
+					assert.Equal(t, "xAA@]#aza", cookies[0].Value)
+					assert.Equal(t, "/", cookies[0].Path)
+					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
+					assert.True(t, cookies[0].HttpOnly)
+					assert.True(t, cookies[0].Secure)
+					assert.Equal(t, http.SameSiteStrictMode, cookies[0].SameSite)
+				}
+			},
+			expectedNotifications: map[string]int{
+				"auth": 1,
+			},
+			expectedWakeUps: map[string]int{},
+		},
+		{
+			name: "public-basic-auth-expired-cookie",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Access with expired cookie
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", nil)
+				client.Jar.SetCookies(
+					&url.URL{
+						Scheme: "https",
+						Host:   "oidc.hub.keboola.local",
+					},
+					[]*http.Cookie{
+						{
+							Name:   "_oauth2_proxy_csrf",
+							Value:  "",
+							Path:   "/",
+							Domain: "oidc.hub.keboola.local",
+						},
+					},
+				)
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Hello, client")
+			},
+			expectedNotifications: map[string]int{
+				"auth": 1,
+			},
+			expectedWakeUps: map[string]int{},
+		},
 	}
 
 	publicAppTestCaseFactory := func(method string) testCase {
@@ -2453,6 +2552,30 @@ func testDataApps(upstream *url.URL, m []*mockoidc.MockOIDC) []api.AppConfig {
 				},
 			},
 		},
+		{
+			ID:             "auth",
+			ProjectID:      "123",
+			UpstreamAppURL: upstream.String(),
+			AppSlug:        ptr.Ptr("basic"), //basic-auth.hub.keboola.local
+			AuthProviders: provider.Providers{
+				provider.Basic{
+					Base: provider.Base{
+						Info: provider.Info{
+							ID:   "basic",
+							Type: provider.TypeBasic,
+						},
+					},
+					Password: "abc",
+				},
+			},
+			AuthRules: []api.Rule{
+				{
+					Type:  api.RulePathPrefix,
+					Value: "/",
+					Auth:  []provider.ID{"basic"},
+				},
+			},
+		},
 	}
 }
 

From 21c460e2538ea65d8c6aa55441fed30a8b587454 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Wed, 26 Jun 2024 13:15:31 +0200
Subject: [PATCH 06/15] fix: Cookie value comparation with config.

Add cookies tests and sign out one. Coverage 90%
---
 .../apphandler/authproxy/basicauth/handler.go | 50 ++++------
 .../proxy/pagewriter/template/login.gohtml    |  4 +-
 .../pkg/service/appsproxy/proxy/proxy_test.go | 93 +++++++++++++------
 3 files changed, 85 insertions(+), 62 deletions(-)

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index ca1b435af5..6b87b727e6 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -2,10 +2,8 @@ package basicauth
 
 import (
 	"crypto/sha256"
-	"fmt"
-	"io"
+	"encoding/hex"
 	"net/http"
-	"net/url"
 	"time"
 
 	"github.com/benbjohnson/clock"
@@ -22,7 +20,6 @@ import (
 )
 
 const (
-	providerCookie  = "_oauth2_provider"
 	basicAuthCookie = "proxyBasicAuth"
 	formPagePath    = config.InternalPrefix + "/form"
 )
@@ -72,27 +69,15 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		panic(errors.New("host cannot be empty"))
 	}
 
-	requestCookie, _ := req.Cookie(basicAuthCookie)
-
-	err := req.ParseForm()
-	if err != nil {
+	if err := req.ParseForm(); err != nil {
 		return err
 	}
 
-	fmt.Println(req.FormValue("password"))
-
-	// req.Form / req.PostForm does not work
-	b, err := io.ReadAll(req.Body)
-	if err != nil {
-		return err
-	}
-
-	values, err := url.ParseQuery(string(b))
-	if err != nil {
-		return err
-	}
+	// Unset content length as we do not want to push req.Body to upstream
+	req.ContentLength = 0
 
 	// Unset cookie as /_proxy/sign_out was called and enforce login
+	requestCookie, _ := req.Cookie(basicAuthCookie)
 	if requestCookie != nil && req.URL.Path == selector.SignOutPath {
 		requestCookie.Value = ""
 		h.setCookie(w, host, -1, requestCookie)
@@ -100,12 +85,12 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	}
 
 	// Login page
-	if !values.Has("password") && requestCookie == nil {
+	if !req.Form.Has("password") && requestCookie == nil {
 		h.pageWriter.WriteLoginPage(w, req, &h.app, nil)
 		return nil
 	}
 
-	p := values.Get("password")
+	p := req.Form.Get("password")
 	// Login page with unauthorized alert
 	if err := h.isAuthorized(p, requestCookie); err != nil {
 		h.logger.Warn(req.Context(), err.Error())
@@ -124,23 +109,28 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	hash.Write([]byte(p))
 	hashedValue := hash.Sum(nil)
 	v := &http.Cookie{
-		Value: string(hashedValue),
+		Value: hex.EncodeToString(hashedValue),
 	}
 	h.setCookie(w, host, expires, v)
 	return h.upstream.ServeHTTPOrError(w, req)
 }
 
 func (h *Handler) isAuthorized(p string, cookie *http.Cookie) error {
-	if err := cookie.Valid(); cookie != nil {
-		if err != nil {
-			return err
-		}
+	if p != "" && !h.basicAuth.IsAuthorized(p) {
+		return errors.New("Please enter a correct password.")
+	}
 
-		return nil
+	if err := cookie.Valid(); cookie != nil && err != nil {
+		return err
 	}
 
-	if !h.basicAuth.IsAuthorized(p) {
-		return errors.New("wrong password was given")
+	if cookie != nil {
+		hash := sha256.New()
+		hash.Write([]byte(h.basicAuth.Password))
+		hashedValue := hash.Sum(nil)
+		if hex.EncodeToString(hashedValue) != cookie.Value {
+			return errors.New("Cookie not set correctly.")
+		}
 	}
 
 	return nil
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
index 82e79bb330..6d53468e6e 100644
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
@@ -30,7 +30,7 @@
       <svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
         <path d="M9.99942 3C10.4432 3 10.8526 3.23437 11.0776 3.61875L17.8281 15.1187C18.0562 15.5062 18.0562 15.9844 17.8344 16.3719C17.6125 16.7594 17.1968 17 16.7499 17H3.24894C2.80203 17 2.38637 16.7594 2.16448 16.3719C1.94259 15.9844 1.94572 15.5031 2.17073 15.1187L8.92122 3.61875C9.14623 3.23437 9.55564 3 9.99942 3ZM9.99942 7C9.58377 7 9.24937 7.33437 9.24937 7.75V11.25C9.24937 11.6656 9.58377 12 9.99942 12C10.4151 12 10.7495 11.6656 10.7495 11.25V7.75C10.7495 7.33437 10.4151 7 9.99942 7ZM10.9995 14C10.9995 13.4469 10.5526 13 9.99942 13C9.44625 13 8.99935 13.4469 8.99935 14C8.99935 14.5531 9.44625 15 9.99942 15C10.5526 15 10.9995 14.5531 10.9995 14Z" fill="#E00025"/>
       </svg>
-      <p>Please enter a correct password.</p>
+      <p>{{.Error}}</p>
     </div>
     {{ end }}
     <form method="POST">
@@ -38,7 +38,7 @@
         <label for="password">Password</label>
         <input type="password" id="password" name="password" placeholder="Password" />
       </div>
-      <button type="submit">
+      <button type="submit" name="submit">
         <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
           <path d="M16 8C16 12.4183 12.4183 16 8 16C3.58171 16 0 12.4183 0 8C0 3.58171 3.58171 0 8 0C12.4183 0 16 3.58171 16 8ZM7.07464 12.2359L13.0101 6.30045C13.2117 6.0989 13.2117 5.7721 13.0101 5.57055L12.2802 4.84064C12.0787 4.63906 11.7519 4.63906 11.5503 4.84064L6.70968 9.68123L4.44971 7.42126C4.24816 7.21971 3.92135 7.21971 3.71977 7.42126L2.98987 8.15116C2.78832 8.35271 2.78832 8.67952 2.98987 8.88106L6.34471 12.2359C6.54629 12.4375 6.87306 12.4375 7.07464 12.2359Z" fill="white"/>
         </svg>
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index f18f98dcca..6cd60e8942 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -1996,6 +1996,7 @@ func TestAppProxyRouter(t *testing.T) {
 
