Source: iapheader.go in package golang.org/x/pkgsite/internal/middleware


package middleware

import (
	"context"
	"errors"
	"fmt"
	"net/http"

	"google.golang.org/api/idtoken"
)

ValidateIAPHeader checks that the request has a header that proves it arrived via the IAP. See https://cloud.google.com/iap/docs/signed-headers-howto#securing_iap_headers.

func ValidateIAPHeader(audience string) Middleware {
	return func(h http.Handler) http.Handler {

Health checks don't come from the IAP; allow them.

Adapted from https://github.com/GoogleCloudPlatform/golang-samples/blob/master/iap/validate.go

				token := r.Header.Get("X-Goog-IAP-JWT-Assertion")
				if err := validateIAPToken(r.Context(), token, audience); err != nil {
					http.Error(w, err.Error(), http.StatusUnauthorized)
					return
				}
			}
			h.ServeHTTP(w, r)
		})
	}
}

func validateIAPToken(ctx context.Context, iapJWT, audience string) error {
	if iapJWT == "" {
		return errors.New("missing IAP token")
	}
	if _, err := idtoken.Validate(ctx, iapJWT, audience); err != nil {
		return fmt.Errorf("validating IPA token: %v", err)
	}
	return nil