mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-10-28 04:35:40 +00:00
635 lines
15 KiB
Go
635 lines
15 KiB
Go
package handlers
|
|
|
|
import (
|
|
"fmt"
|
|
"math/rand/v2"
|
|
"net/http"
|
|
"strings"
|
|
"tinyauth/internal/auth"
|
|
"tinyauth/internal/hooks"
|
|
"tinyauth/internal/providers"
|
|
"tinyauth/internal/types"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/google/go-querystring/query"
|
|
"github.com/pquerna/otp/totp"
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
func NewHandlers(config types.HandlersConfig, auth *auth.Auth, hooks *hooks.Hooks, providers *providers.Providers) *Handlers {
|
|
return &Handlers{
|
|
Config: config,
|
|
Auth: auth,
|
|
Hooks: hooks,
|
|
Providers: providers,
|
|
}
|
|
}
|
|
|
|
type Handlers struct {
|
|
Config types.HandlersConfig
|
|
Auth *auth.Auth
|
|
Hooks *hooks.Hooks
|
|
Providers *providers.Providers
|
|
}
|
|
|
|
func (h *Handlers) AuthHandler(c *gin.Context) {
|
|
// Create struct for proxy
|
|
var proxy types.Proxy
|
|
|
|
// Bind URI
|
|
err := c.BindUri(&proxy)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to bind URI")
|
|
c.JSON(400, gin.H{
|
|
"status": 400,
|
|
"message": "Bad Request",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Check if the request is coming from a browser (tools like curl/bruno use */* and they don't include the text/html)
|
|
isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
|
|
|
|
if isBrowser {
|
|
log.Debug().Msg("Request is most likely coming from a browser")
|
|
} else {
|
|
log.Debug().Msg("Request is most likely not coming from a browser")
|
|
}
|
|
|
|
log.Debug().Interface("proxy", proxy.Proxy).Msg("Got proxy")
|
|
|
|
// Check if auth is enabled
|
|
authEnabled, err := h.Auth.AuthEnabled(c)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to check if auth is enabled")
|
|
|
|
if proxy.Proxy == "nginx" || !isBrowser {
|
|
c.JSON(500, gin.H{
|
|
"status": 500,
|
|
"message": "Internal Server Error",
|
|
})
|
|
return
|
|
}
|
|
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// If auth is not enabled, return 200
|
|
if !authEnabled {
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Authenticated",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Get user context
|
|
userContext := h.Hooks.UseUserContext(c)
|
|
|
|
// Get headers
|
|
uri := c.Request.Header.Get("X-Forwarded-Uri")
|
|
proto := c.Request.Header.Get("X-Forwarded-Proto")
|
|
host := c.Request.Header.Get("X-Forwarded-Host")
|
|
|
|
// Check if user is logged in
|
|
if userContext.IsLoggedIn {
|
|
log.Debug().Msg("Authenticated")
|
|
|
|
// Check if user is allowed to access subdomain, if request is nginx.example.com the subdomain (resource) is nginx
|
|
appAllowed, err := h.Auth.ResourceAllowed(c, userContext)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to check if app is allowed")
|
|
|
|
if proxy.Proxy == "nginx" || !isBrowser {
|
|
c.JSON(500, gin.H{
|
|
"status": 500,
|
|
"message": "Internal Server Error",
|
|
})
|
|
return
|
|
}
|
|
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
log.Debug().Bool("appAllowed", appAllowed).Msg("Checking if app is allowed")
|
|
|
|
// The user is not allowed to access the app
|
|
if !appAllowed {
|
|
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
|
|
|
|
// Set WWW-Authenticate header
|
|
c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
|
|
|
|
if proxy.Proxy == "nginx" || !isBrowser {
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Build query
|
|
queries, err := query.Values(types.UnauthorizedQuery{
|
|
Username: userContext.Username,
|
|
Resource: strings.Split(host, ".")[0],
|
|
})
|
|
|
|
// Handle error (no need to check for nginx/headers since we are sure we are using caddy/traefik)
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to build query")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// We are using caddy/traefik so redirect