 				// Fill wrong password into form
 				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=def")))
+				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				require.NoError(t, err)
 				response, err = client.Do(request)
 				require.NoError(t, err)
@@ -2011,30 +2012,30 @@ func TestAppProxyRouter(t *testing.T) {
 			name: "public-basic-auth-correct-login",
 			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
 				// Request public basic auth app
-				//				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/", nil)
-				//				require.NoError(t, err)
-				//				response, err := client.Do(request)
-				//				require.NoError(t, err)
-				//				require.Equal(t, http.StatusOK, response.StatusCode)
-				//				body, err := io.ReadAll(response.Body)
-				//				require.NoError(t, err)
-				//				assert.Contains(t, string(body), "Basic Authentication")
-
-				// Fill wrong password into form
-				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=abc")))
-				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/", nil)
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)
 				require.Equal(t, http.StatusOK, response.StatusCode)
 				body, err := io.ReadAll(response.Body)
 				require.NoError(t, err)
+				assert.Contains(t, string(body), "Basic Authentication")
+
+				// Fill correct password into form
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=abc")))
+				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err = io.ReadAll(response.Body)
+				require.NoError(t, err)
 				assert.Contains(t, string(body), "Hello, client")
 				// Check that cookies were set
 				cookies := response.Cookies()
 				if assert.Len(t, cookies, 1) {
 					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
-					assert.Equal(t, "xAA@]#aza", cookies[0].Value)
+					assert.Equal(t, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", cookies[0].Value)
 					assert.Equal(t, "/", cookies[0].Path)
 					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
 					assert.True(t, cookies[0].HttpOnly)
@@ -2048,24 +2049,28 @@ func TestAppProxyRouter(t *testing.T) {
 			expectedWakeUps: map[string]int{},
 		},
 		{
-			name: "public-basic-auth-expired-cookie",
+			name: "public-basic-auth-wrong-cookie",
 			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
-				// Access with expired cookie
+				// Access with cookie
 				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", nil)
-				client.Jar.SetCookies(
-					&url.URL{
-						Scheme: "https",
-						Host:   "oidc.hub.keboola.local",
-					},
-					[]*http.Cookie{
-						{
-							Name:   "_oauth2_proxy_csrf",
-							Value:  "",
-							Path:   "/",
-							Domain: "oidc.hub.keboola.local",
-						},
-					},
-				)
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015a"})
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Cookie not set correctly")
+			},
+			expectedNotifications: map[string]int{},
+			expectedWakeUps:       map[string]int{},
+		},
+		{
+			name: "public-basic-auth-cookie",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Access with cookie
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", nil)
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"})
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)
@@ -2073,12 +2078,40 @@ func TestAppProxyRouter(t *testing.T) {
 				body, err := io.ReadAll(response.Body)
 				require.NoError(t, err)
 				assert.Contains(t, string(body), "Hello, client")
+				require.Len(t, response.Cookies(), 2)
 			},
 			expectedNotifications: map[string]int{
 				"auth": 1,
 			},
 			expectedWakeUps: map[string]int{},
 		},
+		{
+			name: "public-basic-auth-sign-out",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Access with cookie
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/_proxy/sign_out", nil)
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"})
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Basic Authentication")
+				if assert.Len(t, response.Cookies(), 3) {
+					c := response.Cookies()[2]
+					assert.Equal(t, "proxyBasicAuth", c.Name)
+					assert.Equal(t, "", c.Value)
+					assert.Equal(t, "/", c.Path)
+					assert.Equal(t, "basic-auth.hub.keboola.local", c.Domain)
+					assert.True(t, c.HttpOnly)
+					assert.True(t, c.Secure)
+					assert.Equal(t, http.SameSiteStrictMode, c.SameSite)
+				}
+			},
+			expectedNotifications: map[string]int{},
+			expectedWakeUps:       map[string]int{},
+		},
 	}
 
 	publicAppTestCaseFactory := func(method string) testCase {
@@ -2556,7 +2589,7 @@ func testDataApps(upstream *url.URL, m []*mockoidc.MockOIDC) []api.AppConfig {
 			ID:             "auth",
 			ProjectID:      "123",
 			UpstreamAppURL: upstream.String(),
-			AppSlug:        ptr.Ptr("basic"), //basic-auth.hub.keboola.local
+			AppSlug:        ptr.Ptr("basic"), // basic-auth.hub.keboola.local
 			AuthProviders: provider.Providers{
 				provider.Basic{
 					Base: provider.Base{

From 1537966ee45fef65bf292d45f22d3b5e9260469d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Thu, 27 Jun 2024 08:28:42 +0200
Subject: [PATCH 07/15] fix: Move files that creates dev environment under
 provisioning

---
 docker-compose.yml                                          | 6 +++---
 .../apps-proxy/dev/sandboxesMock.json                       | 0
 redis.conf => provisioning/common/redis/redis.conf          | 0
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename initializer.json => provisioning/apps-proxy/dev/sandboxesMock.json (100%)
 rename redis.conf => provisioning/common/redis/redis.conf (100%)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0cf28758b2..3e212d62d5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,7 +72,7 @@ services:
       ports:
         - "6379:6379"
       volumes:
-        - ./redis.conf:/etc/redis/redis.conf
+        - ./provisioning/common/redis/redis.conf:/etc/redis/redis.conf
       environment:
         REDIS_PORT: 6379
   # Same etcd is used for all services, but with different namespace
@@ -110,9 +110,9 @@ services:
       environment:
         MOCKSERVER_WATCH_INITIALIZATION_JSON: "true"
         MOCKSERVER_PROPERTY_FILE: /config/mockserver.properties
-        MOCKSERVER_INITIALIZATION_JSON_PATH: /config/initializerJson.json
+        MOCKSERVER_INITIALIZATION_JSON_PATH: /config/sandboxesMock.json
       volumes:
-        - ./initializer.json:/config/initializerJson.json:Z
+        - ./provisioning/apps-proxy/dev/sandboxesMock.json:/config/sandboxesMock.json:Z
 
 volumes:
   cache:
diff --git a/initializer.json b/provisioning/apps-proxy/dev/sandboxesMock.json
similarity index 100%
rename from initializer.json
rename to provisioning/apps-proxy/dev/sandboxesMock.json
diff --git a/redis.conf b/provisioning/common/redis/redis.conf
similarity index 100%
rename from redis.conf
rename to provisioning/common/redis/redis.conf

From 01e81f205440840ccb6cbe283fa15943764cc1d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Thu, 27 Jun 2024 08:45:09 +0200
Subject: [PATCH 08/15] fix: Add sensitive tag for not exposing passowrd in
 logs.

Update p -> password, do not panic in handler.
Change error message when host:port cannot be splitted. The error is
just internal for client. We have spans in DD to locate the issue.
---
 .../pkg/service/appsproxy/dataapps/auth/provider/basic.go   | 2 +-
 .../proxy/apphandler/authproxy/basicauth/handler.go         | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go b/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
index b3f4a8bb0e..e3ab974f37 100644
--- a/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
+++ b/internal/pkg/service/appsproxy/dataapps/auth/provider/basic.go
@@ -2,7 +2,7 @@ package provider
 
 type Basic struct {
 	Base
-	Password string `json:"password"`
+	Password string `json:"password" sensitive:"true"`
 }
 
 func (p *Basic) IsAuthorized(password string) bool {
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index 6b87b727e6..9bb9e998d0 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -66,7 +66,7 @@ func (h *Handler) CookieExpiration() time.Duration {
 func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
 	host, _ := util.SplitHostPort(req.Host)
 	if host == "" {
-		panic(errors.New("host cannot be empty"))
+		return errors.New("internal server error")
 	}
 
 	if err := req.ParseForm(); err != nil {
@@ -115,8 +115,8 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	return h.upstream.ServeHTTPOrError(w, req)
 }
 
-func (h *Handler) isAuthorized(p string, cookie *http.Cookie) error {
-	if p != "" && !h.basicAuth.IsAuthorized(p) {
+func (h *Handler) isAuthorized(password string, cookie *http.Cookie) error {
+	if password != "" && !h.basicAuth.IsAuthorized(password) {
 		return errors.New("Please enter a correct password.")
 	}
 

From 33532b0716aeeaf50abefe6c53abc4316a1cb5de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Thu, 27 Jun 2024 11:17:31 +0200
Subject: [PATCH 09/15] fix: Enhance security of app cookies.

Prevent copy of cookie to another app with same password. The appID
should prevent to generate same hash as in other app. Therefore the
cookies could be way to do enumerative attack.
---
 .../appsproxy/proxy/apphandler/authproxy/basicauth/handler.go | 4 ++--
 internal/pkg/service/appsproxy/proxy/proxy_test.go            | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index 9bb9e998d0..9fa8b4ce29 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -106,7 +106,7 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	}
 
 	hash := sha256.New()
-	hash.Write([]byte(p))
+	hash.Write([]byte(p + string(h.app.ID)))
 	hashedValue := hash.Sum(nil)
 	v := &http.Cookie{
 		Value: hex.EncodeToString(hashedValue),
@@ -126,7 +126,7 @@ func (h *Handler) isAuthorized(password string, cookie *http.Cookie) error {
 
 	if cookie != nil {
 		hash := sha256.New()
-		hash.Write([]byte(h.basicAuth.Password))
+		hash.Write([]byte(h.basicAuth.Password + string(h.app.ID)))
 		hashedValue := hash.Sum(nil)
 		if hex.EncodeToString(hashedValue) != cookie.Value {
 			return errors.New("Cookie not set correctly.")
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index 6cd60e8942..f92a881604 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2035,7 +2035,7 @@ func TestAppProxyRouter(t *testing.T) {
 				cookies := response.Cookies()
 				if assert.Len(t, cookies, 1) {
 					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
-					assert.Equal(t, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", cookies[0].Value)
+					assert.Equal(t, "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa", cookies[0].Value)
 					assert.Equal(t, "/", cookies[0].Path)
 					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
 					assert.True(t, cookies[0].HttpOnly)
@@ -2070,7 +2070,7 @@ func TestAppProxyRouter(t *testing.T) {
 			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
 				// Access with cookie
 				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", nil)
-				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"})
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa"})
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)

From db5cff8fb40c18457b6357017a0d8f3c2762a1c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Thu, 27 Jun 2024 13:40:55 +0200
Subject: [PATCH 10/15] fix: Remove old oidcproxy package.

---
 .../proxy/apphandler/oidcproxy/config.go      | 129 ----------
 .../proxy/apphandler/oidcproxy/doc.go         |   3 -
 .../proxy/apphandler/oidcproxy/handler.go     | 125 ---------
 .../apphandler/oidcproxy/logging/writer.go    |  35 ---
 .../proxy/apphandler/oidcproxy/pagewriter.go  | 107 --------
 .../proxy/apphandler/oidcproxy/selector.go    | 238 ------------------
 .../pkg/service/appsproxy/proxy/proxy_test.go |   2 +-
 .../pkg/service/appsproxy/proxy/server.go     |   2 +-
 8 files changed, 2 insertions(+), 639 deletions(-)
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/config.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/doc.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/handler.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging/writer.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/pagewriter.go
 delete mode 100644 internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/selector.go

