1
0
mirror of https://github.com/hrfee/jfa-go.git synced 2024-12-22 17:10:10 +00:00

ips: add advanced settings for ip logging

This commit is contained in:
Harvey Tindall 2023-12-23 20:54:55 +00:00
parent 04c94ba55a
commit 269836fc99
Signed by: hrfee
GPG Key ID: BBC65952848FB1A2
5 changed files with 60 additions and 13 deletions

41
auth.go
View File

@ -18,6 +18,28 @@ const (
REFRESH_TOKEN_VALIDITY_SEC = 3600 * 24 REFRESH_TOKEN_VALIDITY_SEC = 3600 * 24
) )
func (app *appContext) logIpInfo(gc *gin.Context, user bool, out string) {
app.info.Printf(out)
if (user && LOGIPU) || (!user && LOGIP) {
app.info.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
}
app.info.Print("\n")
}
func (app *appContext) logIpDebug(gc *gin.Context, user bool, out string) {
app.debug.Printf(out)
if (user && LOGIPU) || (!user && LOGIP) {
app.debug.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
}
app.debug.Print("\n")
}
func (app *appContext) logIpErr(gc *gin.Context, user bool, out string) {
app.err.Printf(out)
if (user && LOGIPU) || (!user && LOGIP) {
app.err.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
}
app.err.Print("\n")
}
func (app *appContext) webAuth() gin.HandlerFunc { func (app *appContext) webAuth() gin.HandlerFunc {
return app.authenticate return app.authenticate
} }
@ -133,8 +155,7 @@ type getTokenDTO struct {
Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else. Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
} }
func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, password string, ok bool) { func (app *appContext) decodeValidateLoginHeader(gc *gin.Context, userpage bool) (username, password string, ok bool) {
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2) header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
auth, _ := base64.StdEncoding.DecodeString(header[1]) auth, _ := base64.StdEncoding.DecodeString(header[1])
creds := strings.SplitN(string(auth), ":", 2) creds := strings.SplitN(string(auth), ":", 2)
@ -142,7 +163,7 @@ func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, pas
password = creds[1] password = creds[1]
ok = false ok = false
if username == "" || password == "" { if username == "" || password == "" {
app.debug.Print("Auth denied: blank username/password ip=", ip, "\n") app.logIpDebug(gc, userpage, "Auth denied: blank username/password")
respond(401, "Unauthorized", gc) respond(401, "Unauthorized", gc)
return return
} }
@ -150,18 +171,17 @@ func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, pas
return return
} }
func (app *appContext) validateJellyfinCredentials(username, password string, gc *gin.Context) (user mediabrowser.User, ok bool) { func (app *appContext) validateJellyfinCredentials(username, password string, gc *gin.Context, userpage bool) (user mediabrowser.User, ok bool) {
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
ok = false ok = false
user, status, err := app.authJf.Authenticate(username, password) user, status, err := app.authJf.Authenticate(username, password)
if status != 200 || err != nil { if status != 200 || err != nil {
if status == 401 || status == 400 { if status == 401 || status == 400 {
app.info.Print("Auth denied: Invalid username/password (Jellyfin) ip=", ip, "\n") app.logIpInfo(gc, userpage, "Auth denied: Invalid username/password (Jellyfin)")
respond(401, "Unauthorized", gc) respond(401, "Unauthorized", gc)
return return
} }
if status == 403 { if status == 403 {
app.info.Print("Auth denied: Jellyfin account disabled ip=", ip, "\n") app.logIpInfo(gc, userpage, "Auth denied: Jellyfin account disabled")
respond(403, "yourAccountWasDisabled", gc) respond(403, "yourAccountWasDisabled", gc)
return return
} }
@ -182,9 +202,8 @@ func (app *appContext) validateJellyfinCredentials(username, password string, gc
// @tags Auth // @tags Auth
// @Security getTokenAuth // @Security getTokenAuth
func (app *appContext) getTokenLogin(gc *gin.Context) { func (app *appContext) getTokenLogin(gc *gin.Context) {
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
app.info.Println("Token requested (login attempt)") app.info.Println("Token requested (login attempt)")
username, password, ok := app.decodeValidateLoginHeader(gc) username, password, ok := app.decodeValidateLoginHeader(gc, false)
if !ok { if !ok {
return return
} }
@ -199,12 +218,12 @@ func (app *appContext) getTokenLogin(gc *gin.Context) {
} }
} }
if !app.jellyfinLogin && !match { if !app.jellyfinLogin && !match {
app.info.Print("Auth denied: Invalid username/password ip=", ip, "\n") app.logIpInfo(gc, false, "Auth denied: Invalid username/password")
respond(401, "Unauthorized", gc) respond(401, "Unauthorized", gc)
return return
} }
if !match { if !match {
user, ok := app.validateJellyfinCredentials(username, password, gc) user, ok := app.validateJellyfinCredentials(username, password, gc, false)
if !ok { if !ok {
return return
} }

