Feat/OIDC middleware (#50)

* implement OIDC middleware * auth code cleanup * allow override allowed_user in middleware, fix typos * fix tests and callbackURL * update next release docs * fix OIDC middleware not working with Authentik * feat: add groups support for OIDC claims (#41) Allow users to specify allowed groups in the env and use it to inspect the claims. This performs a logical AND of users and groups (additive). * merge feat/oidc-middleware (#49) * api: enrich provider statistifcs * fix: docker monitor now uses container status * Feat/auto schemas (#48) * use auto generated schemas * go version bump and dependencies upgrade * clarify some error messages --------- Co-authored-by: yusing <yusing@6uo.me> * cleanup some loadbalancer code * api: cleanup websocket code * api: add /v1/health/ws for health bubbles on dashboard * feat: experimental memory logger and logs api for WebUI --------- Co-authored-by: yusing <yusing@6uo.me> --------- Co-authored-by: yusing <yusing@6uo.me> Co-authored-by: Peter Olds <peter@olds.co>
2026-04-23 00:38:33 +02:00 · 2025-01-19 13:48:52 +08:00
parent 0fad7b3411
commit fb0dc7dea0
26 changed files with 1168 additions and 368 deletions
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -1,139 +1,54 @@
 package auth

 import (
-	"fmt"
 	"net/http"
-	"time"

-	"github.com/golang-jwt/jwt/v5"
 	U "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
-	E "github.com/yusing/go-proxy/internal/error"
-	"github.com/yusing/go-proxy/internal/utils/strutils"
+	"github.com/yusing/go-proxy/internal/logging"
 )

-type (
-	Credentials struct {
-		Username string `json:"username"`
-		Password string `json:"password"`
-	}
-	Claims struct {
-		Username string `json:"username"`
-		jwt.RegisteredClaims
-	}
-)
+var defaultAuth Provider

 // Initialize sets up authentication providers.
 func Initialize() error {
+	if !IsEnabled() {
+		logging.Warn().Msg("authentication is disabled, please set API_JWT_SECRET or OIDC_* to enable authentication")
+		return nil
+	}
+
+	var err error
 	// Initialize OIDC if configured.
 	if common.OIDCIssuerURL != "" {
-		return InitOIDC(
-			common.OIDCIssuerURL,
-			common.OIDCClientID,
-			common.OIDCClientSecret,
-			common.OIDCRedirectURL,
-		)
+		defaultAuth, err = NewOIDCProviderFromEnv()
+	} else {
+		defaultAuth, err = NewUserPassAuthFromEnv()
 	}
-	return nil
+
+	return err
+}
+
+func GetDefaultAuth() Provider {
+	return defaultAuth
 }

 func IsEnabled() bool {
-	return common.APIJWTSecret != nil || common.OIDCIssuerURL != ""
+	return common.APIJWTSecret != nil || IsOIDCEnabled()
 }

-// AuthRedirectHandler handles redirect to login page or OIDC login base on configuration.
-func AuthRedirectHandler(w http.ResponseWriter, r *http.Request) {
-	switch {
-	case oauthConfig != nil:
-		RedirectOIDC(w, r)
-		return
-	case common.APIJWTSecret != nil:
-		http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
-		return
-	default:
-		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
-	}
-}
-
-func setAuthenticatedCookie(w http.ResponseWriter, username string) error {
-	expiresAt := time.Now().Add(common.APIJWTTokenTTL)
-	claim := &Claims{
-		Username: username,
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(expiresAt),
-		},
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodHS512, claim)
-	tokenStr, err := token.SignedString(common.APIJWTSecret)
-	if err != nil {
-		return err
-	}
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieToken,
-		Value:    tokenStr,
-		Expires:  expiresAt,
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteStrictMode,
-		Path:     "/",
-	})
-	return nil
-}
-
-// LogoutHandler clear authentication cookie and redirect to login page.
-func LogoutHandler(w http.ResponseWriter, r *http.Request) {
-	http.SetCookie(w, &http.Cookie{
-		Name:     CookieToken,
-		Value:    "",
-		Expires:  time.Unix(0, 0),
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteStrictMode,
-		Path:     "/",
-	})
-	AuthRedirectHandler(w, r)
+func IsOIDCEnabled() bool {
+	return common.OIDCIssuerURL != ""
 }

 func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
 	if IsEnabled() {
 		return func(w http.ResponseWriter, r *http.Request) {
-			if checkToken(w, r) {
+			if err := defaultAuth.CheckToken(r); err != nil {
+				U.RespondError(w, err, http.StatusUnauthorized)
+			} else {
 				next(w, r)
 			}
 		}
 	}
 	return next
 }
-
-func checkToken(w http.ResponseWriter, r *http.Request) (ok bool) {
-	tokenCookie, err := r.Cookie(CookieToken)
-	if err != nil {
-		U.RespondError(w, E.New("missing token"), http.StatusUnauthorized)
-		return false
-	}
-	var claims Claims
-	token, err := jwt.ParseWithClaims(tokenCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
-		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
-		}
-		return common.APIJWTSecret, nil
-	})
-
-	switch {
-	case err != nil:
-		break
-	case !token.Valid:
-		err = E.New("invalid token")
-	case claims.Username != common.APIUser:
-		err = E.New("username mismatch").Subject(claims.Username)
-	case claims.ExpiresAt.Before(time.Now()):
-		err = E.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
-	}
-
-	if err != nil {
-		U.RespondError(w, err, http.StatusForbidden)
-		return false
-	}
-
-	return true
-}