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/config.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/config.go
deleted file mode 100644
index 181ac034f5..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/config.go
+++ /dev/null
@@ -1,129 +0,0 @@
-package oidcproxy
-
-import (
-	"context"
-	"crypto/sha256"
-	"fmt"
-	"net/http"
-	"strings"
-
-	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
-	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
-
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
-	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
-)
-
-func (m *Manager) proxyConfig(app api.AppConfig, authProvider provider.OIDC, upstream chain.Handler) (*options.Options, error) {
-	// Generate unique cookies secret
-	secret, err := m.generateCookieSecret(app, authProvider.ID())
-	if err != nil {
-		return nil, err
-	}
-
-	proxyProvider, err := authProvider.ProxyProviderOptions()
-	if err != nil {
-		return nil, err
-	}
-
-	v := options.NewOptions()
-
-	// Connect to the app upstream
-	v.UpstreamHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		if err := upstream.ServeHTTPOrError(w, req); err != nil {
-			m.pageWriter.WriteError(w, req, &app, err)
-		}
-	})
-
-	// Render the selector page, if login is needed, it is not an internal URL
-	v.OnNeedsLogin = func(w http.ResponseWriter, req *http.Request) (stop bool) {
-		// Bypass internal paths
-		if strings.HasPrefix(req.URL.Path, v.ProxyPrefix) {
-			return false
-		}
-
-		// Determine, if we should render the selector page using the selector instance from the context
-		if selector, ok := req.Context().Value(selectorHandlerCtxKey).(*SelectorForAppRule); ok {
-			// If there is only one provider, continue to the sing in page
-			if len(selector.handlers) <= 1 {
-				return false
-			}
-
-			// Go back and render the selector page, ignore the cookie value
-			req = req.WithContext(context.WithValue(req.Context(), ignoreProviderCookieCtxKey, true))
-			if err := selector.ServeHTTPOrError(w, req); err != nil {
-				m.pageWriter.WriteError(w, req, &app, err)
-			}
-			return true
-		}
-
-		// Fallback, the selector instance is not found, it shouldn't happen.
-		// Clear the cookie and redirect to the same path, so the selector page is rendered.
-		m.providerSelector.clearCookie(w, req)
-		w.Header().Set("Location", req.URL.Path)
-		w.WriteHeader(http.StatusFound)
-		return true
-	}
-
-	// Setup
-	domain := app.CookieDomain(m.config.API.PublicURL)
-	redirectURL := m.config.API.PublicURL.Scheme + "://" + domain + config.InternalPrefix + "/callback"
-	v.Logging.RequestIDHeader = config.RequestIDHeader
-	v.Logging.RequestEnabled = false // we have log middleware for all requests
-	v.Cookie.Secret = secret
-	v.Cookie.Domains = []string{domain}
-	v.Cookie.SameSite = "strict"
-	v.ProxyPrefix = config.InternalPrefix
-	v.RawRedirectURL = redirectURL
-	v.Providers = options.Providers{proxyProvider}
-	v.SkipProviderButton = true
-	v.Session = options.SessionOptions{Type: options.CookieSessionStoreType}
-	v.EmailDomains = []string{"*"}
-	v.InjectRequestHeaders = []options.Header{
-		headerFromClaim("X-Kbc-User-Name", "name"),
-		headerFromClaim("X-Kbc-User-Email", options.OIDCEmailClaim),
-		headerFromClaim("X-Kbc-User-Roles", options.OIDCGroupsClaim),
-	}
-
-	// Cannot separate errors from info because when ErrToInfo is false (default),
-	// oauthproxy keeps forcibly setting its global error writer to os.Stderr whenever a new proxy instance is created.
-	v.Logging.ErrToInfo = true
-
-	if err := validation.Validate(v); err != nil {
-		return nil, err
-	}
-
-	return v, nil
-}
-
-// generateCookieSecret creates a unique cookie secret for each app and provider.
-// This is necessary because otherwise cookies created by provider A would also be valid in a section that requires provider B but not A.
-// To solve this we use the combination of the provider id and our salt.
-func (m *Manager) generateCookieSecret(app api.AppConfig, providerID provider.ID) (string, error) {
-	if m.config.CookieSecretSalt == "" {
-		return "", errors.New("missing cookie secret salt")
-	}
-
-	h := sha256.New()
-	h.Write([]byte(app.ID.String() + "/" + providerID.String() + "/" + m.config.CookieSecretSalt))
-	bs := h.Sum(nil)
-
-	// Result must be 32 chars, 2 hex chars for each byte
-	return fmt.Sprintf("%x", bs[:16]), nil
-}
-
-func headerFromClaim(header, claim string) options.Header {
-	return options.Header{
-		Name: header,
-		Values: []options.HeaderValue{
-			{
-				ClaimSource: &options.ClaimSource{
-					Claim: claim,
-				},
-			},
-		},
-	}
-}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/doc.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/doc.go
deleted file mode 100644
index f1acc74ee2..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/doc.go
+++ /dev/null
@@ -1,3 +0,0 @@
-// Package oidcproxy provides factory for OAuth2Proxy library.
-// The logic is inserted before the handler from  the "upstream" package.
-package oidcproxy
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/handler.go
deleted file mode 100644
index e50ca9078f..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/handler.go
+++ /dev/null
@@ -1,125 +0,0 @@
-package oidcproxy
-
-import (
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/benbjohnson/clock"
-	oauthproxy "github.com/oauth2-proxy/oauth2-proxy/v7"
-	proxyOptions "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
-
-	"github.com/keboola/keboola-as-code/internal/pkg/log"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/chain"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
-	svcErrors "github.com/keboola/keboola-as-code/internal/pkg/service/common/errors"
-	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
-)
-
-type Manager struct {
-	logger           log.Logger
-	config           config.Config
-	pageWriter       *pagewriter.Writer
-	providerSelector *Selector
-}
-
-type Handler struct {
-	provider     provider.Provider
-	proxyConfig  *proxyOptions.Options
-	proxyHandler *oauthproxy.OAuthProxy
-	initErr      error
-}
-
-type dependencies interface {
-	Logger() log.Logger
-	Clock() clock.Clock
-	Config() config.Config
-	PageWriter() *pagewriter.Writer
-}
-
-func NewManager(d dependencies) *Manager {
-	return &Manager{
-		logger:           d.Logger(),
-		config:           d.Config(),
-		pageWriter:       d.PageWriter(),
-		providerSelector: newSelector(d),
-	}
-}
-
-func (m *Manager) ProviderSelector() *Selector {
-	return m.providerSelector
-}
-
-func (m *Manager) NewHandler(app api.AppConfig, auth provider.OIDC, upstream chain.Handler) *Handler {
-	var err error
-	handler := &Handler{provider: auth}
-
-	// Create proxy configuration
-	handler.proxyConfig, err = m.proxyConfig(app, auth, upstream)
-	if err != nil {
-		handler.initErr = wrapHandlerInitErr(app, auth, err)
-		return handler
-	}
-
-	// Create proxy page writer adapter
-	pw, err := m.newPageWriter(m.logger, app, auth, handler.proxyConfig)
-	if err != nil {
-		handler.initErr = wrapHandlerInitErr(app, auth, err)
-		return handler
-	}
-
-	// Create proxy HTTP handler
-	authValidator := func(email string) bool { return true } // there is no need to verify individual users
-	handler.proxyHandler, err = oauthproxy.NewOAuthProxyWithPageWriter(handler.proxyConfig, authValidator, pw)
-	if err != nil {
-		handler.initErr = wrapHandlerInitErr(app, auth, err)
-		return handler
-	}
-
-	return handler
-}
-
-func (h *Handler) ID() provider.ID {
-	return h.provider.ID()
-}
-
-func (h *Handler) Name() string {
-	return h.provider.Name()
-}
-
-func (h *Handler) Provider() provider.Provider {
-	return h.provider
-}
-
-func (h *Handler) CookieExpiration() time.Duration {
-	if h.initErr != nil {
-		return 5 * time.Minute
-	}
-	return h.proxyConfig.Cookie.Expire
-}
-
-func (h *Handler) SignInPath() string {
-	if h.initErr != nil {
-		return "/error"
-	}
-	return h.proxyHandler.SignInPath
-}
-
-func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
-	if h.initErr != nil {
-		return h.initErr
-	}
-
-	// Pass request to OAuth2Proxy
-	h.proxyHandler.ServeHTTP(w, req) // errors are handled by the page writer
-	return nil
-}
-
-func wrapHandlerInitErr(app api.AppConfig, auth provider.Provider, err error) error {
-	return svcErrors.
-		NewServiceUnavailableError(errors.PrefixErrorf(err, `application "%s" has invalid configuration for authentication provider "%s"`, app.IdAndName(), auth.ID())).
-		WithUserMessage(fmt.Sprintf(`Application "%s" has invalid configuration for authentication provider "%s".`, app.IdAndName(), auth.ID()))
-}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging/writer.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging/writer.go
deleted file mode 100644
index ed451eeb4c..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging/writer.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package logging
-
-import (
-	"context"
-	"io"
-
-	"github.com/keboola/keboola-as-code/internal/pkg/log"
-)
-
-type loggerWriter struct {
-	logger log.Logger
-	level  string
-	buffer []byte
-}
-
-const newLine = byte(10)
-
-func (w *loggerWriter) Write(p []byte) (n int, err error) {
-	w.buffer = append(w.buffer, p...)
-
-	if len(p) > 0 && p[len(p)-1] == newLine {
-		w.logger.Log(context.Background(), w.level, string(w.buffer))
-		w.buffer = []byte{}
-		return 1, nil
-	}
-
-	return len(p), nil
-}
-
-func NewLoggerWriter(logger log.Logger, level string) io.Writer {
-	return &loggerWriter{
-		logger: logger,
-		level:  level,
-	}
-}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/pagewriter.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/pagewriter.go
deleted file mode 100644
index 4a10e9f328..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/pagewriter.go
+++ /dev/null
@@ -1,107 +0,0 @@
-package oidcproxy
-
-import (
-	"net/http"
-	"strings"
-
-	oauthproxy "github.com/oauth2-proxy/oauth2-proxy/v7"
-	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
-	proxypw "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/app/pagewriter"
-	"github.com/spf13/cast"
-	"go.opentelemetry.io/otel/attribute"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
-
-	"github.com/keboola/keboola-as-code/internal/pkg/log"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/common/ctxattr"
-)
-
-type proxyPageWriter proxypw.Writer
-
-// pageWriter is adapter between common page writer and OAuth2Proxy specific page writer.
-type pageWriter struct {
-	proxyPageWriter
-	logger       log.Logger
-	app          api.AppConfig
-	authProvider provider.Provider
-	pageWriter   *pagewriter.Writer
-}
-
-func (m *Manager) newPageWriter(logger log.Logger, app api.AppConfig, authProvider provider.Provider, opts *options.Options) (*pageWriter, error) {
-	parent, err := proxypw.NewWriter(
-		proxypw.Opts{
-			TemplatesPath:    opts.Templates.Path,
-			CustomLogo:       opts.Templates.CustomLogo,
-			ProxyPrefix:      opts.ProxyPrefix,
-			Footer:           opts.Templates.Footer,
-			Version:          oauthproxy.VERSION,
-			Debug:            opts.Templates.Debug,
-			ProviderName:     opts.Providers[0].Name,
-			SignInMessage:    opts.Templates.Banner,
-			DisplayLoginForm: opts.Templates.DisplayLoginForm,
-		},
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	return &pageWriter{
-		logger:          logger.WithComponent("oauth2proxy.pw"),
-		proxyPageWriter: parent,
-		app:             app,
-		authProvider:    authProvider,
-		pageWriter:      m.pageWriter,
-	}, nil
-}
-
