mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-07-10 04:00:17 +00:00
Compare commits
29 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 250e6fb8a1 | |||
| 056116bf1e | |||
| 2460528500 | |||
| a8777f24da | |||
| 63ab2c9e3f | |||
| 941b882fc9 | |||
| 0e7e281429 | |||
| 181a6cf58c | |||
| 928f9b3133 | |||
| 105de0a608 | |||
| 9bb1e88492 | |||
| aa86e179bb | |||
| 3a435de109 | |||
| e0b8151f66 | |||
| 0d94c16bff | |||
| 097efe9d42 | |||
| 8d84b3e6af | |||
| c7edf79a6d | |||
| f6188f6a8d | |||
| 7235855061 | |||
| 768eb29292 | |||
| 9743fe71cc | |||
| 93e2a6a7fa | |||
| 1649a96cd6 | |||
| 2cb606e5aa | |||
| 229a5ae3c3 | |||
| 122e02811a | |||
| cf97a7a251 | |||
| 82189617b8 |
@@ -86,7 +86,7 @@
|
||||
"addressScopeName": "Adres",
|
||||
"addressScopeDescription": "Geeft de app toegang tot je adres.",
|
||||
"loginTailscaleTitle": "Doorgaan met Tailscale",
|
||||
"loginTailscaleDescription": "Je lijkt toegang te hebben tot Tinyauth vanaf een geautoriseerd Tailscale-apparaat. Wil je doorgaan met je Tailscale-verbinding?",
|
||||
"loginTailscaleDescription": "Je lijkt toegang te hebben tot Tinyauth vanaf een geautoriseerd Tailscale-apparaat. Wil je doorgaan met jeTailscale-verbinding?",
|
||||
"loginTailscaleDeviceName": "Apparaatnaam:",
|
||||
"loginTailscaleOtherMethod": "Op een andere manier inloggen",
|
||||
"loginTailscaleSuccess": "Succesvol geauthenticeerd met Tailscale.",
|
||||
|
||||
@@ -77,7 +77,7 @@
|
||||
"emailScopeName": "E-mail",
|
||||
"emailScopeDescription": "Zezwala aplikacji na dostęp do adresów e-mail.",
|
||||
"profileScopeName": "Profil",
|
||||
"profileScopeDescription": "Zezwala aplikacji na dostęp do informacji o profilu.",
|
||||
"profileScopeDescription": "Zezwala aplikacji na dostęp do informacji o porfilu.",
|
||||
"groupsScopeName": "Grupy",
|
||||
"groupsScopeDescription": "Zezwala aplikacji na dostęp do informacji o grupie.",
|
||||
"backToLoginButton": "Wróć do logowania",
|
||||
|
||||
@@ -99,7 +99,7 @@
|
||||
"quickActionsThemeSystem": "Систем",
|
||||
"quickActionsLogout": "Одјава",
|
||||
"quickActionsTitle": "Брзе радње",
|
||||
"quickActionsProviderLocal": "Локално",
|
||||
"quickActionsProviderLocal": "Lokalno",
|
||||
"quickActionsProviderLDAP": "LDAP",
|
||||
"quickActionsProviderOAuth": "{{provider}} OAuth"
|
||||
}
|
||||
|
||||
@@ -98,7 +98,7 @@
|
||||
"quickActionsThemeDark": "暗色主题",
|
||||
"quickActionsThemeSystem": "跟随系统",
|
||||
"quickActionsLogout": "登出",
|
||||
"quickActionsTitle": "快速操作",
|
||||
"quickActionsTitle": "快速行動",
|
||||
"quickActionsProviderLocal": "本地",
|
||||
"quickActionsProviderLDAP": "LDAP",
|
||||
"quickActionsProviderOAuth": "{{provider}} OAuth"
|
||||
|
||||
@@ -184,7 +184,8 @@ export const AuthorizePage = () => {
|
||||
<CardFooter className="flex flex-col items-stretch gap-3">
|
||||
<Button
|
||||
onClick={() => authorizeMutate()}
|
||||
loading={authorizePending || shouldAutoAuthorize}
|
||||
loading={authorizePending}
|
||||
disabled={shouldAutoAuthorize}
|
||||
>
|
||||
{t("authorizeTitle")}
|
||||
</Button>
|
||||
|
||||
@@ -177,7 +177,8 @@ func (app *BootstrapApp) Setup() error {
|
||||
cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
|
||||
|
||||
app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
|
||||
app.runtime.ScopeCookieName = fmt.Sprintf("%s-%s", model.OIDCScopeCookieName, cookieId)
|
||||
app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
|
||||
app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
|
||||
app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
|
||||
|
||||
// database
|
||||
|
||||
@@ -34,7 +34,6 @@ type OIDCController struct {
|
||||
log *logger.Logger
|
||||
oidc *service.OIDCService
|
||||
runtime *model.RuntimeConfig
|
||||
config *model.Config
|
||||
}
|
||||
|
||||
type AuthorizeCallback struct {
|
||||
@@ -88,7 +87,6 @@ type OIDCControllerInput struct {
|
||||
|
||||
Log *logger.Logger
|
||||
OIDCService *service.OIDCService
|
||||
Config *model.Config
|
||||
RuntimeConfig *model.RuntimeConfig
|
||||
RouterGroup *gin.RouterGroup `name:"apiRouterGroup"`
|
||||
MainRouter *gin.RouterGroup `name:"mainRouterGroup"`
|
||||
@@ -99,7 +97,6 @@ func NewOIDCController(i OIDCControllerInput) *OIDCController {
|
||||
log: i.Log,
|
||||
oidc: i.OIDCService,
|
||||
runtime: i.RuntimeConfig,
|
||||
config: i.Config,
|
||||
}
|
||||
|
||||
i.MainRouter.POST("/authorize", controller.authorize)
|
||||
@@ -244,19 +241,6 @@ func (controller *OIDCController) authorize(c *gin.Context) {
|
||||
}
|
||||
}
|
||||
|
||||
cookieId := strings.SplitN(client.ClientID, "-", 2)[0]
|
||||
cookieName := fmt.Sprintf("%s-%s", controller.runtime.ScopeCookieName, cookieId)
|
||||
scopeCookie, err := c.Cookie(cookieName)
|
||||
|
||||
if err == nil {
|
||||
scopes := fmt.Sprintf("scopes=%s;", req.Scope)
|
||||
if controller.oidc.VerifySignedValue(client.ClientSecret, []byte(scopes), scopeCookie) {
|
||||
if values.OIDCPrompt != service.OIDCPromptLogin {
|
||||
values.OIDCPrompt = service.OIDCPromptNone
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
queries, err := query.Values(values)
|
||||
|
||||
if err != nil {
|
||||
@@ -335,19 +319,6 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
// Get the client
|
||||
client, ok := controller.oidc.GetClient(authorizeReq.ClientID)
|
||||
|
||||
if !ok {
|
||||
controller.authorizeError(c, authorizeErrorParams{
|
||||
err: errors.New("client not found"),
|
||||
reason: "Client not found",
|
||||
reasonPublic: "The client is not configured",
|
||||
json: true,
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
// We no longer need the ticket
|
||||
controller.oidc.DeleteAuthorizeRequestTicket(req.Ticket)
|
||||
|
||||
@@ -390,22 +361,6 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
// Set a cookie for the consent screen (approved scopes)
|
||||
cookieId := strings.SplitN(client.ClientID, "-", 2)[0]
|
||||
cookieName := fmt.Sprintf("%s-%s", controller.runtime.ScopeCookieName, cookieId)
|
||||
scopes := fmt.Sprintf("scopes=%s;", authorizeReq.Scope)
|
||||
|
||||
cookie := &http.Cookie{
|
||||
Name: cookieName,
|
||||
Value: controller.oidc.CreateSignedValue(client.ClientSecret, []byte(scopes)),
|
||||
Path: "/",
|
||||
Secure: controller.config.Auth.SecureCookie,
|
||||
HttpOnly: true,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
