From 15ccf554d2e28368b614fdcdc76049807d48d803 Mon Sep 17 00:00:00 2001 From: ZDDC Date: Tue, 28 Apr 2026 17:53:55 -0500 Subject: [PATCH] feat(zddc-server): debug-level dump of every request's full headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ACLMiddleware now slog.Debug's the configured email-header name, the observed value at that name, and the full r.Header map on every request. Off at the default INFO log level; enable per-pod with ZDDC_LOG_LEVEL=debug. Motivated by debugging the X-Auth-Request-Email passthrough chain — when access logs show email=anonymous, /.admin/whoami is unreachable (the admin gate requires a non-empty email, which is the chicken-and-egg). The debug log line dumps headers without the gate, so an operator can identify whichever header name the upstream proxy is actually setting (X-Forwarded-User, X-Forwarded-Email, Remote-User, X-Authentik-Email, etc.) and adjust ZDDC_EMAIL_HEADER accordingly. The debug-level dump captures auth tokens and cookies along with everything else; safe in dev clusters, not appropriate for production unless the operator is comfortable with the trade-off. README documents the trade-off in the Admin Debug Page section. Co-Authored-By: Claude Opus 4.7 (1M context) --- zddc/README.md | 4 ++++ zddc/internal/handler/middleware.go | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/zddc/README.md b/zddc/README.md index 8ea172f..31f4d3e 100644 --- a/zddc/README.md +++ b/zddc/README.md @@ -190,6 +190,10 @@ push code/images but cannot `kubectl exec` into the running container. It surfac `kubectl exec -- env | grep ^ZDDC_` for diagnosing chart / deployment overrides. - **`/.admin/logs`** — recent log entries (last 500) from an in-memory ring buffer. Optional `?level=info|warn|error|debug` and `?since=` query params. + At `ZDDC_LOG_LEVEL=debug` every request also logs its full header map under + `msg=request headers` — useful for diagnosing proxy / SSO header passthrough + (e.g. confirming which header carries the email). Note: that dump includes + auth tokens and cookies; only enable debug in trusted environments. - **`/.admin/`** — HTML dashboard that fetches the three JSON endpoints client-side. ### Authorization diff --git a/zddc/internal/handler/middleware.go b/zddc/internal/handler/middleware.go index 88a2e91..d354301 100644 --- a/zddc/internal/handler/middleware.go +++ b/zddc/internal/handler/middleware.go @@ -20,6 +20,18 @@ const EmailKey contextKey = "email" func ACLMiddleware(cfg config.Config, next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { email := r.Header.Get(cfg.EmailHeader) + // DEBUG-level header dump for diagnosing proxy / SSO header + // passthrough. Off by default (LogLevel info); enable with + // ZDDC_LOG_LEVEL=debug. Logs the configured header name, the + // observed value at that name, and the full request header + // map so an operator can see exactly what reached the binary. + // Note: at debug level this also captures auth tokens, cookies, + // and anything else upstream proxies forward — only enable in + // trusted environments. + slog.Debug("request headers", + "configured", cfg.EmailHeader, + "observed", email, + "headers", r.Header) ctx := context.WithValue(r.Context(), EmailKey, email) next.ServeHTTP(w, r.WithContext(ctx)) })