fix(frontend): forwardAuth adds X-Pangolin-Token + Remote-User #134
…min-Routes)

PR #130/#132 had extended WithAuthFrom in the oapi client with X-Pangolin-Token and Remote-User. forwardAuth in admin_api_keys.go is a second, parallel implementation for the admin routes (/admin/printers, /admin/api-keys) that uses the raw http.DefaultClient; the header list there was not updated along with it.

Consequence: SSO users could use the read routes, but all admin routes kept returning 503 because the backend responded with 401 "missing_credentials".

Fix: the same header list in forwardAuth. Plus the regression test TestListPrintersPage_ForwardetPangolinSSOHeaders, which verifies both headers on the httptest server side.

Race detector green, all 4 frontend packages green.

Refs PR #130 (X-Pangolin-Token), PR #132 (Remote-User), PR #133 (ADR 0014 backend side)
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses an authentication issue where admin routes were returning 503 errors due to missing headers in the request forwarding logic. By synchronizing the header list in the raw HTTP client with the existing oapi-Client configuration, the SSO-trust path is restored for browser users.
Code Review
This pull request updates the forwardAuth function in admin_api_keys.go to forward additional SSO-related headers (X-Pangolin-Token and Remote-User) to the backend, preventing 503 errors on admin routes, and adds a corresponding regression test. The reviewer suggests centralizing this header list (e.g., in the api package) to avoid duplication and potential drift with api.HubClient.WithAuthFrom.
| for _, hdr := range []string{ | ||
| "X-Label-Hub-Key", | ||
| "X-Pangolin-User", | ||
| "X-Pangolin-Token", | ||
| "Remote-User", | ||
| "Authorization", | ||
| } { |
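Review bot: Remote-User and X-Pangolin-User in this list are identity assertions copied from the inbound request, and nothing in the visible lines ties them to the SSO proxy. The backend can only trust them if every request to the frontend passes through the proxy and the proxy overwrites any client-supplied values for these names. Suggest a comment next to the list stating that precondition, and dropping these headers when a request did not arrive via the proxy.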
The list of headers to forward is identical to the list in api.HubClient.WithAuthFrom (in frontend/internal/api/client.go). To avoid future divergence (drift) and improve maintainability, it would be advisable to define this header list in one central place (e.g. as an exported variable api.AuthHeaders in the api package) and reuse it in both places.
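An added example, not code from this repository, of the centralization the review comment above suggests: one shared header list used for forwarding, plus a check against a test backend that reports which credential headers a given list fails to deliver. `AuthHeaders` follows the name proposed in the comment; `CopyHeaders`, `MissingAtBackend` and the three-name stale list are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AuthHeaders is the single list both forwarding paths would share (name assumed from the review).
var AuthHeaders = []string{"X-Label-Hub-Key", "X-Pangolin-User", "X-Pangolin-Token", "Remote-User", "Authorization"}

// CopyHeaders (hypothetical helper) forwards only the named headers from src to dst.
func CopyHeaders(names []string, dst, src *http.Request) {
	for _, n := range names {
		if v := src.Header.Get(n); v != "" {
			dst.Header.Set(n, v)
		}
	}
}

// MissingAtBackend forwards a fully populated request using names and returns what never arrived.
func MissingAtBackend(names []string) []string {
	got := make(chan http.Header, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { got <- r.Header.Clone() }))
	defer srv.Close()
	in := httptest.NewRequest(http.MethodGet, "/admin/printers", nil)
	for _, n := range AuthHeaders {
		in.Header.Set(n, "constructed-value") // constructed sample credentials
	}
	out, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
	CopyHeaders(names, out, in)
	resp, err := http.DefaultClient.Do(out)
	if err != nil {
		return AuthHeaders // backend unreachable: treat every header as missing
	}
	resp.Body.Close()
	seen, missing := <-got, []string{}
	for _, n := range AuthHeaders {
		if seen.Get(n) == "" {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	stale := []string{"X-Label-Hub-Key", "X-Pangolin-User", "Authorization"} // assumed older 3-header list
	fmt.Println("shared:", MissingAtBackend(AuthHeaders), "stale:", MissingAtBackend(stale))
}
```

Running the same check over every forwarding path in a test turns a forgotten header into a failing build instead of a 503 in production.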
## 0.11.0 (2026-06-24)

* feat(auth): Pangolin SSO + bypass trusted for all scopes (ADR 0014) (#133) ([4fe1a91](4fe1a91)), closes [#133](#133) [#78](#78) [130/#132](#132)
* feat(nav): "Drucker" link for admin printer management + separate ActiveNav values (#135) ([1e982b0](1e982b0)), closes [#135](#135) [#104](#104)
* fix(frontend): forward Remote-User to the backend (Pangolin SSO standard header) (#132) ([38c0cc3](38c0cc3)), closes [#132](#132) [#130](#130) [#131](#131)
* fix(frontend): forward X-Pangolin-Token to the backend (browser-user 503 fix) (#130) ([5fb2038](5fb2038)), closes [#130](#130)
* fix(frontend): forwardAuth adds X-Pangolin-Token + Remote-User (admin routes) (#134) ([af9ee28](af9ee28)), closes [#134](#134) [130/#132](#132) [#130](#130) [#132](#132) [#133](#133)
* chore(deps): bump the go-minor-and-patch group across 1 directory with 2 updates (#128) ([a72dd90](a72dd90)), closes [#128](#128)
* ci(deps): bump lewagon/wait-on-check-action in the actions-all group (#127) ([e4139ab](e4139ab)), closes [#127](#127)
* docs(api): printers.yaml removed, printers in DB + /admin/printers admin UI (#124) [DRAFT] (#125) ([41bef28](41bef28)), closes [#124](#124) [#125](#125) [#3099](https://github.com/strausmann/label-printer-hub/issues/3099) [compose-passthrou#Pflicht](https://github.com/compose-passthrou/issues/Pflicht) [skip ci]
PR #130/#132 had extended WithAuthFrom in the oapi client, but forwardAuth in admin_api_keys.go (raw http client for /admin/* routes) stayed on the old 3-header list; admin routes kept returning 503. Fix + regression test. Refs PR #130, #132, #133.