-func (pw *pageWriter) WriteErrorPage(w http.ResponseWriter, req *http.Request, opts proxypw.ErrorPageOpts) {
-	// Convert messages to string
-	var messages []string
-	for _, msg := range opts.Messages {
-		if str := cast.ToString(msg); str != "" {
-			messages = append(messages, str)
-		}
-	}
-
-	// Default messages
-	if len(messages) == 0 {
-		switch opts.Status {
-		case http.StatusUnauthorized:
-			messages = []string{"You need to be logged in to access this resource."}
-		case http.StatusForbidden:
-			messages = []string{"You do not have permission to access this resource."}
-		case http.StatusInternalServerError:
-			messages = []string{"Oops! Something went wrong."}
-		default:
-			messages = []string{opts.AppError}
-		}
-	}
-
-	// Exception ID
-	exceptionID := pagewriter.ExceptionIDPrefix + opts.RequestID
-
-	joinedMessage := strings.Join(messages, "\n")
-	// Add attributes
-	req = req.WithContext(ctxattr.ContextWith(
-		req.Context(),
-		semconv.HTTPStatusCode(opts.Status),
-		attribute.String("exceptionId", exceptionID),
-		attribute.String("error.userMessages", joinedMessage),
-		attribute.String("error.details", opts.AppError),
-	))
-
-	// Log warning
-	pw.logger.Warn(req.Context(), strings.Join(messages, "\n")) //nolint:contextcheck // false positive
-
-	pw.pageWriter.WriteErrorPage(w, req, &pw.app, opts.Status, joinedMessage+opts.AppError, exceptionID)
-}
-
-func (pw *pageWriter) ProxyErrorHandler(w http.ResponseWriter, req *http.Request, err error) {
-	pw.pageWriter.ProxyErrorHandler(w, req, pw.app, err)
-}
-
-func (pw *pageWriter) WriteRobotsTxt(w http.ResponseWriter, req *http.Request) {
-	pw.pageWriter.WriteRobotsTxt(w, req)
-}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/selector.go b/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/selector.go
deleted file mode 100644
index aa799e529c..0000000000
--- a/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/selector.go
+++ /dev/null
@@ -1,238 +0,0 @@
-package oidcproxy
-
-import (
-	"context"
-	"net/http"
-	"net/url"
-	"slices"
-	"strings"
-	"time"
-
-	"github.com/benbjohnson/clock"
-	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
-
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
-	svcErrors "github.com/keboola/keboola-as-code/internal/pkg/service/common/errors"
-	"github.com/keboola/keboola-as-code/internal/pkg/utils/errors"
-)
-
-const (
-	providerCookie             = "_oauth2_provider"
-	providerQueryParam         = "provider"
-	continueAuthQueryParam     = "continue_auth"
-	callbackQueryParam         = "rd" // value match OAuth2Proxy internals and shouldn't be modified (see AppDirector there)
-	selectionPagePath          = config.InternalPrefix + "/selection"
-	signOutPath                = config.InternalPrefix + "/sign_out"
-	proxyCallbackPath          = config.InternalPrefix + "/callback"
-	ignoreProviderCookieCtxKey = ctxKey("ignoreProviderCookieCtxKey")
-	selectorHandlerCtxKey      = ctxKey("selectorHandlerCtxKey")
-)
-
-type ctxKey string
-
-type Selector struct {
-	clock      clock.Clock
-	config     config.Config
-	pageWriter *pagewriter.Writer
-}
-
-type SelectorForAppRule struct {
-	*Selector
-	app      api.AppConfig
-	handlers map[provider.ID]*Handler
-}
-
-func newSelector(d dependencies) *Selector {
-	return &Selector{
-		clock:      d.Clock(),
-		config:     d.Config(),
-		pageWriter: d.PageWriter(),
-	}
-}
-
-func (s *Selector) For(app api.AppConfig, handlers map[provider.ID]*Handler) (*SelectorForAppRule, error) {
-	// Validate handlers count
-	if len(handlers) == 0 {
-		return nil, svcErrors.NewServiceUnavailableError(errors.New(`no authentication provider found`))
-	}
-
-	return &SelectorForAppRule{Selector: s, app: app, handlers: handlers}, nil
-}
-
-// ServeHTTPOrError renders selector page if there is more than one authentication handler,
-// and no handler is selected, or the selected handler is not allowed for the requested path (see api.AuthRule).
-//
-// The selector page is rendered:
-// 1. If it is accessed directly using selectionPagePath, the status code is StatusOK.
-// 2. If no handler is selected and the path requires authorization, the status code is StatusUnauthorized.
-func (s *SelectorForAppRule) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) error {
-	// To make the same site strict cookie work we need to replace the redirect from the auth provider with a page that does the redirect.
-	if req.URL.Path == proxyCallbackPath {
-		query := req.URL.Query()
-		if query.Get(continueAuthQueryParam) != "true" {
-			query.Set(continueAuthQueryParam, "true")
-			baseURL := s.app.BaseURL(s.config.API.PublicURL)
-			redirectURL := baseURL.ResolveReference(&url.URL{Path: req.URL.Path, RawQuery: query.Encode()})
-			s.pageWriter.WriteRedirectPage(w, req, http.StatusOK, redirectURL.String())
-			return nil
-		}
-	}
-
-	// Store the selector to the context.
-	// It is used by the OnNeedsLogin callback, to render the selector page, if the provider needs login.
-	// Internal paths (it includes sing in) are bypassed, see Manager.proxyConfig for details.
-	req = req.WithContext(context.WithValue(req.Context(), selectorHandlerCtxKey, s))
-
-	// Clear cookie on logout
-	if req.URL.Path == signOutPath {
-		// This clears provider selection cookie while oauth2-proxy clears the session cookie.
-		// The user isn't logged out on the provider's side, but when redirected to the provider they're
-		// forced to select their account again because of the "select_account" flag in LoginURLParameters.
-		s.clearCookie(w, req)
-	}
-
-	// Render selector page, if it is accessed directly
-	if req.URL.Path == selectionPagePath {
-		return s.writeSelectorPage(w, req, http.StatusOK)
-	}
-
-	// Skip selector page, if there is only one provider
-	if len(s.handlers) == 1 {
-		// The handlers variable is a map, use the first handler via a for cycle
-		for _, handler := range s.handlers {
-			// Set cookie if needed
-			if providerID := s.providerIDFromCookie(req); providerID != handler.Provider().ID() {
-				s.setCookie(w, req, handler)
-			}
-			return handler.ServeHTTPOrError(w, req)
-		}
-	}
-
-	// Ignore cookie if we have already tried this provider, but the provider requires login.
-	providerID := s.providerIDFromCookie(req)
-	if ignore, _ := req.Context().Value(ignoreProviderCookieCtxKey).(bool); ignore {
-		providerID = ""
-	}
-
-	// Identify the chosen provider by the cookie
-	if handler := s.handlers[providerID]; handler != nil {
-		return handler.ServeHTTPOrError(w, req)
-	}
-
-	// No matching handler found
-	return s.writeSelectorPage(w, req, http.StatusUnauthorized)
-}
-
-func (s *SelectorForAppRule) writeSelectorPage(w http.ResponseWriter, req *http.Request, status int) error {
-	// Mark provider selected
-	id := provider.ID(req.URL.Query().Get(providerQueryParam))
-	if selected, found := s.handlers[id]; found {
-		// Set cookie with the same expiration as other provider cookies
-		s.setCookie(w, req, selected)
-
-		// Get path for redirect after sign in, it must not refer to an external URL
-		query := make(url.Values)
-		callback := req.URL.Query().Get(callbackQueryParam)
-		if isAcceptedCallbackURL(callback) {
-			query.Set(callbackQueryParam, callback)
-		}
-
-		// Render sign in page, set callback after login
-		s.redirect(w, req, selected.SignInPath(), query)
-		return nil
-	}
-
-	// Render the page, if there is no cookie or the value is invalid
-	s.pageWriter.WriteSelectorPage(w, req, status, s.selectorPageData(req))
-	return nil
-}
-
-func (s *SelectorForAppRule) selectorPageData(req *http.Request) *pagewriter.SelectorPageData {
-	// Pass link back to the current page, if reasonable, otherwise the user will be redirected to /
-	var callback string
-	if req.Method == http.MethodGet {
-		callback = req.URL.Path
-	}
-
-	// Base URL for all providers
-	pageURL := s.url(req, selectionPagePath, nil)
-
-	// Generate link for each providers
-	data := &pagewriter.SelectorPageData{App: pagewriter.NewAppData(&s.app)}
-	for _, handler := range s.handlers {
-		query := make(url.Values)
-		query.Set(providerQueryParam, handler.ID().String())
-		if isAcceptedCallbackURL(callback) {
-			query.Set(callbackQueryParam, callback)
-		}
-		data.Providers = append(data.Providers, pagewriter.ProviderData{
-			Name: handler.Name(),
-			URL:  pageURL.ResolveReference(&url.URL{RawQuery: query.Encode()}).String(),
-		})
-	}
-
-	// Sort items
-	slices.SortStableFunc(data.Providers, func(a, b pagewriter.ProviderData) int {
-		return strings.Compare(a.Name, b.Name)
-	})
-
-	return data
-}
-
-func (s *Selector) redirect(w http.ResponseWriter, req *http.Request, path string, query url.Values) {
-	w.Header().Set("Location", s.url(req, path, query).String())
-	w.WriteHeader(http.StatusFound)
-}
-
-func (s *Selector) url(req *http.Request, path string, query url.Values) *url.URL {
-	return &url.URL{Scheme: s.config.API.PublicURL.Scheme, Host: req.Host, Path: path, RawQuery: query.Encode()}
-}
-
-func (s *Selector) providerIDFromCookie(req *http.Request) provider.ID {
-	if cookie, _ := req.Cookie(providerCookie); cookie != nil && cookie.Value != "" {
-		return provider.ID(cookie.Value)
-	}
-	return ""
-}
-
-func (s *Selector) clearCookie(w http.ResponseWriter, req *http.Request) {
-	http.SetCookie(w, s.cookie(req, "", -1))
-}
-
-func (s *Selector) setCookie(w http.ResponseWriter, req *http.Request, handler *Handler) {
-	http.SetCookie(w, s.cookie(req, handler.ID().String(), handler.CookieExpiration()))
-}
-
-func (s *Selector) cookie(req *http.Request, value string, expires time.Duration) *http.Cookie {
-	host, _ := util.SplitHostPort(req.Host)
-	if host == "" {
-		panic(errors.New("host cannot be empty"))
-	}
-
-	v := &http.Cookie{
-		Name:     providerCookie,
-		Value:    value,
-		Path:     "/",
-		Domain:   host,
-		Secure:   true,
-		HttpOnly: true,
-		SameSite: http.SameSiteStrictMode,
-	}
-
-	if expires > 0 {
-		// If there is an expiration, set it
-		v.Expires = s.clock.Now().Add(expires)
-	} else {
-		// Otherwise clear the cookie
-		v.MaxAge = -1
-	}
-
-	return v
-}
-
-func isAcceptedCallbackURL(callback string) bool {
-	return callback != "" && callback != "/" && callback != selectionPagePath && strings.HasPrefix(callback, "/")
-}
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index f92a881604..c2854852f1 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -41,7 +41,7 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/auth/provider"
 	proxyDependencies "github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dependencies"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/pagewriter"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/testutil"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/transport/dns/dnsmock"
diff --git a/internal/pkg/service/appsproxy/proxy/server.go b/internal/pkg/service/appsproxy/proxy/server.go
index 2e6c4e7df9..4d593c2e8e 100644
--- a/internal/pkg/service/appsproxy/proxy/server.go
+++ b/internal/pkg/service/appsproxy/proxy/server.go
@@ -14,7 +14,7 @@ import (
 	"github.com/keboola/keboola-as-code/internal/pkg/log"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dependencies"
-	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/oidcproxy/logging"
+	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/oidcproxy/logging"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/proxy/approuter"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/common/httpserver/middleware"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/common/servicectx"

