backend: cmd/pagination: add handlePagination func to get only limited

response size

this helps to get only limited number of resources that the users want
to access not just fetching full resource. and then set continueToken in
the proxy URL.

Author: upsaurav12

backend/cmd/headlamp.go

@@ -453,6 +453,11 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		r = baseRoute.PathPrefix(config.BaseURL).Subrouter()
 	}
 
+	if config.Telemetry != nil && config.Metrics != nil {
+		r.Use(telemetry.TracingMiddleware("headlamp-server"))
+		r.Use(config.Metrics.RequestCounterMiddleware)
+	}
+
 	fmt.Println("*** Headlamp Server ***")
 	fmt.Println("  API Routers:")
 
@@ -484,6 +489,22 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 
 	addPluginRoutes(config, r)
 
+	// Setup port forwarding handlers.
+	r.HandleFunc("/clusters/{clusterName}/portforward", func(w http.ResponseWriter, r *http.Request) {
+		portforward.StartPortForward(config.KubeConfigStore, config.cache, w, r)
+	}).Methods("POST")
+
+	r.HandleFunc("/clusters/{clusterName}/portforward", func(w http.ResponseWriter, r *http.Request) {
+		portforward.StopOrDeletePortForward(config.cache, w, r)
+	}).Methods("DELETE")
+
+	r.HandleFunc("/clusters/{clusterName}/portforward/list", func(w http.ResponseWriter, r *http.Request) {
+		portforward.GetPortForwards(config.cache, w, r)
+	})
+	r.HandleFunc("/clusters/{clusterName}/portforward", func(w http.ResponseWriter, r *http.Request) {
+		portforward.GetPortForwardByID(config.cache, w, r)
+	}).Methods("GET")
+
 	config.handleClusterRequests(r)
 
 	r.HandleFunc("/externalproxy", func(w http.ResponseWriter, r *http.Request) {
@@ -599,6 +620,9 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	// Configuration
 	r.HandleFunc("/config", config.getConfig).Methods("GET")
 
+	// Auth token management
+	r.HandleFunc("/auth/set-token", config.handleSetToken).Methods("POST")
+
 	// Websocket connections
 	r.HandleFunc("/wsMultiplexer", config.multiplexer.HandleClientWebSocket)
 
@@ -672,24 +696,9 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 		http.Redirect(w, r, oauthConfig.AuthCodeURL(state), http.StatusFound)
 	}).Queries("cluster", "{cluster}")
 
-	r.HandleFunc("/portforward", func(w http.ResponseWriter, r *http.Request) {
-		portforward.StartPortForward(config.KubeConfigStore, config.cache, w, r)
-	}).Methods("POST")
-
-	r.HandleFunc("/portforward", func(w http.ResponseWriter, r *http.Request) {
-		portforward.StopOrDeletePortForward(config.cache, w, r)
-	}).Methods("DELETE")
-
-	r.HandleFunc("/portforward/list", func(w http.ResponseWriter, r *http.Request) {
-		portforward.GetPortForwards(config.cache, w, r)
-	})
-
 	r.HandleFunc("/drain-node", config.handleNodeDrain).Methods("POST")
 	r.HandleFunc("/drain-node-status",
 		config.handleNodeDrainStatus).Methods("GET").Queries("cluster", "{cluster}", "nodeName", "{node}")
-	r.HandleFunc("/portforward", func(w http.ResponseWriter, r *http.Request) {
-		portforward.GetPortForwardByID(config.cache, w, r)
-	}).Methods("GET")
 
 	r.HandleFunc("/oidc-callback", func(w http.ResponseWriter, r *http.Request) {
 		state := r.URL.Query().Get("state")
@@ -772,7 +781,10 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 				redirectURL += baseURL + "/"
 			}
 
-			redirectURL += fmt.Sprintf("auth?cluster=%1s&token=%2s", decodedState, rawUserToken)
+			// Set auth cookie
+			auth.SetTokenCookie(w, r, string(decodedState), rawUserToken)
+
+			redirectURL += fmt.Sprintf("auth?cluster=%1s", decodedState)
 			http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 		} else {
 			http.Error(w, "invalid request", http.StatusBadRequest)
@@ -805,9 +817,13 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 			"KUBECONFIG", "X-HEADLAMP-USER-ID",
 		})
 		methods := handlers.AllowedMethods([]string{"GET", "POST", "PUT", "HEAD", "DELETE", "PATCH", "OPTIONS"})
-		origins := handlers.AllowedOrigins([]string{"*"})
 
-		return handlers.CORS(headers, methods, origins)(r)
+		return handlers.CORS(
+			headers,
+			methods,
+			handlers.AllowCredentials(),
+			handlers.AllowedOriginValidator(func(s string) bool { return true }),
+		)(r)
 	}
 
 	return r
@@ -823,10 +839,17 @@ func parseClusterAndToken(r *http.Request) (string, string) {
 		cluster = matches[1]
 	}
 
-	// get token
+	// Try Authorization header first (for backward compatibility)
 	token := r.Header.Get("Authorization")
 	token = strings.TrimPrefix(token, "Bearer ")
 
+	// If no auth header, try cookie
+	if token == "" && cluster != "" {
+		if cookieToken, err := auth.GetTokenFromCookie(r, cluster); err == nil {
+			token = cookieToken
+		}
+	}
+
 	return cluster, token
 }
 
