fix(tir): change /v4/issuers implementation to match specification (#23)

* add filter to get x-forwarded-for headers

* fix(tir): change /v4/issuers implementation to match specification

The specification indicates that page[after] represents the page being accessed. The implementation has been updated to follow this behavior. Pages start at 0.
Additionally, the links and the self did not reference the full URL, but only the path, without the host, port, or protocol. For its implementation,
`micronaut.server.forward-headers` configuration has been added to read the X-Forwarded-* headers.

* setup qemu to build multiarch images

* feat(server): add support to RFC 7239 Forward header

---------

Co-authored-by: Stefan Wiedemann <wistefan@googlemail.com>

Author: Mortega5

.github/workflows/pre-release.yml

@@ -55,8 +55,18 @@ jobs:
           java-version: '21'
           java-package: jdk
 
-      - name: Log into quay.io
-        run: docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" ${{ env.REGISTRY }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Build&Push image
         run: |

.github/workflows/release.yml

@@ -47,8 +47,18 @@ jobs:
           java-version: '21'
           java-package: jdk
 
-      - name: Log into quay.io
-        run: docker login -u "${{ secrets.QUAY_USERNAME }}" -p "${{ secrets.QUAY_PASSWORD }}" ${{ env.REGISTRY }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Build&Push image
         run: |

api/trusted-issuers-registry.yaml

@@ -85,8 +85,10 @@ components:
       in: query
       required: false
       schema:
-        type: string
-        example: did:key:z6MksU6tMfbaDzvaRe5oFE4eZTVTV4HJM4fmQWWGsDGQVsEr
+        type: integer
+        minimum: 0
+        default: 0
+        example: 0
   schemas:
     IssuerEntry:
       type: object

src/main/java/org/fiware/iam/configuration/ForwardedForConfig.java

@@ -0,0 +1,46 @@
+package org.fiware.iam.configuration;
+
+import io.micronaut.context.annotation.ConfigurationProperties;
+import lombok.Getter;
+
+/**
+ * Configuration for processing forwarded request headers.
+ * This configuration is used to extract information from headers such as
+ * Forwarded and X-Forwarded-* to determine the original request details.
+ * `Forwarded` header, as defined in RFC 7239, is preferred over `X-Forwarded-*` headers.
+ */
+@ConfigurationProperties("micronaut.server.forward-headers")
+@Getter
+public class ForwardedForConfig {
+
+
+    /**
+     * The name of the header that carries the protocol.
+     * Default: "X-Forwarded-Proto".
+     */
+    private String protocolHeader;
+
+    /**
+     * The name of the header that carries the port.
+     * Default: "X-Forwarded-Port".
+     */
+    private String portHeader;
+
+    /**
+     * The name of the header that carries the host.
+     * Default: "X-Forwarded-Host".
+     */
+    private String hostHeader;
+
+    /**
+     * The name of the header that carries the context path or prefix of the request.
+     * Default: "X-Forwarded-Prefix".
+     */
+    private String prefixHeader;
+
+    /**
+     * The name of the header that carries the client’s IP address.
+     * Default: "X-Forwarded-For".
+     */
+    private String forHeader;
+}

