package main
import (
"encoding/base64"
"fmt"
"os"
"strings"
"time"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt"
"github.com/hrfee/mediabrowser"
"github.com/lithammer/shortuuid/v3"
)
// Token lifetimes, in seconds.
const (
// TOKEN_VALIDITY_SEC is how long a "bearer" token stays valid (20 minutes);
// CreateToken uses it for the bearer token's "exp" claim.
TOKEN_VALIDITY_SEC = 20 * 60
// REFRESH_TOKEN_VALIDITY_SEC is how long a "refresh" token stays valid
// (24 hours); it is used for the refresh token's "exp" claim and for the
// max-age of the refresh cookie set by getTokenRefresh.
REFRESH_TOKEN_VALIDITY_SEC = 3600 * 24
)
// webAuth returns app.authenticate as a gin.HandlerFunc so it can be
// installed as middleware.
func (app *appContext) webAuth() gin.HandlerFunc {
	var handler gin.HandlerFunc = app.authenticate
	return handler
}
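// CreateToken returns a signed bearer token and a signed refresh token, in
// that order. The refresh token can be used to obtain new tokens.
//
// Both are HS256 JWTs keyed with the JFA_SECRET environment variable and
// carry the same "valid", "id", "jfid" and "admin" claims; they differ only in
// "type" ("bearer" or "refresh") and in "exp" (TOKEN_VALIDITY_SEC or
// REFRESH_TOKEN_VALIDITY_SEC seconds from now).
//
// An error is returned if JFA_SECRET is empty or if signing fails; in that
// case both returned strings are empty.
func CreateToken(userId, jfId string, admin bool) (string, string, error) {
	// Fail closed: with JFA_SECRET unset the tokens would be signed with a
	// zero-length HMAC key, which offers no protection against forgery.
	secret := []byte(os.Getenv("JFA_SECRET"))
	if len(secret) == 0 {
		return "", "", fmt.Errorf("JFA_SECRET is not set")
	}

	// Derive both expiries from one instant so the pair is consistent.
	now := time.Now()
	sign := func(tokenType string, validity time.Duration) (string, error) {
		claims := jwt.MapClaims{
			"valid": true,
			"id":    userId,
			"exp":   now.Add(validity).Unix(),
			"jfid":  jfId,
			"admin": admin,
			"type":  tokenType,
		}
		return jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(secret)
	}

	token, err := sign("bearer", time.Second*TOKEN_VALIDITY_SEC)
	if err != nil {
		return "", "", err
	}
	refresh, err := sign("refresh", time.Second*REFRESH_TOKEN_VALIDITY_SEC)
	if err != nil {
		return "", "", err
	}
	return token, refresh, nil
}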
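// decodeValidateAuthHeader reads the "Authorization: Bearer <jwt>" request
// header, verifies the JWT with checkToken and returns its claims.
//
// The token is accepted only if it parses and verifies, its claims are a
// jwt.MapClaims, "type" is "bearer" and "exp" is a number in the future.
// On any failure a 401 response is written and ok is false.
//
// Caller should return if this returns false.
func (app *appContext) decodeValidateAuthHeader(gc *gin.Context) (claims jwt.MapClaims, ok bool) {
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	// A header without a space (absent, or "Bearer" alone) splits into a
	// single element, so the length must be checked before reading header[1].
	if len(header) != 2 || header[0] != "Bearer" {
		app.debug.Println("Invalid authorization header")
		respond(401, "Unauthorized", gc)
		return nil, false
	}

	token, err := jwt.Parse(header[1], checkToken)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return nil, false
	}

	claims, ok = token.Claims.(jwt.MapClaims)
	if !ok {
		app.debug.Println("Invalid JWT")
		respond(401, "Unauthorized", gc)
		return nil, false
	}

	// Checked assertions: a token lacking "exp" or "type", or carrying them
	// with an unexpected JSON type, is rejected instead of panicking.
	expiryUnix, hasExpiry := claims["exp"].(float64)
	tokenType, _ := claims["type"].(string)
	notExpired := hasExpiry && time.Unix(int64(expiryUnix), 0).After(time.Now())
	if !(token.Valid && tokenType == "bearer" && notExpired) {
		app.debug.Printf("Auth denied: Invalid token")
		respond(401, "Unauthorized", gc)
		return nil, false
	}
	return claims, true
}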
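// authenticate is the gin middleware for admin access. It validates the
// bearer token in the Authorization header, requires the token's "admin"
// claim to be true and its "id" claim to match an entry in app.adminUsers,
// then stores "jfId", "userId" and "userMode" (false) on the context and
// calls gc.Next(). On any failure a 401 response is written and the
// handler returns without calling gc.Next().
func (app *appContext) authenticate(gc *gin.Context) {
	claims, ok := app.decodeValidateAuthHeader(gc)
	if !ok {
		return
	}

	// Checked assertion: a token without a boolean "admin" claim is treated
	// as non-admin rather than causing a panic.
	if isAdminToken, _ := claims["admin"].(bool); !isAdminToken {
		app.debug.Printf("Auth denied: Token was not for admin access")
		respond(401, "Unauthorized", gc)
		return
	}

	userID, hasID := claims["id"].(string)
	jfID, hasJfID := claims["jfid"].(string)
	if !hasID || !hasJfID {
		app.debug.Println("Auth denied: Invalid token")
		respond(401, "Unauthorized", gc)
		return
	}

	// The token must belong to a user this process knows about.
	match := false
	for _, user := range app.adminUsers {
		if user.UserID == userID {
			match = true
			break
		}
	}
	if !match {
		app.debug.Printf("Couldn't find user ID \"%s\"", userID)
		respond(401, "Unauthorized", gc)
		return
	}

	gc.Set("jfId", jfID)
	gc.Set("userId", userID)
	gc.Set("userMode", false)
	app.debug.Println("Auth succeeded")
	gc.Next()
}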
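// checkToken is the key function passed to jwt.Parse. It returns the HMAC
// verification key, taken from the JFA_SECRET environment variable.
//
// Tokens whose signing method is not an HMAC variant are rejected, so the
// secret is never used to verify a token that declares a different algorithm.
// An empty JFA_SECRET is also rejected, since a zero-length key would let
// anyone produce tokens that verify.
func checkToken(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
	}
	secret := []byte(os.Getenv("JFA_SECRET"))
	if len(secret) == 0 {
		return nil, fmt.Errorf("JFA_SECRET is not set")
	}
	return secret, nil
}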
// getTokenDTO is the JSON body returned by the token routes.
type getTokenDTO struct {
	// Token is the API token for use with everything else.
	Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"`
}
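// decodeValidateLoginHeader extracts the username and password from the
// request's Authorization header, which is expected to have the form
// "<scheme> <base64 of username:password>".
//
// If the header is missing or has no credentials part, the credentials are
// not valid base64, there is no ":" separator, or either field is blank, a
// 401 response is written and ok is false; the caller should return.
func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, password string, ok bool) {
	deny := func(reason string) (string, string, bool) {
		app.debug.Println(reason)
		respond(401, "Unauthorized", gc)
		return "", "", false
	}

	// This route is reachable before authentication, so every index below
	// is guarded: a malformed header must produce a 401, not a panic.
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if len(header) != 2 {
		return deny("Auth denied: missing or malformed authorization header")
	}
	// NOTE(review): the scheme in header[0] is not checked here; consider
	// requiring "Basic" once it is confirmed that every client sends it.
	auth, err := base64.StdEncoding.DecodeString(header[1])
	if err != nil {
		return deny("Auth denied: authorization header is not valid base64")
	}
	creds := strings.SplitN(string(auth), ":", 2)
	if len(creds) != 2 || creds[0] == "" || creds[1] == "" {
		return deny("Auth denied: blank username/password")
	}
	return creds[0], creds[1], true
}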
// validateJellyfinCredentials checks the username and password against
// Jellyfin through app.authJf.Authenticate. ok is true only when that call
// returns status 200 and no error. Otherwise a response is written:
// 401 for status 400/401, 403 "yourAccountWasDisabled" for status 403, and
// 500 "Jellyfin error" for anything else; the caller should then return.
func (app *appContext) validateJellyfinCredentials(username, password string, gc *gin.Context) (user mediabrowser.User, ok bool) {
	user, status, err := app.authJf.Authenticate(username, password)
	if err == nil && status == 200 {
		ok = true
		return
	}

	switch status {
	case 400, 401:
		app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
		respond(401, "Unauthorized", gc)
	case 403:
		app.info.Println("Auth denied: Jellyfin account disabled")
		respond(403, "yourAccountWasDisabled", gc)
	default:
		// Any other outcome is reported as a server-side failure.
		app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
		respond(500, "Jellyfin error", gc)
	}
	return
}
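// @Summary Grabs an API token using username & password.
// @description If viewing docs locally, click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and set the API key as "Bearer `your api key`".
// @Produce json
// @Success 200 {object} getTokenDTO
// @Failure 401 {object} stringResponse
// @Router /token/login [get]
// @tags Auth
// @Security getTokenAuth
func (app *appContext) getTokenLogin(gc *gin.Context) {
	// Flow: the credentials are first compared with app.adminUsers. If none
	// matches and app.jellyfinLogin is enabled, they are checked against
	// Jellyfin and, unless ui/allow_all is set, the account must be an admin.
	// On success a bearer token is returned as JSON and the refresh token
	// is set as a cookie.
	app.info.Println("Token requested (login attempt)")
	username, password, ok := app.decodeValidateLoginHeader(gc)
	if !ok {
		return
	}

	var userID, jfID string
	match := false
	// NOTE(review): passwords are compared with ==, which implies
	// app.adminUsers holds them in directly comparable form and the
	// comparison is not constant-time. Consider
	// crypto/subtle.ConstantTimeCompare and hashed storage; confirm against
	// the code that populates adminUsers.
	for _, user := range app.adminUsers {
		if user.Username == username && user.Password == password {
			match = true
			app.debug.Println("Found existing user")
			userID = user.UserID
			break
		}
	}
	if !app.jellyfinLogin && !match {
		app.info.Println("Auth denied: Invalid username/password")
		respond(401, "Unauthorized", gc)
		return
	}

	if !match {
		user, ok := app.validateJellyfinCredentials(username, password, gc)
		if !ok {
			return
		}
		jfID = user.ID
		if !app.config.Section("ui").Key("allow_all").MustBool(false) {
			accountsAdmin := false
			adminOnly := app.config.Section("ui").Key("admin_only").MustBool(true)
			if emailStore, ok := app.storage.GetEmailsKey(jfID); ok {
				accountsAdmin = emailStore.Admin
			}
			accountsAdmin = accountsAdmin || (adminOnly && user.Policy.IsAdministrator)
			if !accountsAdmin {
				// %q escapes control characters: username comes straight
				// from the request and must not be able to forge log lines.
				app.debug.Printf("Auth denied: Users %q isn't admin", username)
				respond(401, "Unauthorized", gc)
				return
			}
		}
		// New users are only added when using jellyfinLogin.
		// NOTE(review): every successful Jellyfin-backed login appends a
		// new entry here, with no locking or pruning visible in this
		// function; confirm concurrent requests cannot race on adminUsers
		// and that its growth is bounded elsewhere.
		userID = shortuuid.New()
		newUser := User{
			UserID: userID,
		}
		app.debug.Printf("Token generated for user %q", username)
		app.adminUsers = append(app.adminUsers, newUser)
	}

	token, refresh, err := CreateToken(userID, jfID, true)
	if err != nil {
		app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
		respond(500, "Couldn't generate token", gc)
		return
	}
	// Cookie lifetime matches the refresh token's own expiry; the last two
	// arguments mark the cookie Secure and HttpOnly.
	gc.SetCookie("refresh", refresh, REFRESH_TOKEN_VALIDITY_SEC, "/", gc.Request.URL.Hostname(), true, true)
	gc.JSON(200, getTokenDTO{token})
}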
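// decodeValidateRefreshCookie reads the refresh token from the cookie named
// cookieName, verifies it with checkToken and returns its claims.
//
// The token is accepted only if it is not listed in app.invalidTokens, it
// parses and verifies, its claims are a jwt.MapClaims, "type" is "refresh"
// and "exp" is a number in the future. Otherwise a response is written
// (400 for a missing or unparseable token, 401 for a listed or otherwise
// invalid one) and ok is false; the caller should return.
func (app *appContext) decodeValidateRefreshCookie(gc *gin.Context, cookieName string) (claims jwt.MapClaims, ok bool) {
	cookie, err := gc.Cookie(cookieName)
	if err != nil || cookie == "" {
		app.debug.Printf("getTokenRefresh denied: Couldn't get token: %s", err)
		respond(400, "Couldn't get token", gc)
		return nil, false
	}

	// Refuse tokens recorded in app.invalidTokens before doing any parsing.
	for _, revoked := range app.invalidTokens {
		if cookie == revoked {
			app.debug.Println("getTokenRefresh: Invalid token")
			respond(401, "Invalid token", gc)
			return nil, false
		}
	}

	token, err := jwt.Parse(cookie, checkToken)
	if err != nil {
		app.debug.Println("getTokenRefresh: Invalid token")
		respond(400, "Invalid token", gc)
		return nil, false
	}

	// Checked assertions throughout: unexpected claim shapes are rejected
	// with a 401 instead of panicking. Indexing a nil map is safe, so a
	// failed MapClaims assertion is handled by the combined check below.
	claims, ok = token.Claims.(jwt.MapClaims)
	expiryUnix, hasExpiry := claims["exp"].(float64)
	tokenType, _ := claims["type"].(string)
	notExpired := hasExpiry && time.Unix(int64(expiryUnix), 0).After(time.Now())
	if !(ok && token.Valid && tokenType == "refresh" && notExpired) {
		app.debug.Println("getTokenRefresh: Invalid token")
		respond(401, "Invalid token", gc)
		return nil, false
	}
	return claims, true
}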
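// @Summary Grabs an API token using a refresh token from cookies.
// @Produce json
// @Success 200 {object} getTokenDTO
// @Failure 401 {object} stringResponse
// @Router /token/refresh [get]
// @tags Auth
func (app *appContext) getTokenRefresh(gc *gin.Context) {
	app.debug.Println("Token requested (refresh token)")
	claims, ok := app.decodeValidateRefreshCookie(gc, "refresh")
	if !ok {
		return
	}

	// This route always re-issues tokens with admin=true, so it only honours
	// refresh tokens that were themselves issued with the admin claim set.
	// CreateToken also accepts admin=false, so refresh tokens without admin
	// rights, signed with the same secret, presumably exist elsewhere in
	// the application (verify); they must not be upgraded here.
	if isAdminToken, _ := claims["admin"].(bool); !isAdminToken {
		app.debug.Println("getTokenRefresh: Token was not for admin access")
		respond(401, "Invalid token", gc)
		return
	}

	// Checked assertions: reject malformed claims rather than panic.
	userID, hasID := claims["id"].(string)
	jfID, hasJfID := claims["jfid"].(string)
	if !hasID || !hasJfID {
		app.debug.Println("getTokenRefresh: Invalid token")
		respond(401, "Invalid token", gc)
		return
	}

	// Named token rather than jwt so the jwt package is not shadowed.
	token, refresh, err := CreateToken(userID, jfID, true)
	if err != nil {
		app.err.Printf("getTokenRefresh failed: Couldn't generate token (%s)", err)
		respond(500, "Couldn't generate token", gc)
		return
	}
	// The last two arguments mark the cookie Secure and HttpOnly.
	gc.SetCookie("refresh", refresh, REFRESH_TOKEN_VALIDITY_SEC, "/", gc.Request.URL.Hostname(), true, true)
	gc.JSON(200, getTokenDTO{token})
}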