View File

@ -120,6 +120,9 @@ func (app *appContext) loadConfig() error {
app.config.Section("jellyfin").Key("device").SetValue("jfa-go") app.config.Section("jellyfin").Key("device").SetValue("jfa-go")
app.config.Section("jellyfin").Key("device_id").SetValue(fmt.Sprintf("jfa-go-%s-%s", version, commit)) app.config.Section("jellyfin").Key("device_id").SetValue(fmt.Sprintf("jfa-go-%s-%s", version, commit))
LOGIP = app.config.Section("advanced").Key("log_ips").MustBool(false)
LOGIPU = app.config.Section("advanced").Key("log_ips_userpage").MustBool(false)
// These two settings are pretty much the same // These two settings are pretty much the same
url1 := app.config.Section("invite_emails").Key("url_base").String() url1 := app.config.Section("invite_emails").Key("url_base").String()
url2 := app.config.Section("password_resets").Key("url_base").String() url2 := app.config.Section("password_resets").Key("url_base").String()

View File

@ -297,6 +297,29 @@
"advanced": true "advanced": true
}, },
"settings": { "settings": {
"log_ips": {
"name": "Log IPs accessing Admin Page",
"required": false,
"requires_restart": true,
"type": "bool",
"value": false,
"description": "Log IP addresses in console and in activities. See notice below on legality."
},
"log_ips_userpage": {
"name": "Log IPs accessing User Page",
"required": false,
"requires_restart": true,
"type": "bool",
"value": false,
"description": "Log IP addresses in console and in activities. See notice below on legality."
},
"ip_note": {
"name": "Logging IPs:",
"type": "note",
"value": "",
"required": "false",
"description": "Logging IP addresses through jfa-go may violate GDPR or other privacy regulations, as IPs are linked to account information. Enable at your own risk."
},
"tls": { "tls": {
"name": "TLS/HTTP2", "name": "TLS/HTTP2",
"required": false, "required": false,

View File

@ -46,6 +46,8 @@ var (
SWAGGER *bool SWAGGER *bool
QUIT = false QUIT = false
RUNNING = false RUNNING = false
LOGIP = false // Log admin IPs
LOGIPU = false // Log user IPs
// Used to know how many times to re-broadcast restart signal. // Used to know how many times to re-broadcast restart signal.
RESTARTLISTENERCOUNT = 0 RESTARTLISTENERCOUNT = 0
warning = color.New(color.FgYellow).SprintfFunc() warning = color.New(color.FgYellow).SprintfFunc()

View File

@ -46,12 +46,12 @@ func (app *appContext) getUserTokenLogin(gc *gin.Context) {
return return
} }
app.info.Println("UserToken requested (login attempt)") app.info.Println("UserToken requested (login attempt)")
username, password, ok := app.decodeValidateLoginHeader(gc) username, password, ok := app.decodeValidateLoginHeader(gc, true)
if !ok { if !ok {
return return
} }
user, ok := app.validateJellyfinCredentials(username, password, gc) user, ok := app.validateJellyfinCredentials(username, password, gc, true)
if !ok { if !ok {
return return
} }