2026-01-23 08:47:05 +00:00
3 changed files with 12 additions and 48 deletions
--- a/.traefik.yml
+++ b/.traefik.yml
@ -11,5 +11,6 @@ testData:
    - userId1
    - userId2
  paths:
-    - base: /v1/users
-      path: /testValue
+    - prefix: /v1/users
+      value: testValue
+    - prefix: /v1/organizations
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -1,16 +0,0 @@
-version: '3'
-
-services:
-  reverse-proxy:
-    image: traefik:v3.0
-    command:
-      - --api.insecure=true
-      - --providers.docker
-      - "--experimental.localPlugins.usersblocker.moduleName=github.com/ditkrg/traefik-users-blocker-plugin"
-    ports:
-      - "80:80"
-      - "8080:8080"
-    volumes:
-      # So that Traefik can listen to the Docker events
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ./:/plugins-local/src/github.com/ditkrg/traefik-users-blocker-plugin
--- a/main.go
+++ b/main.go
@ -4,17 +4,12 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"os"
 	"strings"
 )

-type Rule struct {
-	AllowedSubPaths []string `json:"allowedSubPaths,omitempty"`
-}
-
 type Path struct {
-	Path string `json:"base,omitempty"`
-	Rule Rule   `json:"rule,omitempty"`
+	Prefix      string `json:"prefix,omitempty"`
+	MustContain string `json:"mustContain,omitempty"`
 }

 type Config struct {
@ -42,8 +37,8 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 	}

 	for _, path := range config.Paths {
-		if path.Path == "" {
-			return nil, fmt.Errorf("Paths.Path cannot be empty")
+		if path.Prefix == "" {
+			return nil, fmt.Errorf("Paths.Prefix cannot be empty")
 		}
 	}

@ -58,9 +53,6 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 func (a *UsersBlocker) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	userId := req.Header["X-Auth-User-Id"][0]

-	message := fmt.Sprintf("{requestPath: %s, userId: %s}\n", req.URL.Path, userId)
-	os.Stdout.WriteString(message)
-
 	var isUserBlocked bool

 	for _, id := range a.userId {
@ -75,29 +67,16 @@ func (a *UsersBlocker) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	}

 	for _, path := range a.paths {
-		isPathMatched := strings.HasPrefix(req.URL.Path, path.Path)
+		isPathBlocked := strings.HasPrefix(req.URL.Path, path.Prefix)

-		if !isPathMatched {
-			a.next.ServeHTTP(rw, req)
-			return
+		if isPathBlocked && path.MustContain != "" {
+			isPathBlocked = !strings.Contains(req.URL.Path, path.MustContain)
 		}

-		if len(path.Rule.AllowedSubPaths) == 0 {
-			message := fmt.Sprintf("blocked path %s (matched with %s) for user %s", req.URL.Path, path.Path, userId)
-			os.Stdout.WriteString(message)
-			http.Error(rw, message, http.StatusForbidden)
+		if isPathBlocked {
+			http.Error(rw, "Forbidden", http.StatusForbidden)
 			return
 		}
-
-		for _, allowedSubPath := range path.Rule.AllowedSubPaths {
-			isAllowedSubPathMatched := strings.HasPrefix(req.URL.Path, path.Path+allowedSubPath)
-			if !isAllowedSubPathMatched {
-				message := fmt.Sprintf("blocked path %s (matched with %s) for user %s", req.URL.Path, path.Path+path.Path+allowedSubPath, userId)
-				os.Stdout.WriteString(message)
-				http.Error(rw, message, http.StatusForbidden)
-				return
-			}
-		}
 	}

 	a.next.ServeHTTP(rw, req)