From 286b8177e066ce664a55490e4490c594d04debf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Tue, 2 Jul 2024 10:50:40 +0200
Subject: [PATCH 11/15] fix: Redirect when cookie is setup.

Fix sign_out to do redirection instead of passing request further and unseting cookies.
Remove loop when being on `_proxy/sign_out` to not pass through form
when providing password.
The correct behaviour is, when going on `_proxy/sign_out` redirects
automatically to `h.SignInPath()` so to `_proxy/form`.
---
 .../apphandler/authproxy/basicauth/handler.go | 50 ++++++++++++++-----
 .../proxy/apphandler/authproxy/manager.go     |  2 +-
 .../pkg/service/appsproxy/proxy/proxy_test.go | 38 +++++++++-----
 3 files changed, 64 insertions(+), 26 deletions(-)

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index 9fa8b4ce29..dd9e600a39 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -4,6 +4,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/benbjohnson/clock"
@@ -20,14 +21,16 @@ import (
 )
 
 const (
-	basicAuthCookie = "proxyBasicAuth"
-	formPagePath    = config.InternalPrefix + "/form"
+	basicAuthCookie    = "proxyBasicAuth"
+	callbackQueryParam = "rd" // value match OAuth2Proxy internals and shouldn't be modified (see AppDirector there)
+	formPagePath       = config.InternalPrefix + "/form"
 )
 
 type Handler struct {
 	logger     log.Logger
 	pageWriter *pagewriter.Writer
 	clock      clock.Clock
+	publicURL  *url.URL
 	app        api.AppConfig
 	basicAuth  provider.Basic
 	upstream   chain.Handler
@@ -37,6 +40,7 @@ func NewHandler(
 	logger log.Logger,
 	pageWriter *pagewriter.Writer,
 	clock clock.Clock,
+	publicURL *url.URL,
 	app api.AppConfig,
 	auth provider.Basic,
 	upstream chain.Handler,
@@ -45,6 +49,7 @@ func NewHandler(
 		logger:     logger,
 		pageWriter: pageWriter,
 		clock:      clock,
+		publicURL:  publicURL,
 		app:        app,
 		basicAuth:  auth,
 		upstream:   upstream,
@@ -69,19 +74,21 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		return errors.New("internal server error")
 	}
 
-	if err := req.ParseForm(); err != nil {
-		return err
+	requestCookie, _ := req.Cookie(basicAuthCookie)
+	// Pass request to upstream when cookie have been set
+	if requestCookie != nil && req.URL.Path != selector.SignOutPath && h.isCookieAuthorized(requestCookie) == nil {
+		h.setCookie(w, host, h.CookieExpiration(), requestCookie)
+		return h.upstream.ServeHTTPOrError(w, req)
 	}
 
-	// Unset content length as we do not want to push req.Body to upstream
-	req.ContentLength = 0
-
-	// Unset cookie as /_proxy/sign_out was called and enforce login
-	requestCookie, _ := req.Cookie(basicAuthCookie)
+	// Unset cookie as /_proxy/sign_out was called and enforce login by redirecting to SignInPath
 	if requestCookie != nil && req.URL.Path == selector.SignOutPath {
-		requestCookie.Value = ""
-		h.setCookie(w, host, -1, requestCookie)
-		requestCookie = nil
+		h.signOut(host, requestCookie, w, req)
+		return nil
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return err
 	}
 
 	// Login page
@@ -120,6 +127,10 @@ func (h *Handler) isAuthorized(password string, cookie *http.Cookie) error {
 		return errors.New("Please enter a correct password.")
 	}
 
+	return h.isCookieAuthorized(cookie)
+}
+
+func (h *Handler) isCookieAuthorized(cookie *http.Cookie) error {
 	if err := cookie.Valid(); cookie != nil && err != nil {
 		return err
 	}
@@ -129,13 +140,26 @@ func (h *Handler) isAuthorized(password string, cookie *http.Cookie) error {
 		hash.Write([]byte(h.basicAuth.Password + string(h.app.ID)))
 		hashedValue := hash.Sum(nil)
 		if hex.EncodeToString(hashedValue) != cookie.Value {
-			return errors.New("Cookie not set correctly.")
+			return errors.New("Cookie has expired.")
 		}
 	}
 
 	return nil
 }
 
+func (h *Handler) signOut(host string, cookie *http.Cookie, w http.ResponseWriter, req *http.Request) {
+	cookie.Value = ""
+	h.setCookie(w, host, -1, cookie)
+	cookie = nil
+	redirectUrl := &url.URL{
+		Scheme: h.publicURL.Scheme,
+		Host:   req.Host,
+		Path:   h.SignInPath(),
+	}
+	w.Header().Set("Location", redirectUrl.String())
+	w.WriteHeader(http.StatusFound)
+}
+
 func (h *Handler) setCookie(w http.ResponseWriter, host string, expires time.Duration, cookie *http.Cookie) {
 	v := &http.Cookie{
 		Name:     basicAuthCookie,
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
index f3e957c95d..4d7c134d93 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
@@ -51,7 +51,7 @@ func (m *Manager) NewHandlers(app api.AppConfig, upstream chain.Handler) map[pro
 			authHandlers[auth.ID()] = oidcproxy.NewHandler(m.logger, m.config, m.providerSelector, m.pageWriter, app, p, upstream)
 
 		case provider.Basic:
-			authHandlers[auth.ID()] = basicauth.NewHandler(m.logger, m.pageWriter, m.clock, app, p, upstream)
+			authHandlers[auth.ID()] = basicauth.NewHandler(m.logger, m.pageWriter, m.clock, m.config.API.PublicURL, app, p, upstream)
 
 		default:
 			panic("unknown auth provider type")
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index c2854852f1..83e34fcc7c 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2042,6 +2042,19 @@ func TestAppProxyRouter(t *testing.T) {
 					assert.True(t, cookies[0].Secure)
 					assert.Equal(t, http.SameSiteStrictMode, cookies[0].SameSite)
 				}
+
+				location := response.Header.Get("Location")
+				// All config.InternalPrefix are redirected to `/`
+				assert.Contains(t, location, "https://basic-auth.hub.keboola.local/")
+
+				// Request to proxy location
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodGet, location, nil)
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
+				body, err = io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Hello, client")
 			},
 			expectedNotifications: map[string]int{
 				"auth": 1,
@@ -2060,7 +2073,7 @@ func TestAppProxyRouter(t *testing.T) {
 				require.Equal(t, http.StatusOK, response.StatusCode)
 				body, err := io.ReadAll(response.Body)
 				require.NoError(t, err)
-				assert.Contains(t, string(body), "Cookie not set correctly")
+				assert.Contains(t, string(body), "Cookie has expired")
 			},
 			expectedNotifications: map[string]int{},
 			expectedWakeUps:       map[string]int{},
@@ -2094,20 +2107,21 @@ func TestAppProxyRouter(t *testing.T) {
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)
-				require.Equal(t, http.StatusOK, response.StatusCode)
+				require.Equal(t, http.StatusFound, response.StatusCode)
 				body, err := io.ReadAll(response.Body)
 				require.NoError(t, err)
+				location := response.Header.Get("Location")
+				assert.Contains(t, location, "https://basic-auth.hub.keboola.local/")
+
+				// Request to proxy location
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodGet, location, nil)
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
+				body, err = io.ReadAll(response.Body)
+				require.NoError(t, err)
 				assert.Contains(t, string(body), "Basic Authentication")
-				if assert.Len(t, response.Cookies(), 3) {
-					c := response.Cookies()[2]
-					assert.Equal(t, "proxyBasicAuth", c.Name)
-					assert.Equal(t, "", c.Value)
-					assert.Equal(t, "/", c.Path)
-					assert.Equal(t, "basic-auth.hub.keboola.local", c.Domain)
-					assert.True(t, c.HttpOnly)
-					assert.True(t, c.Secure)
-					assert.Equal(t, http.SameSiteStrictMode, c.SameSite)
-				}
+				require.Len(t, response.Cookies(), 0)
 			},
 			expectedNotifications: map[string]int{},
 			expectedWakeUps:       map[string]int{},