|
|
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
|
|
return
|
|
}
|
|
|
|
// Set the user header
|
|
c.Header("Remote-User", userContext.Username)
|
|
|
|
// The user is allowed to access the app
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Authenticated",
|
|
})
|
|
return
|
|
}
|
|
|
|
// The user is not logged in
|
|
log.Debug().Msg("Unauthorized")
|
|
|
|
// Set www-authenticate header
|
|
c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
|
|
|
|
if proxy.Proxy == "nginx" || !isBrowser {
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
queries, err := query.Values(types.LoginQuery{
|
|
RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
|
|
})
|
|
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to build query")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
log.Debug().Interface("redirect_uri", fmt.Sprintf("%s://%s%s", proto, host, uri)).Msg("Redirecting to login")
|
|
|
|
// Redirect to login
|
|
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/?%s", h.Config.AppURL, queries.Encode()))
|
|
}
|
|
|
|
func (h *Handlers) LoginHandler(c *gin.Context) {
|
|
// Create login struct
|
|
var login types.LoginRequest
|
|
|
|
// Bind JSON
|
|
err := c.BindJSON(&login)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to bind JSON")
|
|
c.JSON(400, gin.H{
|
|
"status": 400,
|
|
"message": "Bad Request",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Got login request")
|
|
|
|
// Get user based on username
|
|
user := h.Auth.GetUser(login.Username)
|
|
|
|
// User does not exist
|
|
if user == nil {
|
|
log.Debug().Str("username", login.Username).Msg("User not found")
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Got user")
|
|
|
|
// Check if password is correct
|
|
if !h.Auth.CheckPassword(*user, login.Password) {
|
|
log.Debug().Str("username", login.Username).Msg("Password incorrect")
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Password correct, checking totp")
|
|
|
|
// Check if user has totp enabled
|
|
if user.TotpSecret != "" {
|
|
log.Debug().Msg("Totp enabled")
|
|
|
|
// Set totp pending cookie
|
|
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
|
Username: login.Username,
|
|
Provider: "username",
|
|
TotpPending: true,
|
|
})
|
|
|
|
// Return totp required
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Waiting for totp",
|
|
"totpPending": true,
|
|
})
|
|
|
|
// Stop further processing
|
|
return
|
|
}
|
|
|
|
// Create session cookie with username as provider
|
|
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
|
Username: login.Username,
|
|
Provider: "username",
|
|
})
|
|
|
|
// Return logged in
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Logged in",
|
|
"totpPending": false,
|
|
})
|
|
}
|
|
|
|
func (h *Handlers) TotpHandler(c *gin.Context) {
|
|
// Create totp struct
|
|
var totpReq types.TotpRequest
|
|
|
|
// Bind JSON
|
|
err := c.BindJSON(&totpReq)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to bind JSON")
|
|
c.JSON(400, gin.H{
|
|
"status": 400,
|
|
"message": "Bad Request",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Checking totp")
|
|
|
|
// Get user context
|
|
userContext := h.Hooks.UseUserContext(c)
|
|
|
|
// Check if we have a user
|
|
if userContext.Username == "" {
|
|
log.Debug().Msg("No user context")
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Get user
|
|
user := h.Auth.GetUser(userContext.Username)
|
|
|
|
// Check if user exists
|
|
if user == nil {
|
|
log.Debug().Msg("User not found")
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Check if totp is correct
|
|
totpOk := totp.Validate(totpReq.Code, user.TotpSecret)
|
|
|
|
// TOTP is incorrect
|
|
if !totpOk {
|
|
log.Debug().Msg("Totp incorrect")
|
|
c.JSON(401, gin.H{
|
|
"status": 401,
|
|
"message": "Unauthorized",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Totp correct")
|
|
|
|
