add: user auth accomplished

docs/README.md

@@ -1,16 +1,18 @@
 # Envoy Gateway Configuration
 
-This document explains how the Envoy gateway is configured and how to modify it.
+This document explains how the Envoy unified ingress gateway is configured and how to modify it.
 
 ## Files
 
-- envoy.yaml: ConfigMap + Deployment + Service for Envoy
+- deploy/k8s/envoy/envoy.yaml: ConfigMap + Deployment + Service for Envoy
 
 ## Current Behavior
 
 - Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
-- All HTTP traffic is routed to user-api only.
-- gRPC is not exposed by this gateway.
+- Route `/api/users` to `user-api-svc:8888`.
+- Route `/api/email` to `email-api-svc:8888`.
+- Route `/healthz` returns `200 ok` directly from gateway.
+- Unknown routes return `404` from gateway.
 
 ## Routing
 
@@ -20,27 +22,30 @@ static_resources -> listeners -> http_connection_manager -> route_config -> virt
 
 The current routing rules are:
 
-- All requests (prefix: "/") -> cluster: user-api
+- `prefix: /api/users` -> `cluster: user_api_cluster`
+- `prefix: /api/email` -> `cluster: email_api_cluster`
+- `path: /healthz` -> direct response `200`
+- `prefix: /` -> direct response `404`
 
 To add a new HTTP service, add a new route above the default route and define a new cluster.
 
-Example: route /order to order-api-svc:8899
+Example: route `/api/order` to `order-api-svc:8899`
 
 1) Add a route match:
 
 - match:
-    prefix: "/order"
+    prefix: "/api/order"
   route:
-    cluster: order-api
+    cluster: order_api_cluster
 
-2) Add a cluster:
+1) Add a cluster:
 
-- name: order-api
+- name: order_api_cluster
   connect_timeout: 2s
   type: STRICT_DNS
   lb_policy: ROUND_ROBIN
   load_assignment:
-    cluster_name: order-api
+    cluster_name: order_api_cluster
     endpoints:
       - lb_endpoints:
           - endpoint:
@@ -49,22 +54,29 @@ Example: route /order to order-api-svc:8899
                   address: order-api-svc.juwan.svc.cluster.local
                   port_value: 8899
 
-## CSRF Protection
+## CSRF Protection (Double Cookie)
 
-Envoy uses a Lua filter for CSRF validation:
+Envoy uses a Lua filter for double-cookie CSRF validation:
 
 - Safe methods (GET/HEAD/OPTIONS):
-  - If csrf_token cookie is missing, Envoy generates one and sets it in the response.
+  - If missing, Envoy auto-issues two cookies:
+    - `csrf_token`
+    - `csrf_guard`
 - Unsafe methods (POST/PUT/PATCH/DELETE, etc):
-  - Requires BOTH:
-    - header: X-CSRF-Token
-    - cookie: csrf_token
-  - Values must match, otherwise Envoy returns 403.
+  - Requires BOTH headers:
+    - `X-CSRF-Token`
+    - `X-CSRF-Guard`
+  - Requires BOTH cookies:
+    - `csrf_token`
+    - `csrf_guard`
+  - Header values must exactly match cookie values, otherwise Envoy returns `403`.
 
-If you want a different cookie name or header name, update these in the Lua code:
+If you want different cookie or header names, update these constants in Lua:
 
-- Header: x-csrf-token
-- Cookie: csrf_token
+- `TOKEN_COOKIE`
+- `GUARD_COOKIE`
+- `TOKEN_HEADER`
+- `GUARD_HEADER`
 
 To relax or tighten rules, edit the functions:
 
@@ -75,9 +87,8 @@ To relax or tighten rules, edit the functions:
 
 Current Set-Cookie:
 
-csrf_token=<value>; Path=/; SameSite=Strict
-
-To add Secure or HttpOnly, update the string in envoy_on_response.
+- `csrf_token=<value>; Path=/; SameSite=Strict`
+- `csrf_guard=<value>; Path=/; SameSite=Strict`
 
 ## Deployment
 
@@ -90,6 +101,8 @@ kubectl apply -f deploy/k8s/envoy/envoy.yaml
 - Change listening port:
   - Update listener port_value and Service targetPort/port.
 - Change service namespace:
-  - Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
+  - Update cluster DNS addresses (e.g. `service.ns.svc.cluster.local`).
 - Add more services:
   - Add route + add cluster, as shown above.
+- Update CSRF policy:
+  - Edit Lua validation logic in `envoy.filters.http.lua`.