From ef20d415c0ec070b9ddf0447401587cdccba51fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Tue, 2 Jul 2024 10:53:15 +0200
Subject: [PATCH 12/15] fix: Redirect to `/` or `rd` when user has url set on
 upstream

Do not pass to upstream instead do StatusMovedPermanently, which
discards previous form request that was used to verify password.
`rd` stores various url paths except that are prefixed with config.InternalPrefix.
This prevents of staying on `_proxy` pages and typically goes to `/`.
---
 .../apphandler/authproxy/basicauth/handler.go | 26 ++++----
 .../apphandler/authproxy/selector/selector.go |  9 ++-
 .../pkg/service/appsproxy/proxy/proxy_test.go | 59 ++++++++++++++++---
 3 files changed, 75 insertions(+), 19 deletions(-)

diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index dd9e600a39..30577414e6 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -105,21 +105,28 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		return nil
 	}
 
-	expires := h.CookieExpiration()
-	// Skip generating cookie value when already set and verified
-	if requestCookie != nil {
-		h.setCookie(w, host, expires, requestCookie)
-		return h.upstream.ServeHTTPOrError(w, req)
+	// Redirect to page that user comes from
+	path := req.Header.Get(callbackQueryParam)
+	if path == "" {
+		path = "/"
 	}
 
+	redirectURL := &url.URL{
+		Scheme: h.publicURL.Scheme,
+		Host:   req.Host,
+		Path:   path,
+	}
 	hash := sha256.New()
 	hash.Write([]byte(p + string(h.app.ID)))
 	hashedValue := hash.Sum(nil)
 	v := &http.Cookie{
 		Value: hex.EncodeToString(hashedValue),
 	}
-	h.setCookie(w, host, expires, v)
-	return h.upstream.ServeHTTPOrError(w, req)
+	h.setCookie(w, host, h.CookieExpiration(), v)
+	// Redirect to upstream
+	w.Header().Set("Location", redirectURL.String())
+	w.WriteHeader(http.StatusMovedPermanently)
+	return nil
 }
 
 func (h *Handler) isAuthorized(password string, cookie *http.Cookie) error {
@@ -150,13 +157,12 @@ func (h *Handler) isCookieAuthorized(cookie *http.Cookie) error {
 func (h *Handler) signOut(host string, cookie *http.Cookie, w http.ResponseWriter, req *http.Request) {
 	cookie.Value = ""
 	h.setCookie(w, host, -1, cookie)
-	cookie = nil
-	redirectUrl := &url.URL{
+	redirectURL := &url.URL{
 		Scheme: h.publicURL.Scheme,
 		Host:   req.Host,
 		Path:   h.SignInPath(),
 	}
-	w.Header().Set("Location", redirectUrl.String())
+	w.Header().Set("Location", redirectURL.String())
 	w.WriteHeader(http.StatusFound)
 }
 
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
index 1a4fe5575f..e34a2d06a9 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/selector/selector.go
@@ -113,6 +113,13 @@ func (s *SelectorForAppRule) ServeHTTPOrError(w http.ResponseWriter, req *http.R
 			if providerID := s.providerIDFromCookie(req); providerID != id {
 				s.setCookie(w, req, id, handler)
 			}
+
+			// Get path for redirect after sign in, it must not refer to an external URL
+			callback := req.URL.Path
+			if isAcceptedCallbackURL(callback) {
+				req.Header.Set(callbackQueryParam, callback)
+			}
+
 			return handler.ServeHTTPOrError(w, req)
 		}
 	}
@@ -269,5 +276,5 @@ func (s *Selector) cookie(req *http.Request, value string, expires time.Duration
 }
 
 func isAcceptedCallbackURL(callback string) bool {
-	return callback != "" && callback != "/" && callback != selectionPagePath && strings.HasPrefix(callback, "/")
+	return callback != "" && callback != "/" && !strings.HasPrefix(callback, config.InternalPrefix)
 }
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index 83e34fcc7c..8e568ee753 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2009,10 +2009,10 @@ func TestAppProxyRouter(t *testing.T) {
 			expectedWakeUps:       map[string]int{},
 		},
 		{
-			name: "public-basic-auth-correct-login",
+			name: "public-basic-auth-correct-app-url",
 			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
 				// Request public basic auth app
-				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/", nil)
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/app/url", nil)
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)
@@ -2021,16 +2021,61 @@ func TestAppProxyRouter(t *testing.T) {
 				require.NoError(t, err)
 				assert.Contains(t, string(body), "Basic Authentication")
 
-				// Fill correct password into form
-				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", bytes.NewBuffer([]byte("password=abc")))
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/app/url", bytes.NewBuffer([]byte("password=abc")))
 				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 				require.NoError(t, err)
 				response, err = client.Do(request)
 				require.NoError(t, err)
-				require.Equal(t, http.StatusOK, response.StatusCode)
+				require.Equal(t, http.StatusMovedPermanently, response.StatusCode)
+				// Check that cookies were set
+				cookies := response.Cookies()
+				if assert.Len(t, cookies, 1) {
+					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
+					assert.Equal(t, "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa", cookies[0].Value)
+					assert.Equal(t, "/", cookies[0].Path)
+					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
+					assert.True(t, cookies[0].HttpOnly)
+					assert.True(t, cookies[0].Secure)
+					assert.Equal(t, http.SameSiteStrictMode, cookies[0].SameSite)
+				}
+
+				location := response.Header.Get("Location")
+				assert.Contains(t, location, "https://basic-auth.hub.keboola.local/app/url")
+
+				// Request to proxy location
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodGet, location, nil)
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
 				body, err = io.ReadAll(response.Body)
 				require.NoError(t, err)
 				assert.Contains(t, string(body), "Hello, client")
+			},
+			expectedNotifications: map[string]int{
+				"auth": 1,
+			},
+			expectedWakeUps: map[string]int{},
+		},
+		{
+			name: "public-basic-auth-correct-login",
+			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
+				// Request public basic auth app
+				request, err := http.NewRequestWithContext(context.Background(), http.MethodGet, "https://basic-auth.hub.keboola.local/_proxy/form", nil)
+				require.NoError(t, err)
+				response, err := client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusOK, response.StatusCode)
+				body, err := io.ReadAll(response.Body)
+				require.NoError(t, err)
+				assert.Contains(t, string(body), "Basic Authentication")
+
+				// Fill correct password into form
+				request, err = http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/_proxy/form", bytes.NewBuffer([]byte("password=abc")))
+				request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				require.NoError(t, err)
+				response, err = client.Do(request)
+				require.NoError(t, err)
+				require.Equal(t, http.StatusMovedPermanently, response.StatusCode)
 				// Check that cookies were set
 				cookies := response.Cookies()
 				if assert.Len(t, cookies, 1) {
@@ -2108,8 +2153,6 @@ func TestAppProxyRouter(t *testing.T) {
 				response, err := client.Do(request)
 				require.NoError(t, err)
 				require.Equal(t, http.StatusFound, response.StatusCode)
-				body, err := io.ReadAll(response.Body)
-				require.NoError(t, err)
 				location := response.Header.Get("Location")
 				assert.Contains(t, location, "https://basic-auth.hub.keboola.local/")
 
@@ -2118,7 +2161,7 @@ func TestAppProxyRouter(t *testing.T) {
 				require.NoError(t, err)
 				response, err = client.Do(request)
 				require.NoError(t, err)
-				body, err = io.ReadAll(response.Body)
+				body, err := io.ReadAll(response.Body)
 				require.NoError(t, err)
 				assert.Contains(t, string(body), "Basic Authentication")
 				require.Len(t, response.Cookies(), 0)

From d85406cc36e177275df59f66148ca5a47ca080c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Tue, 2 Jul 2024 14:06:58 +0200
Subject: [PATCH 13/15] feat: Add CSRF token protection on basicAuth handler on
 `/` route

Should protect input form, including escaping, new required configurable salt for CSRF token generator.
---
 .../pkg/service/appsproxy/config/config.go    |  1 +
 .../service/appsproxy/dependencies/mocked.go  |  3 +
 .../apphandler/authproxy/basicauth/handler.go | 57 ++++++++++++-------
 .../proxy/apphandler/authproxy/manager.go     |  2 +-
 .../appsproxy/proxy/pagewriter/login.go       | 10 ++--
 .../proxy/pagewriter/template/login.gohtml    |  1 +
 .../pkg/service/appsproxy/proxy/proxy_test.go |  5 ++
 .../service/appsproxy/proxy/server_test.go    |  1 +
 provisioning/apps-proxy/dev/.air.toml         |  2 +-
 9 files changed, 55 insertions(+), 27 deletions(-)

diff --git a/internal/pkg/service/appsproxy/config/config.go b/internal/pkg/service/appsproxy/config/config.go
index 44531d9f8f..223dbda26a 100644
--- a/internal/pkg/service/appsproxy/config/config.go
+++ b/internal/pkg/service/appsproxy/config/config.go
@@ -23,6 +23,7 @@ type Config struct {
 	CookieSecretSalt string            `configKey:"cookieSecretSalt" configUsage:"Cookie secret needed by OAuth 2 Proxy." validate:"required" sensitive:"true"`
 	Upstream         Upstream          `configKey:"-" configUsage:"Configuration options for upstream"`
 	SandboxesAPI     SandboxesAPI      `configKey:"sandboxesAPI"`
+	CsrfTokenSalt    string            `configKey:"csrfTokenSalt" configUsage:"Salt used for generating CSRF tokens" validate:"required" sensitive:"true"`
 }
 
 type API struct {
diff --git a/internal/pkg/service/appsproxy/dependencies/mocked.go b/internal/pkg/service/appsproxy/dependencies/mocked.go
index 41ba56e834..ac3ba17d67 100644
--- a/internal/pkg/service/appsproxy/dependencies/mocked.go
+++ b/internal/pkg/service/appsproxy/dependencies/mocked.go
@@ -41,6 +41,9 @@ func NewMockedServiceScope(t *testing.T, cfg config.Config, opts ...dependencies
 	if cfg.CookieSecretSalt == "" {
 		cfg.CookieSecretSalt = "foo"
 	}
+	if cfg.CsrfTokenSalt == "" {
+		cfg.CsrfTokenSalt = "bar"
+	}
 	if cfg.SandboxesAPI.URL == "" {
 		cfg.SandboxesAPI.URL = "http://sandboxes-service-api.default.svc.cluster.local"
 	}
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index 30577414e6..bd455dcf74 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -3,12 +3,15 @@ package basicauth
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"fmt"
+	"html/template"
 	"net/http"
 	"net/url"
 	"time"
 