src/main/java/org/fiware/iam/filter/ForwardHeaderParser.java

@@ -0,0 +1,161 @@
+package org.fiware.iam.filter;
+
+import io.micronaut.http.HttpHeaders;
+import io.micronaut.http.HttpRequest;
+import io.micronaut.http.server.HttpServerConfiguration;
+import io.micronaut.http.ssl.ServerSslConfiguration;
+import jakarta.inject.Singleton;
+import org.fiware.iam.configuration.ForwardedForConfig;
+
+import java.util.function.Consumer;
+
+/**
+ * Parses HTTP forwarding headers to extract client request information.
+ *
+ * <p>
+ * This parser handles both the standard RFC 7239 `Forwarded` header and
+ * configurable legacy `X-Forwarded-*` headers. It extracts key information
+ * such as:
+ * <ul>
+ *     <li>Original client IP address (`for` / X-Forwarded-For)</li>
+ *     <li>Original protocol (`proto` / X-Forwarded-Proto)</li>
+ *     <li>Host and optional port (`host` / X-Forwarded-Host and X-Forwarded-Port)</li>
+ *     <li>Proxy information (`by`)</li>
+ *     <li>Path prefix added by upstream proxies (`X-Forwarded-Prefix`)</li>
+ * </ul>
+ * </p>
+ */
+@Singleton
+public class ForwardHeaderParser {
+
+    public static final int DEFAULT_HTTP_PORT = 80;
+    public static final int DEFAULT_HTTPS_PORT = 443;
+
+    private static final String DEFAULT_HOST = "localhost";
+    private static final String HTTP_PROTOCOL = "http";
+    private static final String HTTPS_PROTOCOL = "https";
+
+    // RFC 7239 directive names
+    private static final String FOR_DIRECTIVE = "for";
+    private static final String HOST_DIRECTIVE = "host";
+    private static final String PROTO_DIRECTIVE = "proto";
+    private static final String BY_DIRECTIVE = "by";
+
+    private final ForwardedForConfig config;
+    private final int serverPort;
+    private final String defaultServerProtocol;
+    private final String defaultHost;
+
+    public ForwardHeaderParser(ForwardedForConfig config, HttpServerConfiguration serverConfiguration,
+                               ServerSslConfiguration sslConfig) {
+
+        this.config = config;
+        this.serverPort = serverConfiguration.getPort().orElse(HttpServerConfiguration.DEFAULT_PORT);
+        this.defaultServerProtocol = sslConfig.isEnabled() ? HTTPS_PROTOCOL : HTTP_PROTOCOL;
+        this.defaultHost = serverConfiguration.getHost().orElse(DEFAULT_HOST);
+    }
+
+    /**
+     * Parses the provided HTTP headers to extract forwarding information.
+     *
+     * <p>
+     * This method reads both the standard `Forwarded` header (RFC 7239) and
+     * any legacy `X-Forwarded-*` headers as configured in {@link ForwardedForConfig}.
+     * It populates a {@link ForwardedInfo} object with the extracted details:
+     * client IP (`for`), protocol (`proto`), host, port, proxy (`by`), and path prefix.
+     * `Forwarded` header values take precedence over legacy headers when both are present.
+     * </p>
+     *
+     * <p>
+     * The returned {@link ForwardedInfo} object can be used by downstream filters or
+     * controllers to reconstruct the original request URL or handle redirects correctly
+     * when behind reverse proxies.
+     * </p>
+     *
+     * @param request the incoming request
+     * @return a {@link ForwardedInfo} object containing the parsed forwarding details
+     */
+    public ForwardedInfo parse(HttpRequest<?> request) {
+
+        HttpHeaders headers = request.getHeaders();
+        ForwardedInfo forwardedInfo = new ForwardedInfo(null, defaultServerProtocol, defaultHost, serverPort, null, "");
+        parseLegacyForwardedHeaders(headers, forwardedInfo);
+        parseForwardedHeader(headers, forwardedInfo);
+
+        int port = forwardedInfo.getForwardedPort();
+        String proto = forwardedInfo.getForwardedProto();
+
+        if (port == 0) {
+            forwardedInfo.setForwardedPort(HTTPS_PROTOCOL.equalsIgnoreCase(proto) ? DEFAULT_HTTPS_PORT : DEFAULT_HTTP_PORT);
+        } else if (port == -1) {
+            // Use the actual server port if the forwarded port is invalid
+            forwardedInfo.setForwardedPort(request.getServerAddress().getPort());
+        }
+
+        return forwardedInfo;
+    }
+
+    private void parseForwardedHeader(HttpHeaders headers, ForwardedInfo defaultEntry) {
+
+        String forwardedHeader = headers.get(HttpHeaders.FORWARDED);
+        if (forwardedHeader == null || forwardedHeader.isEmpty()) {
+            return ;
+        }
+
+        String[] directives = forwardedHeader.split(";");
+
+        for (String directive : directives) {
+            // get only first keyValue if multiple are present
+            String[] keyValue = directive.trim().split(",")[0].split("=", 2);
+            if (keyValue.length == 2) {
+                String key = keyValue[0].trim().toLowerCase();
+                String value = keyValue[1].trim().replaceAll("^\"|\"$", ""); // remove quotes
+                switch (key) {
+                    case FOR_DIRECTIVE:
+                        defaultEntry.setForwardedFor(value);
+                        break;
+                    case PROTO_DIRECTIVE:
+                        defaultEntry.setForwardedProto(value);
+                        break;
+                    case HOST_DIRECTIVE:
+                        // Extract host and optional port
+                        if (value.contains(":")) {
+                            String[] hostParts = value.split(":", 2);
+                            defaultEntry.setForwardedHost(hostParts[0]);
+                            try {
+                                defaultEntry.setForwardedPort(Integer.parseInt(hostParts[1]));
+                            } catch (NumberFormatException e) {
+                                defaultEntry.setForwardedPort(0);
+                            }
+                        } else {
+                            defaultEntry.setForwardedHost(value);
+                            defaultEntry.setForwardedPort(0);
+                        }
+                        break;
+                    case BY_DIRECTIVE:
+                        defaultEntry.setForwardedBy(value);
+                        break;
+                }
+            }
+        }
+    }
+
+    private void parseLegacyForwardedHeaders(HttpHeaders headers, ForwardedInfo defaultEntry) {
+
+        getHeaderValue(headers, config.getForHeader(), defaultEntry::setForwardedFor);
+        getHeaderValue(headers, config.getProtocolHeader(), defaultEntry::setForwardedProto);
+        getHeaderValue(headers, config.getHostHeader(), defaultEntry::setForwardedHost);
+        getHeaderValue(headers, config.getPortHeader(), defaultEntry::setForwardedPortStr);
+        getHeaderValue(headers, config.getPrefixHeader(), defaultEntry::setForwardedPrefix);
+    }
+
+    private void getHeaderValue(HttpHeaders headers, String headerName, Consumer<String> setter) {
+
+        if (headerName != null) {
+            String value = headers.get(headerName);
+            if (value != null) {
+                setter.accept(value);
+            }
+        }
+    }
+}

