Add SSOauth middleware

2025-04-19 19:59:13 +03:00 · 2024-10-02 09:33:28 +02:00 · 2024-10-02 09:33:28 +02:00 · b593512946
commit b593512946
parent 5587440b58
2 changed files with 85 additions and 1 deletions
--- a/handler/session.go
+++ b/handler/session.go
@ -8,7 +8,11 @@ import (
 	"github.com/gorilla/sessions"
 	"github.com/labstack/echo-contrib/session"
 	"github.com/labstack/echo/v4"
+	"github.com/labstack/gommon/log"
+	"github.com/ngoduykhanh/wireguard-ui/model"
+	"github.com/ngoduykhanh/wireguard-ui/store/jsondb"
 	"github.com/ngoduykhanh/wireguard-ui/util"
+	"github.com/rs/xid"
 )

 func ValidSession(next echo.HandlerFunc) echo.HandlerFunc {
@ -43,6 +47,86 @@ func NeedsAdmin(next echo.HandlerFunc) echo.HandlerFunc {
 	}
 }

+// SSOauth uses external authentication (usually by reverseproxy) in the form of HTTP header REMOTE_USER
+func SSOauth(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		if !util.RemoteUser {
+			return next(c)
+		}
+		if !isValidSession(c) {
+			remoteUser := c.Request().Header.Get("REMOTE_USER")
+			if remoteUser == "" {
+				// TODO: Better error handling
+				log.Infof("No REMOTE_USER in reqest. Bailing out.")
+				return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/")
+			}
+			log.Debugf("No valid session for REMOTE_USER: %s", remoteUser)
+
+			db := c.Get("db").(*jsondb.JsonDB)
+			dbuser, err := db.GetUserByName(remoteUser)
+			if err != nil {
+				log.Infof("User %s not in database, creating user", remoteUser)
+				newUser := model.User{
+					Username: remoteUser,
+					Admin:    false,
+				}
+				err = db.SaveUser(newUser)
+				if err != nil {
+					// TODO: Better error handling
+					return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/")
+				}
+				// Update dbuser from database
+				dbuser, err = db.GetUserByName(remoteUser)
+				if err != nil {
+					// TODO: Better error handling
+					return c.Redirect(http.StatusTemporaryRedirect, util.BasePath+"/")
+				}
+
+			} else {
+				log.Debugf("Got user from db: %s", dbuser.Username)
+			}
+
+			// Set session for REMOTE_USER
+			ageMax := 0
+
+			cookiePath := util.GetCookiePath()
+
+			sess, _ := session.Get("session", c)
+			sess.Options = &sessions.Options{
+				Path:     cookiePath,
+				MaxAge:   ageMax,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			}
+
+			// set session_token
+			tokenUID := xid.New().String()
+			now := time.Now().UTC().Unix()
+			sess.Values["username"] = dbuser.Username
+			sess.Values["user_hash"] = util.GetDBUserCRC32(dbuser)
+			sess.Values["admin"] = dbuser.Admin
+			sess.Values["session_token"] = tokenUID
+			sess.Values["max_age"] = ageMax
+			sess.Values["created_at"] = now
+			sess.Values["updated_at"] = now
+			sess.Save(c.Request(), c.Response())
+
+			// set session_token in cookie
+			cookie := new(http.Cookie)
+			cookie.Name = "session_token"
+			cookie.Path = cookiePath
+			cookie.Value = tokenUID
+			cookie.MaxAge = ageMax
+			cookie.HttpOnly = true
+			cookie.SameSite = http.SameSiteLaxMode
+			c.SetCookie(cookie)
+
+			return c.Redirect(http.StatusTemporaryRedirect, util.BasePath)
+		}
+		return next(c)
+	}
+}
+
 func isValidSession(c echo.Context) bool {
 	if util.DisableLogin {
 		return true
--- a/main.go
+++ b/main.go
@ -212,7 +212,7 @@ func main() {
 	// register routes
 	app := router.New(tmplDir, extraData, util.SessionSecret, db)

-	app.GET(util.BasePath, handler.WireGuardClients(db), handler.ValidSession, handler.RefreshSession)
+	app.GET(util.BasePath, handler.WireGuardClients(db), handler.SSOauth, handler.ValidSession, handler.RefreshSession)

 	// Important: Make sure that all non-GET routes check the request content type using handler.ContentTypeJson to
 	// mitigate CSRF attacks. This is effective, because browsers don't allow setting the Content-Type header on