 	"github.com/benbjohnson/clock"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
+	"golang.org/x/net/xsrftoken"
 
 	"github.com/keboola/keboola-as-code/internal/pkg/log"
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/config"
@@ -24,35 +27,39 @@ const (
 	basicAuthCookie    = "proxyBasicAuth"
 	callbackQueryParam = "rd" // value match OAuth2Proxy internals and shouldn't be modified (see AppDirector there)
 	formPagePath       = config.InternalPrefix + "/form"
+	csrfTokenKey       = "_csrf"
+	csrfTokenMaxAge    = 15 * time.Minute
 )
 
 type Handler struct {
-	logger     log.Logger
-	pageWriter *pagewriter.Writer
-	clock      clock.Clock
-	publicURL  *url.URL
-	app        api.AppConfig
-	basicAuth  provider.Basic
-	upstream   chain.Handler
+	logger        log.Logger
+	clock         clock.Clock
+	pageWriter    *pagewriter.Writer
+	csrfTokenSalt string
+	publicURL     *url.URL
+	app           api.AppConfig
+	basicAuth     provider.Basic
+	upstream      chain.Handler
 }
 
 func NewHandler(
 	logger log.Logger,
-	pageWriter *pagewriter.Writer,
+	config config.Config,
 	clock clock.Clock,
-	publicURL *url.URL,
+	pageWriter *pagewriter.Writer,
 	app api.AppConfig,
 	auth provider.Basic,
 	upstream chain.Handler,
 ) *Handler {
 	return &Handler{
-		logger:     logger,
-		pageWriter: pageWriter,
-		clock:      clock,
-		publicURL:  publicURL,
-		app:        app,
-		basicAuth:  auth,
-		upstream:   upstream,
+		logger:        logger,
+		clock:         clock,
+		pageWriter:    pageWriter,
+		csrfTokenSalt: config.CsrfTokenSalt,
+		publicURL:     config.API.PublicURL,
+		app:           app,
+		basicAuth:     auth,
+		upstream:      upstream,
 	}
 }
 
@@ -91,17 +98,25 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		return err
 	}
 
-	// Login page
+	// CSRF token validation
+	if key := req.Form.Get(csrfTokenKey); key != "" && !xsrftoken.ValidFor(key, csrfTokenKey, h.csrfTokenSalt, "/", csrfTokenMaxAge) {
+		h.pageWriter.WriteErrorPage(w, req, &h.app, http.StatusForbidden, "Session expired, reload page", pagewriter.ExceptionIDPrefix+key)
+		return nil
+	}
+
+	// Login page first access
+	csrfToken := xsrftoken.Generate(csrfTokenKey, h.csrfTokenSalt, "/")
+	fragment := fmt.Sprintf(`<input type="hidden" name="%s" value="%s">`, template.HTMLEscapeString(csrfTokenKey), template.HTMLEscapeString(csrfToken))
 	if !req.Form.Has("password") && requestCookie == nil {
-		h.pageWriter.WriteLoginPage(w, req, &h.app, nil)
+		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), nil) // #nosec G203
 		return nil
 	}
 
-	p := req.Form.Get("password")
 	// Login page with unauthorized alert
+	p := req.Form.Get("password")
 	if err := h.isAuthorized(p, requestCookie); err != nil {
 		h.logger.Warn(req.Context(), err.Error())
-		h.pageWriter.WriteLoginPage(w, req, &h.app, err)
+		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), err) // #nosec G203
 		return nil
 	}
 
@@ -123,7 +138,7 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		Value: hex.EncodeToString(hashedValue),
 	}
 	h.setCookie(w, host, h.CookieExpiration(), v)
-	// Redirect to upstream
+	// Redirect to upstream (Same handler)
 	w.Header().Set("Location", redirectURL.String())
 	w.WriteHeader(http.StatusMovedPermanently)
 	return nil
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
index 4d7c134d93..31cacab369 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/manager.go
@@ -51,7 +51,7 @@ func (m *Manager) NewHandlers(app api.AppConfig, upstream chain.Handler) map[pro
 			authHandlers[auth.ID()] = oidcproxy.NewHandler(m.logger, m.config, m.providerSelector, m.pageWriter, app, p, upstream)
 
 		case provider.Basic:
-			authHandlers[auth.ID()] = basicauth.NewHandler(m.logger, m.pageWriter, m.clock, m.config.API.PublicURL, app, p, upstream)
+			authHandlers[auth.ID()] = basicauth.NewHandler(m.logger, m.config, m.clock, m.pageWriter, app, p, upstream)
 
 		default:
 			panic("unknown auth provider type")
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/login.go b/internal/pkg/service/appsproxy/proxy/pagewriter/login.go
index 5c3ec8bb88..ed7f0016f6 100644
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/login.go
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/login.go
@@ -1,18 +1,20 @@
 package pagewriter
 
 import (
+	"html/template"
 	"net/http"
 
 	"github.com/keboola/keboola-as-code/internal/pkg/service/appsproxy/dataapps/api"
 )
 
 type LoginPageData struct {
-	App   AppData
-	Error error
+	App       AppData
+	CsrfField template.HTML
+	Error     error
 }
 
-func (pw *Writer) WriteLoginPage(w http.ResponseWriter, req *http.Request, app *api.AppConfig, err error) {
+func (pw *Writer) WriteLoginPage(w http.ResponseWriter, req *http.Request, app *api.AppConfig, csrfField template.HTML, err error) {
 	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate;")
 	w.Header().Set("pragma", "no-cache")
-	pw.writePage(w, req, "login.gohtml", http.StatusOK, &LoginPageData{App: NewAppData(app), Error: err})
+	pw.writePage(w, req, "login.gohtml", http.StatusOK, &LoginPageData{App: NewAppData(app), CsrfField: csrfField, Error: err})
 }
diff --git a/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
index 6d53468e6e..5fda348d9a 100644
--- a/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
+++ b/internal/pkg/service/appsproxy/proxy/pagewriter/template/login.gohtml
@@ -38,6 +38,7 @@
         <label for="password">Password</label>
         <input type="password" id="password" name="password" placeholder="Password" />
       </div>
+      {{ .CsrfField }}
       <button type="submit" name="submit">
         <svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
           <path d="M16 8C16 12.4183 12.4183 16 8 16C3.58171 16 0 12.4183 0 8C0 3.58171 3.58171 0 8 0C12.4183 0 16 3.58171 16 8ZM7.07464 12.2359L13.0101 6.30045C13.2117 6.0989 13.2117 5.7721 13.0101 5.57055L12.2802 4.84064C12.0787 4.63906 11.7519 4.63906 11.5503 4.84064L6.70968 9.68123L4.44971 7.42126C4.24816 7.21971 3.92135 7.21971 3.71977 7.42126L2.98987 8.15116C2.78832 8.35271 2.78832 8.67952 2.98987 8.88106L6.34471 12.2359C6.54629 12.4375 6.87306 12.4375 7.07464 12.2359Z" fill="white"/>
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index 8e568ee753..495d74fd31 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2676,9 +2676,14 @@ func createDependencies(t *testing.T, sandboxesAPIURL string) (proxyDependencies
 	_, err := rand.Read(secret)
 	require.NoError(t, err)
 
+	csrfSecret := make([]byte, 32)
+	_, err = rand.Read(csrfSecret)
+	require.NoError(t, err)
+
 	cfg := config.New()
 	cfg.API.PublicURL, _ = url.Parse("https://hub.keboola.local")
 	cfg.CookieSecretSalt = string(secret)
+	cfg.CsrfTokenSalt = string(csrfSecret)
 	cfg.SandboxesAPI.URL = sandboxesAPIURL
 
 	return proxyDependencies.NewMockedServiceScope(t, cfg, dependencies.WithRealHTTPClient())
diff --git a/internal/pkg/service/appsproxy/proxy/server_test.go b/internal/pkg/service/appsproxy/proxy/server_test.go
index 49d1090b18..565fcc1dfb 100644
--- a/internal/pkg/service/appsproxy/proxy/server_test.go
+++ b/internal/pkg/service/appsproxy/proxy/server_test.go
@@ -39,6 +39,7 @@ func TestAppProxyHandler(t *testing.T) {
 	cfg := config.New()
 	cfg.API.PublicURL, _ = url.Parse("https://hub.keboola.local")
 	cfg.SandboxesAPI.URL = appsAPI.URL
+	cfg.CsrfTokenSalt = "abc"
 
 	// Create dependencies
 	d, mocked := proxyDependencies.NewMockedServiceScope(t, cfg, dependencies.WithRealHTTPClient())
diff --git a/provisioning/apps-proxy/dev/.air.toml b/provisioning/apps-proxy/dev/.air.toml
index 4a2db21389..3c618a332d 100644
--- a/provisioning/apps-proxy/dev/.air.toml
+++ b/provisioning/apps-proxy/dev/.air.toml
@@ -3,7 +3,7 @@ tmp_dir = "target/.watcher"
 
 [build]
   bin = "./target/apps-proxy/proxy"
-  args_bin = ["--sandboxes-api-url",  "http://localhost:1080", "--sandboxes-api-token", "my-token", "--api-public-url", "http://localhost:8000", "--cookie-secret-salt", "cookie"]
+  args_bin = ["--sandboxes-api-url",  "http://localhost:1080", "--sandboxes-api-token", "my-token", "--api-public-url", "http://localhost:8000", "--cookie-secret-salt", "cookie", "--csrf-token-salt", "bcc3add3bf72e628149fbfbc11932329de7f375db3d8503ef0e32b336adf46c4"]
   cmd = "make build-apps-proxy"
   delay = 2000
   exclude_dir = []

From 679976adf89297e79a5d85213e6abc7b5fd8c1bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Wed, 3 Jul 2024 11:18:28 +0200
Subject: [PATCH 14/15] feat: Add generation of csrf token salt into
 provisioning of apps proxy