@@ -945,7 +968,7 @@ func cacheRefreshedToken(token *oauth2.Token, tokenType string, oldToken string,
 
 func (c *HeadlampConfig) refreshAndSetToken(oidcAuthConfig *kubeconfig.OidcConfig,
 	cache cache.Cache[interface{}], token string,
-	w http.ResponseWriter, cluster string, span trace.Span, ctx context.Context,
+	w http.ResponseWriter, r *http.Request, cluster string, span trace.Span, ctx context.Context,
 ) {
 	// The token type to use
 	tokenType := "id_token"
@@ -967,12 +990,16 @@ func (c *HeadlampConfig) refreshAndSetToken(oidcAuthConfig *kubeconfig.OidcConfi
 		c.telemetryHandler.RecordError(span, err, "Token refresh failed")
 		c.telemetryHandler.RecordErrorCount(ctx, attribute.String("error", "token_refresh_failure"))
 	} else if newToken != nil {
+		var newTokenString string
 		if c.oidcUseAccessToken {
-			w.Header().Set("X-Authorization", newToken.Extra("access_token").(string))
+			newTokenString = newToken.Extra("access_token").(string)
 		} else {
-			w.Header().Set("X-Authorization", newToken.Extra("id_token").(string))
+			newTokenString = newToken.Extra("id_token").(string)
 		}
 
+		// Set refreshed token in cookie
+		auth.SetTokenCookie(w, r, cluster, newTokenString)
+
 		c.telemetryHandler.RecordEvent(span, "Token refreshed successfully")
 	}
 }
@@ -1105,7 +1132,7 @@ func (c *HeadlampConfig) OIDCTokenRefreshMiddleware(next http.Handler) http.Hand
 		}
 
 		// refresh and cache new token
-		c.refreshAndSetToken(oidcAuthConfig, c.cache, token, w, cluster, span, ctx)
+		c.refreshAndSetToken(oidcAuthConfig, c.cache, token, w, r, cluster, span, ctx)
 
 		next.ServeHTTP(w, r)
 		c.telemetryHandler.RecordDuration(ctx, start,
@@ -1139,13 +1166,6 @@ func StartHeadlampServer(config *HeadlampConfig) {
 	config.Metrics = metrics
 	config.telemetryHandler = telemetry.NewRequestHandler(tel, metrics)
 
-	router := mux.NewRouter()
-
-	if config.Telemetry != nil && config.Metrics != nil {
-		router.Use(telemetry.TracingMiddleware("headlamp-server"))
-		router.Use(config.Metrics.RequestCounterMiddleware)
-	}
-
 	// Copy static files as squashFS is read-only (AppImage)
 	if config.StaticDir != "" {
 		dir, err := os.MkdirTemp(os.TempDir(), ".headlamp")
@@ -1355,6 +1375,8 @@ func (c *HeadlampConfig) handleError(w http.ResponseWriter, ctx context.Context,
 // It parses the request and creates a proxy request to the cluster.
 // That proxy is saved in the cache with the context key.
 func handleClusterAPI(c *HeadlampConfig, router *mux.Router) { //nolint:funlen
+	router.HandleFunc("/clusters/{clusterName}/set-token", c.handleSetToken).Methods("POST")
+
 	router.PathPrefix("/clusters/{clusterName}/{api:.*}").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		start := time.Now()
 		ctx := r.Context()
@@ -1526,8 +1548,6 @@ func (c *HeadlampConfig) getClusters() []Cluster {
 	}
 
 	for _, context := range contexts {
-		context := context
-
 		if context.Error != "" {
 			clusters = append(clusters, Cluster{
 				Name:  context.Name,
@@ -1582,8 +1602,6 @@ func parseCustomNameClusters(contexts []kubeconfig.Context) ([]Cluster, []error)
 	var setupErrors []error
 
 	for _, context := range contexts {
-		context := context
-
 		info := context.KubeContext.Extensions["headlamp_info"]
 		if info != nil {
 			// Convert the runtime.Unknown object to a byte slice
@@ -2044,8 +2062,6 @@ func (c *HeadlampConfig) updateCustomContextToCache(config *api.Config, clusterN
 	}
 
 	for _, context := range contexts {
-		context := context
-
 		// Remove the old context from the store
 		if err := c.KubeConfigStore.RemoveContext(clusterName); err != nil {
 			logger.Log(logger.LevelError, nil, err, "Removing context from the store")
@@ -2430,3 +2446,32 @@ func (c *HeadlampConfig) handleNodeDrainStatus(w http.ResponseWriter, r *http.Re
 	logger.Log(logger.LevelInfo, map[string]string{"duration_ms": fmt.Sprintf("%d", time.Since(start).Milliseconds())},
 		nil, "handleNodeDrainStatus completed")
 }
+
+// handlerSetToken sets the authentication token in a cookie.
+// If the token is an empty string, the cookie is cleared.
+func (c *HeadlampConfig) handleSetToken(w http.ResponseWriter, r *http.Request) {
+	cluster := mux.Vars(r)["clusterName"]
+
+	var req struct {
+		Token string `json:"token"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid JSON", http.StatusBadRequest)
+		return
+	}
+
+	// Validate cluster name is provided
+	if cluster == "" {
+		http.Error(w, "Cluster name is required", http.StatusBadRequest)
+		return
+	}
+
+	if req.Token == "" {
+		auth.ClearTokenCookie(w, r, cluster)
+	} else {
+		auth.SetTokenCookie(w, r, cluster, req.Token)
+	}
+
+	w.WriteHeader(http.StatusOK)
+}