mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-10-30 21:55:43 +00:00
Compare commits
2 Commits
v3.6.2-bet
...
v3.6.2-bet
| Author | SHA1 | Date | |
|---|---|---|---|
|
5854d973ea | ||
|
|
f25ab72747 |
@@ -12,6 +12,7 @@ import {
|
||||
} from "../ui/form";
|
||||
import { Button } from "../ui/button";
|
||||
import { loginSchema, LoginSchema } from "@/schemas/login-schema";
|
||||
import z from "zod";
|
||||
|
||||
interface Props {
|
||||
onSubmit: (data: LoginSchema) => void;
|
||||
@@ -22,6 +23,11 @@ export const LoginForm = (props: Props) => {
|
||||
const { onSubmit, loading } = props;
|
||||
const { t } = useTranslation();
|
||||
|
||||
z.config({
|
||||
customError: (iss) =>
|
||||
iss.input === undefined ? t("fieldRequired") : t("invalidInput"),
|
||||
});
|
||||
|
||||
const form = useForm<LoginSchema>({
|
||||
resolver: zodResolver(loginSchema),
|
||||
});
|
||||
|
||||
@@ -8,6 +8,8 @@ import {
|
||||
import { zodResolver } from "@hookform/resolvers/zod";
|
||||
import { useForm } from "react-hook-form";
|
||||
import { totpSchema, TotpSchema } from "@/schemas/totp-schema";
|
||||
import { useTranslation } from "react-i18next";
|
||||
import z from "zod";
|
||||
|
||||
interface Props {
|
||||
formId: string;
|
||||
@@ -17,6 +19,12 @@ interface Props {
|
||||
|
||||
export const TotpForm = (props: Props) => {
|
||||
const { formId, onSubmit, loading } = props;
|
||||
const { t } = useTranslation();
|
||||
|
||||
z.config({
|
||||
customError: (iss) =>
|
||||
iss.input === undefined ? t("fieldRequired") : t("invalidInput"),
|
||||
});
|
||||
|
||||
const form = useForm<TotpSchema>({
|
||||
resolver: zodResolver(totpSchema),
|
||||
|
||||
@@ -51,5 +51,7 @@
|
||||
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
|
||||
"errorTitle": "An error occurred",
|
||||
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
|
||||
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable."
|
||||
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
|
||||
"fieldRequired": "This field is required",
|
||||
"invalidInput": "Invalid input"
|
||||
}
|
||||
@@ -51,5 +51,7 @@
|
||||
"failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
|
||||
"errorTitle": "An error occurred",
|
||||
"errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
|
||||
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable."
|
||||
"forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
|
||||
"fieldRequired": "This field is required",
|
||||
"invalidInput": "Invalid input"
|
||||
}
|
||||
@@ -50,7 +50,7 @@ func (auth *Auth) GetSession(c *gin.Context) (*sessions.Session, error) {
|
||||
|
||||
// If there was an error getting the session, it might be invalid so let's clear it and retry
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Msg("Invalid session, clearing cookie and retrying")
|
||||
log.Error().Err(err).Msg("Invalid session, clearing cookie and retrying")
|
||||
c.SetCookie(auth.Config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.CookieSecure, true)
|
||||
session, err = auth.Store.Get(c.Request, auth.Config.SessionCookieName)
|
||||
if err != nil {
|
||||
@@ -79,7 +79,7 @@ func (auth *Auth) SearchUser(username string) types.UserSearch {
|
||||
log.Debug().Str("username", username).Msg("Checking LDAP for user")
|
||||
userDN, err := auth.LDAP.Search(username)
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Str("username", username).Msg("Failed to find user in LDAP")
|
||||
log.Error().Err(err).Str("username", username).Msg("Failed to find user in LDAP")
|
||||
return types.UserSearch{}
|
||||
}
|
||||
return types.UserSearch{
|
||||
@@ -107,7 +107,7 @@ func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
|
||||
|
||||
err := auth.LDAP.Bind(search.Username, password)
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
|
||||
log.Error().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -372,7 +372,7 @@ func (auth *Auth) AuthEnabled(uri string, labels types.Labels) (bool, error) {
|
||||
|
||||
// If there is an error, invalid regex, auth enabled
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Msg("Invalid regex")
|
||||
log.Error().Err(err).Msg("Invalid regex")
|
||||
return true, err
|
||||
}
|
||||
|
||||
@@ -401,7 +401,7 @@ func (auth *Auth) CheckIP(labels types.Labels, ip string) bool {
|
||||
for _, blocked := range labels.IP.Block {
|
||||
res, err := utils.FilterIP(blocked, ip)
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
|
||||
log.Error().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
|
||||
continue
|
||||
}
|
||||
if res {
|
||||
@@ -414,7 +414,7 @@ func (auth *Auth) CheckIP(labels types.Labels, ip string) bool {
|
||||
for _, allowed := range labels.IP.Allow {
|
||||
res, err := utils.FilterIP(allowed, ip)
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
|
||||
log.Error().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
|
||||
continue
|
||||
}
|
||||
if res {
|
||||
@@ -438,7 +438,7 @@ func (auth *Auth) BypassedIP(labels types.Labels, ip string) bool {
|
||||
for _, bypassed := range labels.IP.Bypass {
|
||||
res, err := utils.FilterIP(bypassed, ip)
|
||||
if err != nil {
|
||||
log.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
|
||||
log.Error().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