---
 provisioning/apps-proxy/common.sh                     | 11 +++++++++--
 .../kubernetes/templates/proxy/csrf-salt.yaml         | 10 ++++++++++
 .../kubernetes/templates/proxy/deployment.yaml        |  5 +++++
 .../apps-proxy/kubernetes/templates/proxy/salt.yaml   |  2 +-
 4 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 provisioning/apps-proxy/kubernetes/templates/proxy/csrf-salt.yaml

diff --git a/provisioning/apps-proxy/common.sh b/provisioning/apps-proxy/common.sh
index e89a116463..19da456254 100644
--- a/provisioning/apps-proxy/common.sh
+++ b/provisioning/apps-proxy/common.sh
@@ -26,12 +26,19 @@ export NAMESPACE="apps-proxy"
 kubectl apply -f ./kubernetes/deploy/namespace.yaml
 
 if ! kubectl get secret apps-proxy-salt --namespace apps-proxy > /dev/null 2>&1; then
-  COOKIE_SECRET_SALT=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 128)
-  export COOKIE_SECRET_SALT
+  APPS_PROXY_COOKIE_SECRET_SALT=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 128)
+  export APPS_PROXY_COOKIE_SECRET_SALT
   envsubst < kubernetes/templates/proxy/salt.yaml > kubernetes/deploy/proxy/salt.yaml
   kubectl apply -f ./kubernetes/deploy/proxy/salt.yaml
 fi
 
+if ! kubectl get secret apps-proxy-csrf-token-salt --namespace apps-proxy > /dev/null 2>&1; then
+  APPS_PROXY_CSRF_TOKEN_SALT=$(head -c 32 /dev/urandom | openssl enc | xxd -p -c 32)
+  export APPS_PROXY_CSRF_TOKEN_SALT
+  envsubst < kubernetes/templates/proxy/csrf-salt.yaml > kubernetes/deploy/proxy/csrf-salt.yaml
+  kubectl apply -f ./kubernetes/deploy/proxy/csrf-salt.yaml
+fi
+
 # Proxy
 kubectl apply -f ./kubernetes/deploy/proxy/token.yaml
 kubectl apply -f ./kubernetes/deploy/proxy/config-map.yaml
diff --git a/provisioning/apps-proxy/kubernetes/templates/proxy/csrf-salt.yaml b/provisioning/apps-proxy/kubernetes/templates/proxy/csrf-salt.yaml
new file mode 100644
index 0000000000..07053efa4a
--- /dev/null
+++ b/provisioning/apps-proxy/kubernetes/templates/proxy/csrf-salt.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: apps-proxy-csrf-token-salt
+  namespace: $NAMESPACE
+  labels:
+    app: apps-proxy
+stringData:
+  csrfTokenSalt: "$APPS_PROXY_CSRF_TOKEN_SALT"
diff --git a/provisioning/apps-proxy/kubernetes/templates/proxy/deployment.yaml b/provisioning/apps-proxy/kubernetes/templates/proxy/deployment.yaml
index 3e319e44f8..7a2bdff599 100644
--- a/provisioning/apps-proxy/kubernetes/templates/proxy/deployment.yaml
+++ b/provisioning/apps-proxy/kubernetes/templates/proxy/deployment.yaml
@@ -74,6 +74,11 @@ spec:
                 secretKeyRef:
                   name: apps-proxy-salt
                   key: cookieSecretSalt
+            - name: APPS_PROXY_CSRF_TOKEN_SALT
+              valueFrom:
+                secretKeyRef:
+                  name: apps-proxy-csrf-token-salt
+                  key: csrfTokenSalt
             - name: DD_AGENT_HOST
               valueFrom:
                 fieldRef:
diff --git a/provisioning/apps-proxy/kubernetes/templates/proxy/salt.yaml b/provisioning/apps-proxy/kubernetes/templates/proxy/salt.yaml
index 301d9cda32..00482acb9d 100644
--- a/provisioning/apps-proxy/kubernetes/templates/proxy/salt.yaml
+++ b/provisioning/apps-proxy/kubernetes/templates/proxy/salt.yaml
@@ -7,4 +7,4 @@ metadata:
   labels:
     app: apps-proxy
 stringData:
-  cookieSecretSalt: "$COOKIE_SECRET_SALT"
+  cookieSecretSalt: "$APPS_PROXY_COOKIE_SECRET_SALT"

From 11a17dda4e09be8ba78e7c7740ed21403bb16c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Va=C5=A1ko?= <Matovidlo2@gmail.com>
Date: Mon, 8 Jul 2024 09:50:56 +0200
Subject: [PATCH 15/15] fix: Add different method for hashing password in
 cookie

Add comments for gosec G203
---
 go.mod                                        |  2 +-
 .../apphandler/authproxy/basicauth/handler.go | 22 +++++++++----------
 .../pkg/service/appsproxy/proxy/proxy_test.go |  7 +++---
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/go.mod b/go.mod
index f83a414608..45899041c1 100644
--- a/go.mod
+++ b/go.mod
@@ -123,7 +123,7 @@ require (
 	github.com/tinylib/msgp v1.1.8 // indirect
 	go.uber.org/atomic v1.11.0
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/crypto v0.24.0
 	golang.org/x/mod v0.18.0 // indirect
 	golang.org/x/net v0.26.0
 	golang.org/x/sys v0.21.0
diff --git a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
index bd455dcf74..389ec078e3 100644
--- a/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
+++ b/internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go
@@ -1,8 +1,6 @@
 package basicauth
 
 import (
-	"crypto/sha256"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"net/http"
@@ -11,6 +9,7 @@ import (
 
 	"github.com/benbjohnson/clock"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
+	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/net/xsrftoken"
 
 	"github.com/keboola/keboola-as-code/internal/pkg/log"
@@ -108,7 +107,7 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	csrfToken := xsrftoken.Generate(csrfTokenKey, h.csrfTokenSalt, "/")
 	fragment := fmt.Sprintf(`<input type="hidden" name="%s" value="%s">`, template.HTMLEscapeString(csrfTokenKey), template.HTMLEscapeString(csrfToken))
 	if !req.Form.Has("password") && requestCookie == nil {
-		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), nil) // #nosec G203
+		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), nil) // #nosec G203 The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities
 		return nil
 	}
 
@@ -116,7 +115,7 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 	p := req.Form.Get("password")
 	if err := h.isAuthorized(p, requestCookie); err != nil {
 		h.logger.Warn(req.Context(), err.Error())
-		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), err) // #nosec G203
+		h.pageWriter.WriteLoginPage(w, req, &h.app, template.HTML(fragment), err) // #nosec G203 The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities
 		return nil
 	}
 
@@ -131,11 +130,13 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		Host:   req.Host,
 		Path:   path,
 	}
-	hash := sha256.New()
-	hash.Write([]byte(p + string(h.app.ID)))
-	hashedValue := hash.Sum(nil)
+	hash, err := bcrypt.GenerateFromPassword([]byte(p+string(h.app.ID)), bcrypt.DefaultCost)
+	if err != nil {
+		return err
+	}
+
 	v := &http.Cookie{
-		Value: hex.EncodeToString(hashedValue),
+		Value: string(hash),
 	}
 	h.setCookie(w, host, h.CookieExpiration(), v)
 	// Redirect to upstream (Same handler)
@@ -158,10 +159,7 @@ func (h *Handler) isCookieAuthorized(cookie *http.Cookie) error {
 	}
 
 	if cookie != nil {
-		hash := sha256.New()
-		hash.Write([]byte(h.basicAuth.Password + string(h.app.ID)))
-		hashedValue := hash.Sum(nil)
-		if hex.EncodeToString(hashedValue) != cookie.Value {
+		if err := bcrypt.CompareHashAndPassword([]byte(cookie.Value), []byte(h.basicAuth.Password+string(h.app.ID))); err != nil {
 			return errors.New("Cookie has expired.")
 		}
 	}
diff --git a/internal/pkg/service/appsproxy/proxy/proxy_test.go b/internal/pkg/service/appsproxy/proxy/proxy_test.go
index 495d74fd31..c2b10ce806 100644
--- a/internal/pkg/service/appsproxy/proxy/proxy_test.go
+++ b/internal/pkg/service/appsproxy/proxy/proxy_test.go
@@ -2031,7 +2031,7 @@ func TestAppProxyRouter(t *testing.T) {
 				cookies := response.Cookies()
 				if assert.Len(t, cookies, 1) {
 					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
-					assert.Equal(t, "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa", cookies[0].Value)
+					assert.Contains(t, cookies[0].Value, "$2a$10$")
 					assert.Equal(t, "/", cookies[0].Path)
 					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
 					assert.True(t, cookies[0].HttpOnly)
@@ -2080,7 +2080,7 @@ func TestAppProxyRouter(t *testing.T) {
 				cookies := response.Cookies()
 				if assert.Len(t, cookies, 1) {
 					assert.Equal(t, "proxyBasicAuth", cookies[0].Name)
-					assert.Equal(t, "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa", cookies[0].Value)
+					assert.Contains(t, cookies[0].Value, "$2a$10$")
 					assert.Equal(t, "/", cookies[0].Path)
 					assert.Equal(t, "basic-auth.hub.keboola.local", cookies[0].Domain)
 					assert.True(t, cookies[0].HttpOnly)
@@ -2095,6 +2095,7 @@ func TestAppProxyRouter(t *testing.T) {
 				// Request to proxy location
 				request, err = http.NewRequestWithContext(context.Background(), http.MethodGet, location, nil)
 				require.NoError(t, err)
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: cookies[0].Value})
 				response, err = client.Do(request)
 				require.NoError(t, err)
 				body, err = io.ReadAll(response.Body)
@@ -2128,7 +2129,7 @@ func TestAppProxyRouter(t *testing.T) {
 			run: func(t *testing.T, client *http.Client, m []*mockoidc.MockOIDC, appServer *testutil.AppServer, service *testutil.DataAppsAPI, dnsServer *dnsmock.Server) {
 				// Access with cookie
 				request, err := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://basic-auth.hub.keboola.local/", nil)
-				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "bfd0255218cceb44fec106d13875be3b7120b304b97df9bfccbeb9aab19019fa"})
+				request.AddCookie(&http.Cookie{Name: "proxyBasicAuth", Value: "$2a$10$65mF6LI2F0Nm9PkQk8DlJu.C5jD.fseeXWn9CCGmDxLPomikYWtte"})
 				require.NoError(t, err)
 				response, err := client.Do(request)
 				require.NoError(t, err)