fix: make tinyauth not "eat" the authorization header

Stavros
2025-07-15 01:34:25 +03:00
parent 6519644fc1
commit d3bec635f8
3 changed files with 15 additions and 20 deletions


@@ -88,7 +88,9 @@ func (auth *Auth) SearchUser(username string) types.UserSearch {
} }
} }
return types.UserSearch{} return types.UserSearch{
Type: "unknown",
}
} }
func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool { func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
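Review bot: The new "unknown" sentinel is a bare string literal that every caller must spell exactly, and one of the callers touched in this same commit already gets it wrong: the basic-auth check in UseUserContext compares against `"unkown"`, so that guard can never match a search returned from here and the flow falls through to VerifyUser instead of skipping to the session check. Consider a named constant in the types package, e.g. `const UserSearchTypeUnknown = "unknown"`, and `return types.UserSearch{Type: types.UserSearchTypeUnknown}` here, so the comparison in the hooks file cannot drift. SearchUser's body starts outside the hunk, and what VerifyUser does with an unknown-type search is not visible on this page.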


@@ -40,10 +40,7 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
proto := c.Request.Header.Get("X-Forwarded-Proto") proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host") host := c.Request.Header.Get("X-Forwarded-Host")
// Remove the port from the host if it exists
hostPortless := strings.Split(host, ":")[0] // *lol* hostPortless := strings.Split(host, ":")[0] // *lol*
// Get the id
id := strings.Split(hostPortless, ".")[0] id := strings.Split(hostPortless, ".")[0]
labels, err := h.Docker.GetLabels(id, hostPortless) labels, err := h.Docker.GetLabels(id, hostPortless)
@@ -66,10 +63,10 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
ip := c.ClientIP() ip := c.ClientIP()
// Check if the IP is in bypass list
if h.Auth.BypassedIP(labels, ip) { if h.Auth.BypassedIP(labels, ip) {
headersParsed := utils.ParseHeaders(labels.Headers) c.Header("Authorization", c.Request.Header.Get("Authorization"))
headersParsed := utils.ParseHeaders(labels.Headers)
for key, value := range headersParsed { for key, value := range headersParsed {
log.Debug().Str("key", key).Msg("Setting header") log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value) c.Header(key, value)
@@ -87,7 +84,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
return return
} }
// Check if the IP is allowed/blocked
if !h.Auth.CheckIP(labels, ip) { if !h.Auth.CheckIP(labels, ip) {
if proxy.Proxy == "nginx" || !isBrowser { if proxy.Proxy == "nginx" || !isBrowser {
c.JSON(403, gin.H{ c.JSON(403, gin.H{
@@ -113,7 +109,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
return return
} }
// Check if auth is enabled
authEnabled, err := h.Auth.AuthEnabled(uri, labels) authEnabled, err := h.Auth.AuthEnabled(uri, labels)
if err != nil { if err != nil {
log.Error().Err(err).Msg("Failed to check if app is allowed") log.Error().Err(err).Msg("Failed to check if app is allowed")
@@ -129,8 +124,9 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
return return
} }
// If auth is not enabled, return 200
if !authEnabled { if !authEnabled {
c.Header("Authorization", c.Request.Header.Get("Authorization"))
headersParsed := utils.ParseHeaders(labels.Headers) headersParsed := utils.ParseHeaders(labels.Headers)
for key, value := range headersParsed { for key, value := range headersParsed {
log.Debug().Str("key", key).Msg("Setting header") log.Debug().Str("key", key).Msg("Setting header")
@@ -150,7 +146,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
return return
} }
// Get user context
userContext := h.Hooks.UseUserContext(c) userContext := h.Hooks.UseUserContext(c)
// If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth // If we are using basic auth, we need to check if the user has totp and if it does then disable basic auth
@@ -159,7 +154,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
userContext.IsLoggedIn = false userContext.IsLoggedIn = false
} }
// Check if user is logged in
if userContext.IsLoggedIn { if userContext.IsLoggedIn {
log.Debug().Msg("Authenticated") log.Debug().Msg("Authenticated")
@@ -200,7 +194,6 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
return return
} }
// Check groups if using OAuth
if userContext.OAuth { if userContext.OAuth {
groupOk := h.Auth.OAuthGroup(c, userContext, labels) groupOk := h.Auth.OAuthGroup(c, userContext, labels)
@@ -239,19 +232,18 @@ func (h *Handlers) ProxyHandler(c *gin.Context) {
} }
} }
c.Header("Authorization", c.Request.Header.Get("Authorization"))
c.Header("Remote-User", utils.SanitizeHeader(userContext.Username)) c.Header("Remote-User", utils.SanitizeHeader(userContext.Username))
c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name)) c.Header("Remote-Name", utils.SanitizeHeader(userContext.Name))
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email)) c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups)) c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
// Set the rest of the headers
parsedHeaders := utils.ParseHeaders(labels.Headers) parsedHeaders := utils.ParseHeaders(labels.Headers)
for key, value := range parsedHeaders { for key, value := range parsedHeaders {
log.Debug().Str("key", key).Msg("Setting header") log.Debug().Str("key", key).Msg("Setting header")
c.Header(key, value) c.Header(key, value)
} }
// Set basic auth headers if configured
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" { if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" {
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers") log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth headers")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File)))) c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File))))
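Review bot: The line `c.Header("Authorization", c.Request.Header.Get("Authorization"))` is pasted identically into three branches — the bypassed-IP path, the auth-disabled path and the authenticated path — with no comment saying why, and in the third branch it sits just before the configured basic-auth header overwrites it when labels.Basic is set. A small helper such as `func forwardAuthorization(c *gin.Context) { c.Header("Authorization", c.Request.Header.Get("Authorization")) }` called from all three sites, headed by `// Pass the client's Authorization header through to the upstream instead of dropping it`, would keep the sites in step. That comment should also record that in the authenticated path the value being forwarded may be the basic-auth credentials the user just presented to tinyauth, so the upstream application receives them too; since gin's Context.Header deletes the header when the value is empty, the no-header case is harmless. ProxyHandler starts and ends outside these hunks.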


@@ -37,15 +37,15 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
userSearch := hooks.Auth.SearchUser(basic.Username) userSearch := hooks.Auth.SearchUser(basic.Username)
if userSearch.Type == "" { if userSearch.Type == "unkown" {
log.Error().Str("username", basic.Username).Msg("User does not exist") log.Warn().Str("username", basic.Username).Msg("Basic auth user does not exist, skipping")
return types.UserContext{} goto session
} }
// Verify the user // Verify the user
if !hooks.Auth.VerifyUser(userSearch, basic.Password) { if !hooks.Auth.VerifyUser(userSearch, basic.Password) {
log.Error().Str("username", basic.Username).Msg("Password incorrect") log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect, skipping")
return types.UserContext{} goto session
} }
// Get the user type // Get the user type
@@ -75,6 +75,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
} }
session:
// Check cookie error after basic auth // Check cookie error after basic auth
if err != nil { if err != nil {
log.Error().Err(err).Msg("Failed to get session cookie") log.Error().Err(err).Msg("Failed to get session cookie")
@@ -98,7 +99,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
userSearch := hooks.Auth.SearchUser(cookie.Username) userSearch := hooks.Auth.SearchUser(cookie.Username)
if userSearch.Type == "" { if userSearch.Type == "unknown" {
log.Error().Str("username", cookie.Username).Msg("User does not exist") log.Error().Str("username", cookie.Username).Msg("User does not exist")
return types.UserContext{} return types.UserContext{}
} }