mirror of
https://github.com/hay-kot/homebox.git
synced 2025-08-03 16:20:27 +00:00
proof of concept login mechanism using trusted SSO headers as described here:
https://www.authelia.com/integration/trusted-header-sso/introduction/
This commit is contained in:
verybadsoldier
parent
b497206573
commit
bb0af8ac11
3 changed files with 47 additions and 0 deletions
|
|
@ -123,6 +123,28 @@ func (ctrl *V1Controller) HandleSsoHeaderLogin() errchain.HandlerFunc {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (ctrl *V1Controller) HandleSsoHeaderLogin() server.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) error {
|
||||||
|
var username = r.Header.Get("Remote-Email")
|
||||||
|
|
||||||
|
if username == "" {
|
||||||
|
return validate.NewRequestError(errors.New("authentication failed. not SSO header found"), http.StatusInternalServerError)
|
||||||
|
}
|
||||||
|
|
||||||
|
newToken, err := ctrl.svc.User.LoginWithoutPassword(r.Context(), strings.ToLower(username))
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return validate.NewRequestError(errors.New("authentication failed"), http.StatusInternalServerError)
|
||||||
|
}
|
||||||
|
|
||||||
|
return server.Respond(w, http.StatusOK, TokenResponse{
|
||||||
|
Token: "Bearer " + newToken.Raw,
|
||||||
|
ExpiresAt: newToken.ExpiresAt,
|
||||||
|
AttachmentToken: newToken.AttachmentToken,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// HandleAuthLogout godoc
|
// HandleAuthLogout godoc
|
||||||
//
|
//
|
||||||
// @Summary User Logout
|
// @Summary User Logout
|
||||||
|
|
|
||||||
|
|
@ -204,6 +204,18 @@ func (svc *UserService) LoginWithoutPassword(ctx context.Context, username strin
|
||||||
return svc.createSessionToken(ctx, usr.ID, extendedSession)
|
return svc.createSessionToken(ctx, usr.ID, extendedSession)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (svc *UserService) LoginWithoutPassword(ctx context.Context, username string) (UserAuthTokenDetail, error) {
|
||||||
|
usr, err := svc.repos.Users.GetOneEmail(ctx, username)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
// SECURITY: Perform hash to ensure response times are the same
|
||||||
|
hasher.CheckPasswordHash("not-a-real-password", "not-a-real-password")
|
||||||
|
return UserAuthTokenDetail{}, ErrorInvalidLogin
|
||||||
|
}
|
||||||
|
|
||||||
|
return svc.createSessionToken(ctx, usr.ID)
|
||||||
|
}
|
||||||
|
|
||||||
func (svc *UserService) Logout(ctx context.Context, token string) error {
|
func (svc *UserService) Logout(ctx context.Context, token string) error {
|
||||||
hash := hasher.HashToken(token)
|
hash := hasher.HashToken(token)
|
||||||
err := svc.repos.AuthTokens.DeleteToken(ctx, hash)
|
err := svc.repos.AuthTokens.DeleteToken(ctx, hash)
|
||||||
|
|
|
||||||
|
|
@ -45,6 +45,19 @@
|
||||||
navigateTo("/home");
|
navigateTo("/home");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const { data, error } = await api.login_sso_header();
|
||||||
|
|
||||||
|
if (!error) {
|
||||||
|
// @ts-expect-error - expires is either a date or a string, need to figure out store typing
|
||||||
|
authStore.$patch({
|
||||||
|
token: data.token,
|
||||||
|
expires: data.expiresAt,
|
||||||
|
attachmentToken: data.attachmentToken,
|
||||||
|
});
|
||||||
|
|
||||||
|
navigateTo("/home");
|
||||||
|
}
|
||||||
|
|
||||||
const route = useRoute();
|
const route = useRoute();
|
||||||
const router = useRouter();
|
const router = useRouter();
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue