wip

2025-10-31 14:15:50 +00:00 · 2025-03-15 17:44:41 +02:00
parent 52f189563b
commit 0c91465c63
6 changed files with 725 additions and 695 deletions
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -0,0 +1,634 @@
+package handlers
+
+import (
+	"fmt"
+	"math/rand/v2"
+	"net/http"
+	"strings"
+	"tinyauth/internal/auth"
+	"tinyauth/internal/hooks"
+	"tinyauth/internal/providers"
+	"tinyauth/internal/types"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/go-querystring/query"
+	"github.com/pquerna/otp/totp"
+	"github.com/rs/zerolog/log"
+)
+
+func NewHandlers(config types.HandlersConfig, auth *auth.Auth, hooks *hooks.Hooks, providers *providers.Providers) *Handlers {
+	return &Handlers{
+		Config:    config,
+		Auth:      auth,
+		Hooks:     hooks,
+		Providers: providers,
+	}
+}
+
+type Handlers struct {
+	Config    types.HandlersConfig
+	Auth      *auth.Auth
+	Hooks     *hooks.Hooks
+	Providers *providers.Providers
+}
+
+func (h *Handlers) AuthHandler(c *gin.Context) {
+	// Create struct for proxy
+	var proxy types.Proxy
+
+	// Bind URI
+	err := c.BindUri(&proxy)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
+	isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
+
+	if isBrowser {
+		log.Debug().Msg("Request is most likely coming from a browser")
+	} else {
+		log.Debug().Msg("Request is most likely not coming from a browser")
+	}
+
+	log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
+
+	// Check if auth is enabled
+	authEnabled, err := h.Auth.AuthEnabled(c)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to check if auth is enabled")
+
+		if proxy.Proxy == "nginx" || !isBrowser {
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// If auth is not enabled, return 200
+	if !authEnabled {
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Get headers
+	uri := c.Request.Header.Get("X-Forwarded-Uri")
+	proto := c.Request.Header.Get("X-Forwarded-Proto")
+	host := c.Request.Header.Get("X-Forwarded-Host")
+
+	// Check if user is logged in
+	if userContext.IsLoggedIn {
+		log.Debug().Msg("Authenticated")
+
+		// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
+		appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
+
+		// Check if there was an error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to check if app is allowed")
+
+			if proxy.Proxy == "nginx" || !isBrowser {
+				c.JSON(500, gin.H{
+					"status":  500,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			return
+		}
+
+		log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
+
+		// The user is not allowed to access the app
+		if !appAllowed {
+			log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
+
+			// Set WWW-Authenticate header
+			c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+			if proxy.Proxy == "nginx" || !isBrowser {
+				c.JSON(401, gin.H{
+					"status":  401,
+					"message": "Unauthorized",
+				})
+				return
+			}
+
+			// Build query
+			queries, err := query.Values(types.UnauthorizedQuery{
+				Username: userContext.Username,
+				Resource: strings.Split(host, ".")[0],
+			})
+
+			// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to build query")
+				c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+				return
+			}
+
+			// We are using caddy/traefik so redirect
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
+			return
+		}
+
+		// Set the user header
+		c.Header("Remote-User", userContext.Username)
+
+		// The user is allowed to access the app
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Authenticated",
+		})
+		return
+	}
+
+	// The user is not logged in
+	log.Debug().Msg("Unauthorized")
+
+	// Set www-authenticate header
+	c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+
+	if proxy.Proxy == "nginx" || !isBrowser {
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	queries, err := query.Values(types.LoginQuery{
+		RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
+	})
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to build query")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
+
+	// Redirect to login
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", h.Config.AppURL, queries.Encode()))
+}
+
+func (h *Handlers) LoginHandler(c *gin.Context) {
+	// Create login struct
+	var login types.LoginRequest
+
+	// Bind JSON
+	err := c.BindJSON(&login)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind JSON")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got login request")
+
+	// Get user based on username
+	user := h.Auth.GetUser(login.Username)
+
+	// User does not exist
+	if user == nil {
