fixes

Signed-off-by: Grant Linville <[email protected]>

pkg/api/server/server.go

@@ -62,12 +62,11 @@ func (s *Server) wrap(f api.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		if !s.authorizer.Authorize(req, user) {
-			http.Error(rw, "forbidden", http.StatusForbidden)
-			return
-		}
-
 		if strings.HasPrefix(req.URL.Path, "/api/") {
+			if !s.authorizer.Authorize(req, user) {
+				http.Error(rw, "forbidden", http.StatusForbidden)
+				return
+			}
 			rw.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0")
 			rw.Header().Set("Pragma", "no-cache")
 			rw.Header().Set("Expires", "0")

pkg/bootstrap/bootstrap.go

@@ -7,8 +7,11 @@ import (
 	"os"
 	"strings"
 
+	types2 "github.com/obot-platform/obot/apiclient/types"
 	"github.com/obot-platform/obot/pkg/api"
 	"github.com/obot-platform/obot/pkg/api/authz"
+	"github.com/obot-platform/obot/pkg/gateway/client"
+	"github.com/obot-platform/obot/pkg/gateway/types"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 )
@@ -17,9 +20,10 @@ const bootstrapCookie = "obot-bootstrap"
 
 type Bootstrap struct {
 	token, serverURL string
+	gatewayClient    *client.Client
 }
 
-func New(serverURL string) (*Bootstrap, error) {
+func New(serverURL string, c *client.Client) (*Bootstrap, error) {
 	token := os.Getenv("OBOT_BOOTSTRAP_TOKEN")
 
 	if token == "" {
@@ -35,8 +39,9 @@ func New(serverURL string) (*Bootstrap, error) {
 	fmt.Printf("Bootstrap token: %s\n", token)
 
 	return &Bootstrap{
-		token:     token,
-		serverURL: serverURL,
+		token:         token,
+		serverURL:     serverURL,
+		gatewayClient: c,
 	}, nil
 }
 
@@ -52,14 +57,23 @@ func (b *Bootstrap) AuthenticateRequest(req *http.Request) (*authenticator.Respo
 		return nil, false, nil
 	}
 
+	gatewayUser, err := b.gatewayClient.EnsureIdentityWithRole(
+		req.Context(),
+		&types.Identity{
+			ProviderUsername: "bootstrap",
+		},
+		req.Header.Get("X-Obot-User-Timezone"),
+		types2.RoleAdmin,
+	)
+	if err != nil {
+		return nil, false, err
+	}
+
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
-			Name: "bootstrap",
-			UID:  "bootstrap",
-			Groups: []string{
-				authz.AdminGroup,
-				authz.AuthenticatedGroup,
-			},
+			Name:   "bootstrap",
+			UID:    fmt.Sprintf("%d", gatewayUser.ID),
+			Groups: []string{authz.AdminGroup, authz.AuthenticatedGroup},
 		},
 	}, true, nil
 }

pkg/gateway/server/user.go

@@ -26,13 +26,15 @@ func (s *Server) getCurrentUser(apiContext api.Context) error {
 	}
 
 	name, namespace := apiContext.AuthProviderNameAndNamespace()
-	providerURL, err := s.dispatcher.URLForAuthProvider(apiContext.Context(), namespace, name)
-	if err != nil {
-		return fmt.Errorf("failed to get auth provider URL: %v", err)
-	}
 
-	if err = s.client.UpdateProfileIconIfNeeded(apiContext.Context(), user, name, namespace, providerURL.String()); err != nil {
-		pkgLog.Warnf("failed to update profile icon for user %s: %v", user.Username, err)
+	if name != "" && namespace != "" {
+		providerURL, err := s.dispatcher.URLForAuthProvider(apiContext.Context(), namespace, name)
+		if err != nil {
+			return fmt.Errorf("failmed to get auth provider URL: %v", err)
+		}
+		if err = s.client.UpdateProfileIconIfNeeded(apiContext.Context(), user, name, namespace, providerURL.String()); err != nil {
+			pkgLog.Warnf("failed to update profile icon for user %s: %v", user.Username, err)
+		}
 	}
 
 	return apiContext.Write(types.ConvertUser(user, s.client.IsExplicitAdmin(user.Email)))

pkg/services/config.go

@@ -292,7 +292,7 @@ func New(ctx context.Context, config Config) (*Services, error) {
 		proxyManager       *proxy.Manager
 	)
 
-	bootstrapper, err := bootstrap2.New(config.Hostname)
+	bootstrapper, err := bootstrap2.New(config.Hostname, gatewayClient)
 	if err != nil {
 		return nil, err
 	}