Add reverse-proxy auth middleware reading X-Forwarded-User
Assisted-by: GLM-5.1 via pi
diff --git a/lib/middleware/auth.rb b/lib/middleware/auth.rb
new file mode 100644
index 0000000..f444559
--- /dev/null
+++ b/lib/middleware/auth.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Middleware
+end
+
+class Middleware::Auth
+ def initialize(app, header: "X-Forwarded-User")
+ @app = app
+ @header = header
+ end
+
+ def call(env)
+ user = env["HTTP_#{header_name}"]
+ return [401, {}, ["Unauthorized"]] unless user
+
+ env["domus.user"] = user
+ @app.call(env)
+ end
+
+ private
+
+ def header_name
+ @header.upcase.tr("-", "_")
+ end
+end
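Review bot: The guard `return [401, {}, ["Unauthorized"]] unless user` in `call` rejects only a missing header, so an empty or whitespace-only X-Forwarded-User value (truthy in Ruby) is stored in `env["domus.user"]` and the request is passed on as authenticated. Normalising first closes that: `user = env["HTTP_#{header_name}"].to_s.strip` followed by `return [401, {}, ["Unauthorized"]] if user.empty?`. The class also has no comment on its trust assumption; I would add one above `class Middleware::Auth` such as `# Trusts the configured header as-is: deploy only behind a proxy that overwrites it on every request, and never expose the app directly.` Because Rack maps `-` and `_` in header names to the same `HTTP_...` key, the proxy-side stripping presumably needs to cover the underscore spelling as well; that is worth confirming against the proxy configuration.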
diff --git a/test/test_auth.rb b/test/test_auth.rb
new file mode 100644
index 0000000..caa98e2
--- /dev/null
+++ b/test/test_auth.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+require "rack/test"
+require_relative "../lib/middleware/auth"
+
+class TestAuth < Minitest::Test
+ include Rack::Test::Methods
+
+ def app
+ inner = proc { |env| [200, {}, ["hello #{env['domus.user']}"]] }
+ Middleware::Auth.new(inner)
+ end
+
+ def test_allows_request_with_header
+ get "/", {}, { "HTTP_X_FORWARDED_USER" => "alice" }
+ assert_equal 200, last_response.status
+ assert_equal "hello alice", last_response.body
+ end
+
+ def test_rejects_request_without_header
+ get "/"
+ assert_equal 401, last_response.status
+ assert_equal "Unauthorized", last_response.body
+ end
+end
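Review bot: The two cases cover a present and an absent header but not an empty one, which `call` in lib/middleware/auth.rb currently lets through because `""` is truthy in Ruby. A third test such as `get "/", {}, { "HTTP_X_FORWARDED_USER" => "" }` followed by `assert_equal 401, last_response.status` would pin the intended rejection. The `header:` keyword of `initialize` is also unexercised; a case that builds the middleware with a sample name, e.g. `Middleware::Auth.new(inner, header: "X-Remote-User")`, and sends `HTTP_X_REMOTE_USER` would cover `header_name`.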