klz-cables.com/gatekeeper/index.js

const express = require('express');
const cookieParser = require('cookie-parser');
const path = require('path');

const app = express();
const PORT = process.env.PORT || 3000;
const GATEKEEPER_PASSWORD = process.env.GATEKEEPER_PASSWORD || 'klz2026';
const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN;
const AUTH_COOKIE_NAME = 'klz_gatekeeper_session';

app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));
app.use(express.urlencoded({ extended: true }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public')));

// ForwardAuth check endpoint
app.get('/verify', (req, res) => {
  const session = req.cookies[AUTH_COOKIE_NAME];

  if (session === GATEKEEPER_PASSWORD) {
    return res.status(200).send('OK');
  }

  // Traefik will use this to redirect if requested
  const originalUrl = req.headers['x-forwarded-uri'] || '/';
  const host = req.headers['x-forwarded-host'] || '';
  const proto = req.headers['x-forwarded-proto'] || 'https';

  // Redirect to login
  res.redirect(`${proto}://${host}/gatekeeper/login?redirect=${encodeURIComponent(originalUrl)}`);
});

// Login page
app.get('/gatekeeper/login', (req, res) => {
  res.render('login', {
    error: req.query.error ? 'Invalid password' : null,
    redirect: req.query.redirect || '/',
  });
});

// Handle login
app.post('/gatekeeper/login', (req, res) => {
  const { password, redirect } = req.body;

  if (password === GATEKEEPER_PASSWORD) {
    const cookieOptions = {
      httpOnly: true,
      secure: true,
      path: '/',
      maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
    };

    if (COOKIE_DOMAIN) {
      cookieOptions.domain = COOKIE_DOMAIN;
    }

    res.cookie(AUTH_COOKIE_NAME, GATEKEEPER_PASSWORD, cookieOptions);
    return res.redirect(redirect || '/');
  }

  res.redirect(`/gatekeeper/login?error=1&redirect=${encodeURIComponent(redirect || '/')}`);
});

app.listen(PORT, () => {
  console.log(`Gatekeeper listening on port ${PORT}`);
});