}
|
||||
|
||||
http.SetCookie(c.Writer, cookie)
|
||||
|
||||
c.JSON(200, gin.H{
|
||||
"status": 200,
|
||||
"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),
|
||||
|
||||
@@ -20,7 +20,8 @@ var OverrideProviders = map[string]string{
|
||||
var ReservedProviderNames = []string{"local", "ldap", "tailscale"}
|
||||
|
||||
const SessionCookieName = "tinyauth-session"
|
||||
const CSRFCookieName = "tinyauth-csrf"
|
||||
const RedirectCookieName = "tinyauth-redirect"
|
||||
const OAuthSessionCookieName = "tinyauth-oauth"
|
||||
const OIDCScopeCookieName = "tinyauth-scope"
|
||||
|
||||
const GracefulShutdownTimeout = 5 // seconds
|
||||
|
||||
@@ -5,7 +5,8 @@ type RuntimeConfig struct {
|
||||
UUID string
|
||||
CookieDomain string
|
||||
SessionCookieName string
|
||||
ScopeCookieName string
|
||||
CSRFCookieName string
|
||||
RedirectCookieName string
|
||||
OAuthSessionCookieName string
|
||||
LocalUsers []LocalUser
|
||||
OAuthProviders map[string]OAuthServiceConfig
|
||||
|
||||
@@ -3,7 +3,6 @@ package service
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"crypto/hmac"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha256"
|
||||
@@ -23,7 +22,6 @@ import (
|
||||
|
||||
"github.com/go-jose/go-jose/v4"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/uuid"
|
||||
"github.com/steveiliop56/ding"
|
||||
"github.com/tinyauthapp/tinyauth/internal/model"
|
||||
"github.com/tinyauthapp/tinyauth/internal/repository"
|
||||
@@ -307,9 +305,6 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
|
||||
|
||||
for id, client := range i.Config.OIDC.Clients {
|
||||
client.ID = id
|
||||
if err := uuid.Validate(client.ClientID); err != nil {
|
||||
return nil, fmt.Errorf("invalid client id: %w", err)
|
||||
}
|
||||
if client.Name == "" {
|
||||
client.Name = utils.Capitalize(client.ID)
|
||||
}
|
||||
@@ -323,9 +318,6 @@ func NewOIDCService(i OIDCServiceInput) (*OIDCService, error) {
|
||||
client.ClientSecret = secret
|
||||
}
|
||||
client.ClientSecretFile = ""
|
||||
if len(client.ClientSecret) < 32 {
|
||||
return nil, fmt.Errorf("client secret for client %s is too short, must be >= 32 chars", client.ClientID)
|
||||
}
|
||||
clients[id] = client
|
||||
i.Log.App.Debug().Str("clientId", client.ClientID).Msg("Loaded OIDC client configuration")
|
||||
}
|
||||
@@ -977,21 +969,3 @@ func (service *OIDCService) GetPrompt(prompt string) []OIDCPrompt {
|
||||
|
||||
return parsedPromps
|
||||
}
|
||||
|
||||
func (service *OIDCService) CreateSignedValue(key string, data []byte) string {
|
||||
// create the signature
|
||||
h := hmac.New(sha256.New, []byte(key))
|
||||
h.Write(data)
|
||||
sig := base64.URLEncoding.EncodeToString(h.Sum(nil))
|
||||
|
||||
// hash the data
|
||||
hasher := sha256.New()
|
||||
hasher.Write(data)
|
||||
hash := base64.URLEncoding.EncodeToString(hasher.Sum(nil))
|
||||
|
||||
return fmt.Sprintf("%s.%s", hash, sig)
|
||||
}
|
||||
|
||||
func (service *OIDCService) VerifySignedValue(key string, data []byte, signedValue string) bool {
|
||||
return service.CreateSignedValue(key, data) == signedValue
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user