allow both duckdns.org and .fr domains

chart/templates/config.yaml

@@ -4,7 +4,7 @@ metadata:
   name: {{ include "webapp.name" . }}-config
   namespace: {{ .Release.Namespace }}
 data:
-  OAUTH_ALLOWED_HOST: webapp.arcodange.duckdns.org
-  OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
+  OAUTH_ALLOWED_HOSTS: webapp.arcodange.duckdns.org,webapp.arcodange.fr
+  # OAUTH_DEVICE_CODE_ALLOWED_IPS: 86.238.234.54,
   DATABASE_URL: postgres://pgbouncer_auth:pgbouncer_auth@pgbouncer.tools/postgres?sslmode=disable
 #  DATABASE_URL: postgres://username:password@localhost/dbname?sslmode=disable

chart/templates/localIngress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: webapp:networking.k8s.io/Ingress:webapp/webapp
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: localIp@file
+    traefik.ingress.kubernetes.io/router.tls: 'true'
+    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
+    traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: webapp.arcodange.duckdns.org
+  name: webapp
+  namespace: webapp
+spec:
+  rules:
+    - host: webapp.arcodange.duckdns.org
+      http:
+        paths:
+          - backend:
+              service:
+                name: webapp
+                port:
+                  number: 8080
+            path: /
+            pathType: Prefix

main.go

@@ -21,8 +21,10 @@ import (
 var (
 	db                        *sql.DB // Global database connection
 	c                         = cache.New(5*time.Minute, 10*time.Minute)
-	oauthAllowedHost          = os.Getenv("OAUTH_ALLOWED_HOST")                                // URL authorized for device code
+	oauthAllowedHosts         = strings.Split(os.Getenv("OAUTH_ALLOWED_HOSTS"), ",")           // authorized HOSTS for device code
 	oauthDeviceCodeAllowedIPs = strings.Split(os.Getenv("OAUTH_DEVICE_CODE_ALLOWED_IPS"), ",") // IPS autorisées pour /retrieve
+	_, localNetwork, _        = net.ParseCIDR("192.168.0.0/16")
+	_, k3sNetwork, _          = net.ParseCIDR("10.42.0.0/16")
 )
 
 // dbConnection initializes the database connection.
@@ -103,7 +105,7 @@ func indexHandler(w http.ResponseWriter, r *http.Request) {
 	</body>
 	</html>
 	`
-	fmt.Fprintf(w, tmpl)
+	fmt.Fprint(w, tmpl)
 }
 
 // selectHandler handles HTTP requests and executes a SQL query.
@@ -151,7 +153,7 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 	// Vérifier le référent (ou origine)
 
 	hostHeader := strings.Trim(r.Header.Get("X-Forwarded-Host"), "[]")
-	if oauthAllowedHost != "" && hostHeader != oauthAllowedHost {
+	if len(oauthAllowedHosts) > 0 && !slices.Contains(oauthAllowedHosts, hostHeader) {
 		fmt.Fprintln(os.Stderr, "X-Forwarded-Host: "+hostHeader)
 		fmt.Fprintln(os.Stderr, "received headers")
 		for key, value := range r.Header {
@@ -283,11 +285,12 @@ func oauth2_callback(w http.ResponseWriter, r *http.Request) {
 func retrieveHandler(w http.ResponseWriter, r *http.Request) {
 	// Récupérer l'IP de l'utilisateur
 	userIP, _, err := net.SplitHostPort(r.RemoteAddr)
-	userIPforwarded := r.Header.Get("X-Forwarded-For")
+	userIPforwarded := net.ParseIP(r.Header.Get("X-Forwarded-For"))
 	if err != nil ||
-		!slices.Contains(oauthDeviceCodeAllowedIPs, userIP) &&
-			!slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded) {
-		fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded)
+		!slices.Contains(oauthDeviceCodeAllowedIPs, userIPforwarded.String()) &&
+			!localNetwork.Contains(userIPforwarded) &&
+			!k3sNetwork.Contains(userIPforwarded) {
+		fmt.Fprintln(os.Stderr, "denied userIP: "+userIP+" forwarded: "+userIPforwarded.String())
 		fmt.Fprintf(os.Stderr, "alowed ips: %+v", oauthDeviceCodeAllowedIPs)
 		// Parcourir tous les headers
 		for name, values := range r.Header {