+		log.Debug().Str("username", login.Username).Msg("User not found")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got user")
+
+	// Check if password is correct
+	if !h.Auth.CheckPassword(*user, login.Password) {
+		log.Debug().Str("username", login.Username).Msg("Password incorrect")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Password correct, checking totp")
+
+	// Check if user has totp enabled
+	if user.TotpSecret != "" {
+		log.Debug().Msg("Totp enabled")
+
+		// Set totp pending cookie
+		h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+			Username:    login.Username,
+			Provider:    "username",
+			TotpPending: true,
+		})
+
+		// Return totp required
+		c.JSON(200, gin.H{
+			"status":      200,
+			"message":     "Waiting for totp",
+			"totpPending": true,
+		})
+
+		// Stop further processing
+		return
+	}
+
+	// Create session cookie with username as provider
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: login.Username,
+		Provider: "username",
+	})
+
+	// Return logged in
+	c.JSON(200, gin.H{
+		"status":      200,
+		"message":     "Logged in",
+		"totpPending": false,
+	})
+}
+
+func (h *Handlers) TotpHandler(c *gin.Context) {
+	// Create totp struct
+	var totpReq types.TotpRequest
+
+	// Bind JSON
+	err := c.BindJSON(&totpReq)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind JSON")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Checking totp")
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Check if we have a user
+	if userContext.Username == "" {
+		log.Debug().Msg("No user context")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	// Get user
+	user := h.Auth.GetUser(userContext.Username)
+
+	// Check if user exists
+	if user == nil {
+		log.Debug().Msg("User not found")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	// Check if totp is correct
+	totpOk := totp.Validate(totpReq.Code, user.TotpSecret)
+
+	// TOTP is incorrect
+	if !totpOk {
+		log.Debug().Msg("Totp incorrect")
+		c.JSON(401, gin.H{
+			"status":  401,
+			"message": "Unauthorized",
+		})
+		return
+	}
+
+	log.Debug().Msg("Totp correct")
+
+	// Create session cookie with username as provider
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: user.Username,
+		Provider: "username",
+	})
+
+	// Return logged in
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Logged in",
+	})
+}
+
+func (h *Handlers) LogoutHandler(c *gin.Context) {
+	log.Debug().Msg("Logging out")
+
+	// Delete session cookie
+	h.Auth.DeleteSessionCookie(c)
+
+	log.Debug().Msg("Cleaning up redirect cookie")
+
+	// Clean up redirect cookie if it exists
+	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
+
+	// Return logged out
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Logged out",
+	})
+}
+
+func (h *Handlers) AppHandler(c *gin.Context) {
+	log.Debug().Msg("Getting app context")
+
+	// Get configured providers
+	configuredProviders := h.Providers.GetConfiguredProviders()
+
+	// We have username/password configured so add it to our providers
+	if h.Auth.UserAuthConfigured() {
+		configuredProviders = append(configuredProviders, "username")
+	}
+
+	// Create app context struct
+	appContext := types.AppContext{
+		Status:              200,
+		Message:             "Ok",
+		ConfiguredProviders: configuredProviders,
+		DisableContinue:     h.Config.DisableContinue,
+		Title:               h.Config.Title,
+		GenericName:         h.Config.GenericName,
+	}
+
+	// Return app context
+	c.JSON(200, appContext)
+}
+
+func (h *Handlers) UserHandler(c *gin.Context) {
+	log.Debug().Msg("Getting user context")
+
+	// Get user context
+	userContext := h.Hooks.UseUserContext(c)
+
+	// Create user context response
+	userContextResponse := types.UserContextResponse{
+		Status:      200,
+		IsLoggedIn:  userContext.IsLoggedIn,
+		Username:    userContext.Username,
+		Provider:    userContext.Provider,
+		Oauth:       userContext.OAuth,
+		TotpPending: userContext.TotpPending,
+	}
+
+	// If we are not logged in we set the status to 401 and add the WWW-Authenticate header else we set it to 200
+	if !userContext.IsLoggedIn {
+		log.Debug().Msg("Unauthorized")
+		c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
+		userContextResponse.Message = "Unauthorized"
+	} else {
+		log.Debug().Interface("userContext", userContext).Msg("Authenticated")
+		userContextResponse.Message = "Authenticated"
+	}
+
+	// Return user context
+	c.JSON(200, userContextResponse)
+}
+
+func (h *Handlers) OauthUrlHandler(c *gin.Context) {
+	// Create struct for OAuth request
+	var request types.OAuthRequest
+
+	// Bind URI
