feat: support HTTP redirect for forward authentication middleware in Traefik (#368)

* feat: support HTTP redirect for forward authentication middleware in Traefik

* fix(docs): fix my terrible merge 

Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com>

* chore: fix typo in docs

Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com>

* fix(ci): add forwardauth

Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com>

* chore: improve doc, target must be a space

* chore: changelog

* fix: validate X-Forwarded headers and check redirect domain

* chore: refactor error handling

* fix(doc): cookie traefik

* fix: tests merge

* Update docs/docs/admin/environments/traefik.mdx

Co-authored-by: Henri Vasserman <henv@hot.ee>
Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Jason Cameron <git@jasoncameron.dev>
Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com>
Signed-off-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Jason Cameron <git@jasoncameron.dev>
Co-authored-by: Jason Cameron <jasoncameron.all@gmail.com>
Co-authored-by: Xe Iaso <me@xeiaso.net>
Co-authored-by: Henri Vasserman <henv@hot.ee>

lib/http_test.go

@@ -1,10 +1,13 @@
 package lib
 
 import (
+	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/lib/policy"
 )
 
 func TestSetCookie(t *testing.T) {
@@ -129,3 +132,62 @@ func TestClearCookieWithDynamicDomain(t *testing.T) {
 		t.Errorf("wanted cookie max age of -1, got: %d", ckie.MaxAge)
 	}
 }
+
+func TestRenderIndexRedirect(t *testing.T) {
+	s := &Server{
+		opts: Options{
+			PublicUrl: "https://anubis.example.com",
+		},
+	}
+	req := httptest.NewRequest("GET", "/", nil)
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("X-Forwarded-Host", "example.com")
+	req.Header.Set("X-Forwarded-Uri", "/foo")
+
+	rr := httptest.NewRecorder()
+	s.RenderIndex(rr, req, policy.CheckResult{}, nil, true)
+
+	if rr.Code != http.StatusTemporaryRedirect {
+		t.Errorf("expected status %d, got %d", http.StatusTemporaryRedirect, rr.Code)
+	}
+	location := rr.Header().Get("Location")
+	parsedURL, err := url.Parse(location)
+	if err != nil {
+		t.Fatalf("failed to parse location URL %q: %v", location, err)
+	}
+
+	scheme := "https"
+	if parsedURL.Scheme != scheme {
+		t.Errorf("expected scheme to be %q, got %q", scheme, parsedURL.Scheme)
+	}
+
+	host := "anubis.example.com"
+	if parsedURL.Host != host {
+		t.Errorf("expected url to be %q, got %q", host, parsedURL.Host)
+	}
+
+	redir := parsedURL.Query().Get("redir")
+	expectedRedir := "https://example.com/foo"
+	if redir != expectedRedir {
+		t.Errorf("expected redir param to be %q, got %q", expectedRedir, redir)
+	}
+}
+
+func TestRenderIndexUnauthorized(t *testing.T) {
+	s := &Server{
+		opts: Options{
+			PublicUrl: "",
+		},
+	}
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	s.RenderIndex(rr, req, policy.CheckResult{}, nil, true)
+
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("expected status %d, got %d", http.StatusUnauthorized, rr.Code)
+	}
+	if body := rr.Body.String(); body != "Authorization required" {
+		t.Errorf("expected body %q, got %q", "Authorization required", body)
+	}
+}