From 46947279b0acfcc1763f3549364611e8d4c25e35 Mon Sep 17 00:00:00 2001
From: Corry Haines
Date: Fri, 20 Jan 2023 16:20:14 -0800
Subject: [PATCH] Attach user identification headers to response (#453)

Add X-Takahe-User and X-Takahe-User-Identity headers to response, when available, to allow for better Nginx log enrichment. Also drop these headers in Nginx so they aren't sent into the world. They probably aren't dangerous since they identfy the users _to themselves_ but strip it for now, just in case.
---
 docker/nginx.conf.d/default.conf.tpl | 4 ++++
 users/middleware.py | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/docker/nginx.conf.d/default.conf.tpl b/docker/nginx.conf.d/default.conf.tpl
index 4143b62..3bcb2b8 100644
--- a/docker/nginx.conf.d/default.conf.tpl
+++ b/docker/nginx.conf.d/default.conf.tpl
@@ -25,6 +25,10 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_http_version 1.1;
 
+ # The user header is available for logging, but not returned to the client
+ proxy_hide_header X-Takahe-User;
+ proxy_hide_header X-Takahe-Identity;
+
 # Serve robots.txt from the non-collected dir as a special case.
 location /robots.txt {
 alias /takahe/static/robots.txt;
diff --git a/users/middleware.py b/users/middleware.py
index 9e7f50d..7192954 100644
--- a/users/middleware.py
+++ b/users/middleware.py
@@ -30,4 +30,10 @@ class IdentityMiddleware:
 request.identity = None
 
 response = self.get_response(request)
+
+ if request.user:
+ response.headers["X-Takahe-User"] = str(request.user)
+ if request.identity:
+ response.headers["X-Takahe-Identity"] = str(request.identity)
+
 return response
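Review bot: In `docker/nginx.conf.d/default.conf.tpl` the two `proxy_hide_header` lines sit at `server` level, and nginx inherits this directive into a `location` only when that location declares no `proxy_hide_header` of its own, so any location that hides some other header would pass `X-Takahe-User` and `X-Takahe-Identity` through to the client. The rest of the server block lies outside the hunk, so this needs checking against the full template. The stripping also exists only in this bundled config, which the comment could state, e.g. `# Stripped by this config only; any other reverse proxy must drop X-Takahe-User and X-Takahe-Identity itself`. The commit description names `X-Takahe-User-Identity`, while both files use `X-Takahe-Identity`, which matters to anyone writing a log format from the description.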
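Review bot: In `users/middleware.py`, `if request.user:` does not separate anonymous from logged-in requests if `request.user` is populated by Django's standard auth middleware, because `AnonymousUser` is truthy, so unauthenticated responses would carry `X-Takahe-User: AnonymousUser`; `if request.user.is_authenticated:` is the usual test. `str(request.user)` puts whatever the model's `__str__` returns (possibly an email address, not visible here) into a response header and from there into access logs, so an opaque value such as `str(request.user.pk)` would keep personal data out of both. Because only the bundled nginx config removes these headers, a deployment served without it returns them on every response, so gating the block on a setting would be safer than relying on the proxy. The method body begins above the hunk, so how `request.identity` is set is not visible here.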