// Create session cookie with username as provider
|
|
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
|
Username: user.Username,
|
|
Provider: "username",
|
|
})
|
|
|
|
// Return logged in
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Logged in",
|
|
})
|
|
}
|
|
|
|
func (h *Handlers) LogoutHandler(c *gin.Context) {
|
|
log.Debug().Msg("Logging out")
|
|
|
|
// Delete session cookie
|
|
h.Auth.DeleteSessionCookie(c)
|
|
|
|
log.Debug().Msg("Cleaning up redirect cookie")
|
|
|
|
// Clean up redirect cookie if it exists
|
|
c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
|
|
|
|
// Return logged out
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "Logged out",
|
|
})
|
|
}
|
|
|
|
func (h *Handlers) AppHandler(c *gin.Context) {
|
|
log.Debug().Msg("Getting app context")
|
|
|
|
// Get configured providers
|
|
configuredProviders := h.Providers.GetConfiguredProviders()
|
|
|
|
// We have username/password configured so add it to our providers
|
|
if h.Auth.UserAuthConfigured() {
|
|
configuredProviders = append(configuredProviders, "username")
|
|
}
|
|
|
|
// Create app context struct
|
|
appContext := types.AppContext{
|
|
Status: 200,
|
|
Message: "OK",
|
|
ConfiguredProviders: configuredProviders,
|
|
DisableContinue: h.Config.DisableContinue,
|
|
Title: h.Config.Title,
|
|
GenericName: h.Config.GenericName,
|
|
}
|
|
|
|
// Return app context
|
|
c.JSON(200, appContext)
|
|
}
|
|
|
|
func (h *Handlers) UserHandler(c *gin.Context) {
|
|
log.Debug().Msg("Getting user context")
|
|
|
|
// Get user context
|
|
userContext := h.Hooks.UseUserContext(c)
|
|
|
|
// Create user context response
|
|
userContextResponse := types.UserContextResponse{
|
|
Status: 200,
|
|
IsLoggedIn: userContext.IsLoggedIn,
|
|
Username: userContext.Username,
|
|
Provider: userContext.Provider,
|
|
Oauth: userContext.OAuth,
|
|
TotpPending: userContext.TotpPending,
|
|
}
|
|
|
|
// If we are not logged in we set the status to 401 and add the WWW-Authenticate header else we set it to 200
|
|
if !userContext.IsLoggedIn {
|
|
log.Debug().Msg("Unauthorized")
|
|
c.Header("WWW-Authenticate", "Basic realm=\"tinyauth\"")
|
|
userContextResponse.Message = "Unauthorized"
|
|
} else {
|
|
log.Debug().Interface("userContext", userContext).Msg("Authenticated")
|
|
userContextResponse.Message = "Authenticated"
|
|
}
|
|
|
|
// Return user context
|
|
c.JSON(200, userContextResponse)
|
|
}
|
|
|
|
func (h *Handlers) OauthUrlHandler(c *gin.Context) {
|
|
// Create struct for OAuth request
|
|
var request types.OAuthRequest
|
|
|
|
// Bind URI
|
|
err := c.BindUri(&request)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to bind URI")
|
|
c.JSON(400, gin.H{
|
|
"status": 400,
|
|
"message": "Bad Request",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Got OAuth request")
|
|
|
|
// Check if provider exists
|
|
provider := h.Providers.GetProvider(request.Provider)
|
|
|
|
// Provider does not exist
|
|
if provider == nil {
|
|
c.JSON(404, gin.H{
|
|
"status": 404,
|
|
"message": "Not Found",
|
|
})
|
|
return
|
|
}
|
|
|
|
log.Debug().Str("provider", request.Provider).Msg("Got provider")
|
|
|
|
// Get auth URL
|
|
authURL := provider.GetAuthURL()
|
|
|
|
log.Debug().Msg("Got auth URL")
|
|
|
|
// Get redirect URI
|
|
redirectURI := c.Query("redirect_uri")
|
|
|
|
// Set redirect cookie if redirect URI is provided
|
|
if redirectURI != "" {
|
|
log.Debug().Str("redirectURI", redirectURI).Msg("Setting redirect cookie")
|
|
c.SetCookie("tinyauth_redirect_uri", redirectURI, 3600, "/", h.Config.Domain, h.Config.CookieSecure, true)
|
|
}
|
|
|
|
// Tailscale does not have an auth url so we create a random code (does not need to be secure) to avoid caching and send it
|
|
if request.Provider == "tailscale" {
|
|
// Build tailscale query
|
|
tailscaleQuery, err := query.Values(types.TailscaleQuery{
|
|
Code: (1000 + rand.IntN(9000)),
|
|
})