|
||||
continue
|
||||
}
|
||||
if res {
|
||||
|
||||
@@ -4,6 +4,7 @@ import (
|
||||
"fmt"
|
||||
"strings"
|
||||
"tinyauth/internal/auth"
|
||||
"tinyauth/internal/oauth"
|
||||
"tinyauth/internal/providers"
|
||||
"tinyauth/internal/types"
|
||||
"tinyauth/internal/utils"
|
||||
@@ -27,28 +28,92 @@ func NewHooks(config types.HooksConfig, auth *auth.Auth, providers *providers.Pr
|
||||
}
|
||||
|
||||
func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
|
||||
// Get session cookie and basic auth
|
||||
cookie, err := hooks.Auth.GetSessionCookie(c)
|
||||
var provider *oauth.OAuth
|
||||
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("Failed to get session cookie")
|
||||
goto basic
|
||||
}
|
||||
|
||||
if cookie.TotpPending {
|
||||
log.Debug().Msg("Totp pending")
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
Provider: cookie.Provider,
|
||||
TotpPending: true,
|
||||
}
|
||||
}
|
||||
|
||||
if cookie.Provider == "username" {
|
||||
log.Debug().Msg("Provider is username")
|
||||
|
||||
userSearch := hooks.Auth.SearchUser(cookie.Username)
|
||||
|
||||
if userSearch.Type == "unknown" {
|
||||
log.Warn().Str("username", cookie.Username).Msg("User does not exist")
|
||||
goto basic
|
||||
}
|
||||
|
||||
log.Debug().Str("type", userSearch.Type).Msg("User exists")
|
||||
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
IsLoggedIn: true,
|
||||
Provider: "username",
|
||||
}
|
||||
}
|
||||
|
||||
log.Debug().Msg("Provider is not username")
|
||||
|
||||
provider = hooks.Providers.GetProvider(cookie.Provider)
|
||||
|
||||
if provider != nil {
|
||||
log.Debug().Msg("Provider exists")
|
||||
|
||||
if !hooks.Auth.EmailWhitelisted(cookie.Email) {
|
||||
log.Warn().Str("email", cookie.Email).Msg("Email is not whitelisted")
|
||||
hooks.Auth.DeleteSessionCookie(c)
|
||||
goto basic
|
||||
}
|
||||
|
||||
log.Debug().Msg("Email is whitelisted")
|
||||
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
IsLoggedIn: true,
|
||||
OAuth: true,
|
||||
Provider: cookie.Provider,
|
||||
OAuthGroups: cookie.OAuthGroups,
|
||||
}
|
||||
}
|
||||
|
||||
basic:
|
||||
log.Debug().Msg("Trying basic auth")
|
||||
|
||||
basic := hooks.Auth.GetBasicAuth(c)
|
||||
|
||||
// Check if basic auth is set
|
||||
if basic != nil {
|
||||
log.Debug().Msg("Got basic auth")
|
||||
|
||||
userSearch := hooks.Auth.SearchUser(basic.Username)
|
||||
|
||||
if userSearch.Type == "unkown" {
|
||||
log.Warn().Str("username", basic.Username).Msg("Basic auth user does not exist, skipping")
|
||||
goto session
|
||||
log.Error().Str("username", basic.Username).Msg("Basic auth user does not exist")
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
// Verify the user
|
||||
if !hooks.Auth.VerifyUser(userSearch, basic.Password) {
|
||||
log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect, skipping")
|
||||
goto session
|
||||
log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect")
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
// Get the user type
|
||||
if userSearch.Type == "ldap" {
|
||||
log.Debug().Msg("User is LDAP")
|
||||
|
||||
@@ -75,74 +140,5 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
|
||||
|
||||
}
|
||||
|
||||
session:
|
||||
// Check cookie error after basic auth
|
||||
if err != nil {
|
||||
log.Error().Err(err).Msg("Failed to get session cookie")
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
if cookie.TotpPending {
|
||||
log.Debug().Msg("Totp pending")
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
Provider: cookie.Provider,
|
||||
TotpPending: true,
|
||||
}
|
||||
}
|
||||
|
||||
// Check if session cookie is username/password auth
|
||||
if cookie.Provider == "username" {
|
||||
log.Debug().Msg("Provider is username")
|
||||
|
||||
userSearch := hooks.Auth.SearchUser(cookie.Username)
|
||||
|
||||
if userSearch.Type == "unknown" {
|
||||
log.Error().Str("username", cookie.Username).Msg("User does not exist")
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
log.Debug().Str("type", userSearch.Type).Msg("User exists")
|
||||
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
IsLoggedIn: true,
|
||||
Provider: "username",
|
||||
}
|
||||
}
|
||||
|
||||
log.Debug().Msg("Provider is not username")
|
||||
|
||||
// The provider is not username so we need to check if it is an oauth provider
|
||||
provider := hooks.Providers.GetProvider(cookie.Provider)
|
||||
|
||||
// If we have a provider with this name
|
||||
if provider != nil {
|
||||
log.Debug().Msg("Provider exists")
|
||||
|
||||
// If the email is not whitelisted we delete the cookie and return an empty context
|
||||
if !hooks.Auth.EmailWhitelisted(cookie.Email) {
|
||||
log.Error().Str("email", cookie.Email).Msg("Email is not whitelisted")
|
||||
hooks.Auth.DeleteSessionCookie(c)
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
log.Debug().Msg("Email is whitelisted")
|
||||
|
||||
return types.UserContext{
|
||||
Username: cookie.Username,
|
||||
Name: cookie.Name,
|
||||
Email: cookie.Email,
|
||||
IsLoggedIn: true,
|
||||
OAuth: true,
|
||||
Provider: cookie.Provider,
|
||||
OAuthGroups: cookie.OAuthGroups,
|
||||
}
|
||||
}
|
||||
|
||||
return types.UserContext{}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user