+	err := c.BindUri(&request)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "Bad Request",
+		})
+		return
+	}
+
+	log.Debug().Msg("Got OAuth request")
+
+	// Check if provider exists
+	provider := h.Providers.GetProvider(request.Provider)
+
+	// Provider does not exist
+	if provider == nil {
+		c.JSON(404, gin.H{
+			"status":  404,
+			"message": "Not Found",
+		})
+		return
+	}
+
+	log.Debug().Str("provider", request.Provider).Msg("Got provider")
+
+	// Get auth URL
+	authURL := provider.GetAuthURL()
+
+	log.Debug().Msg("Got auth URL")
+
+	// Get redirect URI
+	redirectURI := c.Query("redirect_uri")
+
+	// Set redirect cookie if redirect URI is provided
+	if redirectURI != "" {
+		log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
+		c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", h.Config.Domain, h.Config.CookieSecure, true)
+	}
+
+	// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
+	if request.Provider == "tailscale" {
+		// Build tailscale query
+		tailscaleQuery, err := query.Values(types.TailscaleQuery{
+			Code: (1000 + rand.IntN(9000)),
+		})
+
+		// Handle error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to build query")
+			c.JSON(500, gin.H{
+				"status":  500,
+				"message": "Internal Server Error",
+			})
+			return
+		}
+
+		// Return tailscale URL (immidiately redirects to the callback)
+		c.JSON(200, gin.H{
+			"status":  200,
+			"message": "Ok",
+			"url":     fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", h.Config.AppURL, tailscaleQuery.Encode()),
+		})
+		return
+	}
+
+	// Return auth URL
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "Ok",
+		"url":     authURL,
+	})
+}
+
+func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
+	// Create struct for OAuth request
+	var providerName types.OAuthRequest
+
+	// Bind URI
+	err := c.BindUri(&providerName)
+
+	// Handle error
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to bind URI")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
+
+	// Get code
+	code := c.Query("code")
+
+	// Code empty so redirect to error
+	if code == "" {
+		log.Error().Msg("No code provided")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	log.Debug().Msg("Got code")
+
+	// Get provider
+	provider := h.Providers.GetProvider(providerName.Provider)
+
+	log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
+
+	// Provider does not exist
+	if provider == nil {
+		c.Redirect(http.StatusPermanentRedirect, "/not-found")
+		return
+	}
+
+	// Exchange token (authenticates user)
+	_, err = provider.ExchangeToken(code)
+
+	log.Debug().Msg("Got token")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to exchange token")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Get email
+	email, err := h.Providers.GetUser(providerName.Provider)
+
+	log.Debug().Str("email", email).Msg("Got email")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to get email")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Email is not whitelisted
+	if !h.Auth.EmailWhitelisted(email) {
+		log.Warn().Str("email", email).Msg("Email not whitelisted")
+
+		// Build query
+		unauthorizedQuery, err := query.Values(types.UnauthorizedQuery{
+			Username: email,
+		})
+
+		// Handle error
+		if err != nil {
+			log.Error().Msg("Failed to build query")
+			c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			return
+		}
+
+		// Redirect to unauthorized
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, unauthorizedQuery.Encode()))
+	}
+
+	log.Debug().Msg("Email whitelisted")
+
+	// Create session cookie
+	h.Auth.CreateSessionCookie(c, &types.SessionCookie{
+		Username: email,
+		Provider: providerName.Provider,
+	})
+
+	// Get redirect URI
+	redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
+
+	// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
+	if redirectURIErr != nil {
+		c.Redirect(http.StatusPermanentRedirect, h.Config.AppURL)
+	}
+
+	log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
+
+	// Clean up redirect cookie since we already have the value
+	c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
+
+	// Build query
+	redirectQuery, err := query.Values(types.LoginQuery{
+		RedirectURI: redirectURI,
+	})
+
+	log.Debug().Msg("Got redirect query")
+
+	// Handle error
+	if err != nil {
+		log.Error().Msg("Failed to build query")
+		c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+		return
+	}
+
+	// Redirect to continue with the redirect URI
+	c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, redirectQuery.Encode()))
+}
+
+func (h *Handlers) HealthcheckHandler(c *gin.Context) {
+	c.JSON(200, gin.H{
+		"status":  200,
+		"message": "OK",
+	})
+}