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to build query")
|
|
c.JSON(500, gin.H{
|
|
"status": 500,
|
|
"message": "Internal Server Error",
|
|
})
|
|
return
|
|
}
|
|
|
|
// Return tailscale URL (immidiately redirects to the callback)
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "OK",
|
|
"url": fmt.Sprintf("%s/api/oauth/callback/tailscale?%s", h.Config.AppURL, tailscaleQuery.Encode()),
|
|
})
|
|
return
|
|
}
|
|
|
|
// Return auth URL
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "OK",
|
|
"url": authURL,
|
|
})
|
|
}
|
|
|
|
func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
|
|
// Create struct for OAuth request
|
|
var providerName types.OAuthRequest
|
|
|
|
// Bind URI
|
|
err := c.BindUri(&providerName)
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Failed to bind URI")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
log.Debug().Interface("provider", providerName.Provider).Msg("Got provider name")
|
|
|
|
// Get code
|
|
code := c.Query("code")
|
|
|
|
// Code empty so redirect to error
|
|
if code == "" {
|
|
log.Error().Msg("No code provided")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
log.Debug().Msg("Got code")
|
|
|
|
// Get provider
|
|
provider := h.Providers.GetProvider(providerName.Provider)
|
|
|
|
log.Debug().Str("provider", providerName.Provider).Msg("Got provider")
|
|
|
|
// Provider does not exist
|
|
if provider == nil {
|
|
c.Redirect(http.StatusPermanentRedirect, "/not-found")
|
|
return
|
|
}
|
|
|
|
// Exchange token (authenticates user)
|
|
_, err = provider.ExchangeToken(code)
|
|
|
|
log.Debug().Msg("Got token")
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Msg("Failed to exchange token")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// Get email
|
|
email, err := h.Providers.GetUser(providerName.Provider)
|
|
|
|
log.Debug().Str("email", email).Msg("Got email")
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Msg("Failed to get email")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// Email is not whitelisted
|
|
if !h.Auth.EmailWhitelisted(email) {
|
|
log.Warn().Str("email", email).Msg("Email not whitelisted")
|
|
|
|
// Build query
|
|
unauthorizedQuery, err := query.Values(types.UnauthorizedQuery{
|
|
Username: email,
|
|
})
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Msg("Failed to build query")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// Redirect to unauthorized
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, unauthorizedQuery.Encode()))
|
|
}
|
|
|
|
log.Debug().Msg("Email whitelisted")
|
|
|
|
// Create session cookie
|
|
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
|
Username: email,
|
|
Provider: providerName.Provider,
|
|
})
|
|
|
|
// Get redirect URI
|
|
redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
|
|
|
|
// If it is empty it means that no redirect_uri was provided to the login screen so we just log in
|
|
if redirectURIErr != nil {
|
|
c.Redirect(http.StatusPermanentRedirect, h.Config.AppURL)
|
|
}
|
|
|
|
log.Debug().Str("redirectURI", redirectURI).Msg("Got redirect URI")
|
|
|
|
// Clean up redirect cookie since we already have the value
|
|
c.SetCookie("tinyauth_redirect_uri", "", -1, "/", h.Config.Domain, h.Config.CookieSecure, true)
|
|
|
|
// Build query
|
|
redirectQuery, err := query.Values(types.LoginQuery{
|
|
RedirectURI: redirectURI,
|
|
})
|
|
|
|
log.Debug().Msg("Got redirect query")
|
|
|
|
// Handle error
|
|
if err != nil {
|
|
log.Error().Msg("Failed to build query")
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
|
return
|
|
}
|
|
|
|
// Redirect to continue with the redirect URI
|
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/continue?%s", h.Config.AppURL, redirectQuery.Encode()))
|
|
}
|
|
|
|
func (h *Handlers) HealthcheckHandler(c *gin.Context) {
|
|
c.JSON(200, gin.H{
|
|
"status": 200,
|
|
"message": "OK",
|
|
})
|
|
}
|