src/main/java/org/fiware/iam/filter/ForwardedForFilter.java

@@ -0,0 +1,98 @@
+package org.fiware.iam.filter;
+
+import io.micronaut.core.order.Ordered;
+import io.micronaut.http.HttpRequest;
+import io.micronaut.http.MutableHttpResponse;
+import io.micronaut.http.annotation.Filter;
+import io.micronaut.http.filter.HttpServerFilter;
+import io.micronaut.http.filter.ServerFilterChain;
+import io.micronaut.http.uri.UriBuilder;
+import org.reactivestreams.Publisher;
+
+import java.net.URI;
+
+/**
+ * HTTP server filter that normalizes and exposes forwarding information for incoming requests.
+ *
+ * <p>
+ * This filter reads the RFC 7239 Forwarded header as well as legacy X-Forwarded-* headers
+ * (such as X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host, X-Forwarded-Prefix) from
+ * each request. It parses these headers to determine the original client IP, protocol,
+ * host, port, and any path prefix applied by upstream proxies or gateways.
+ * </p>
+ *
+ * <p>
+ * The filter then computes the full original request URL and stores it, along with the parsed
+ * forwarding details, as attributes in the request:
+ * <ul>
+ *     <li>{@link #REQ_ATTR}: the reconstructed request URI</li>
+ *     <li>{@link #FORWARD_INFO_ATTR}: the {@link ForwardedInfo} object containing all parsed forwarding information</li>
+ * </ul>
+ * </p>
+ *
+ * <p>
+ * Downstream controllers and filters can use these attributes to correctly generate
+ * absolute URLs, redirects, or logs that reflect the original client-facing request
+ * even when behind reverse proxies.
+ * </p>
+ */
+@Filter(Filter.MATCH_ALL_PATTERN)
+public class ForwardedForFilter implements HttpServerFilter, Ordered {
+
+    public static final String REQ_ATTR = "server-req";
+    public static final String FORWARD_INFO_ATTR = "forwarded-info";
+
+    private static final String HTTP_PROTOCOL = "http";
+    private static final String HTTPS_PROTOCOL = "https";
+
+    private final ForwardHeaderParser forwardHeaderParser;
+
+    public ForwardedForFilter(ForwardHeaderParser forwardHeaderParser) {
+
+        this.forwardHeaderParser = forwardHeaderParser;
+    }
+
+    @Override
+    public Publisher<MutableHttpResponse<?>> doFilter(HttpRequest<?> request, ServerFilterChain chain) {
+
+        ForwardedInfo forwardedInfo = forwardHeaderParser.parse(request);
+
+        URI reqUrl = getReqUrl(forwardedInfo);
+
+        HttpRequest<?> modifiedRequest = request
+                .setAttribute(REQ_ATTR, reqUrl)
+                .setAttribute(FORWARD_INFO_ATTR, forwardedInfo);
+
+        return chain.proceed(modifiedRequest);
+    }
+
+    private URI getReqUrl(ForwardedInfo forwardedInfo) {
+
+
+        String protocol = forwardedInfo.getForwardedProto();
+        String host = forwardedInfo.getForwardedHost();
+        int port = forwardedInfo.getForwardedPort();
+        String prefix = forwardedInfo.getForwardedPrefix();
+
+        // Ignore default ports
+        Integer portToUse = null;
+        if (!(HTTP_PROTOCOL.equalsIgnoreCase(protocol) && port == ForwardHeaderParser.DEFAULT_HTTP_PORT)
+                && !(HTTPS_PROTOCOL.equalsIgnoreCase(protocol) && port == ForwardHeaderParser.DEFAULT_HTTPS_PORT)) {
+            portToUse = port;
+        }
+
+        UriBuilder builder = UriBuilder.of(protocol + "://" + host).path(prefix);
+
+        if (portToUse != null) {
+            builder.port(portToUse);
+        }
+
+        return builder.build();
+    }
+
+    @Override
+    public int getOrder() {
+
+        return Ordered.HIGHEST_PRECEDENCE;
+    }
+}

src/main/java/org/fiware/iam/filter/ForwardedInfo.java

@@ -0,0 +1,29 @@
+package org.fiware.iam.filter;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.ToString;
+
+@AllArgsConstructor
+@ToString
+@Data
+public class ForwardedInfo {
+
+    private String forwardedFor;
+    private String forwardedProto;
+    private String forwardedHost;
+    private int forwardedPort;
+    private String forwardedBy;
+    private String forwardedPrefix;
+
+    public void setForwardedPortStr(String portStr) {
+        if (portStr == null || portStr.isEmpty()) {
+            return;
+        }
+        this.forwardedPort = Integer.parseInt(portStr);
+    }
+
+    public String getForwardedPrefix() {
+        return forwardedPrefix != null ? forwardedPrefix : "";
+    }
+}