mirror of
https://github.com/hrfee/jfa-go.git
synced 2024-12-22 17:10:10 +00:00
ips: add advanced settings for ip logging
This commit is contained in:
parent
04c94ba55a
commit
269836fc99
41
auth.go
41
auth.go
@ -18,6 +18,28 @@ const (
|
|||||||
REFRESH_TOKEN_VALIDITY_SEC = 3600 * 24
|
REFRESH_TOKEN_VALIDITY_SEC = 3600 * 24
|
||||||
)
|
)
|
||||||
|
|
||||||
|
func (app *appContext) logIpInfo(gc *gin.Context, user bool, out string) {
|
||||||
|
app.info.Printf(out)
|
||||||
|
if (user && LOGIPU) || (!user && LOGIP) {
|
||||||
|
app.info.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
|
||||||
|
}
|
||||||
|
app.info.Print("\n")
|
||||||
|
}
|
||||||
|
func (app *appContext) logIpDebug(gc *gin.Context, user bool, out string) {
|
||||||
|
app.debug.Printf(out)
|
||||||
|
if (user && LOGIPU) || (!user && LOGIP) {
|
||||||
|
app.debug.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
|
||||||
|
}
|
||||||
|
app.debug.Print("\n")
|
||||||
|
}
|
||||||
|
func (app *appContext) logIpErr(gc *gin.Context, user bool, out string) {
|
||||||
|
app.err.Printf(out)
|
||||||
|
if (user && LOGIPU) || (!user && LOGIP) {
|
||||||
|
app.err.Printf(" (ip=%s)", strings.TrimSpace(gc.Request.Header.Get("X-Real-IP")))
|
||||||
|
}
|
||||||
|
app.err.Print("\n")
|
||||||
|
}
|
||||||
|
|
||||||
func (app *appContext) webAuth() gin.HandlerFunc {
|
func (app *appContext) webAuth() gin.HandlerFunc {
|
||||||
return app.authenticate
|
return app.authenticate
|
||||||
}
|
}
|
||||||
@ -133,8 +155,7 @@ type getTokenDTO struct {
|
|||||||
Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
|
Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
|
||||||
}
|
}
|
||||||
|
|
||||||
func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, password string, ok bool) {
|
func (app *appContext) decodeValidateLoginHeader(gc *gin.Context, userpage bool) (username, password string, ok bool) {
|
||||||
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
|
|
||||||
header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
|
header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
|
||||||
auth, _ := base64.StdEncoding.DecodeString(header[1])
|
auth, _ := base64.StdEncoding.DecodeString(header[1])
|
||||||
creds := strings.SplitN(string(auth), ":", 2)
|
creds := strings.SplitN(string(auth), ":", 2)
|
||||||
@ -142,7 +163,7 @@ func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, pas
|
|||||||
password = creds[1]
|
password = creds[1]
|
||||||
ok = false
|
ok = false
|
||||||
if username == "" || password == "" {
|
if username == "" || password == "" {
|
||||||
app.debug.Print("Auth denied: blank username/password ip=", ip, "\n")
|
app.logIpDebug(gc, userpage, "Auth denied: blank username/password")
|
||||||
respond(401, "Unauthorized", gc)
|
respond(401, "Unauthorized", gc)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -150,18 +171,17 @@ func (app *appContext) decodeValidateLoginHeader(gc *gin.Context) (username, pas
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func (app *appContext) validateJellyfinCredentials(username, password string, gc *gin.Context) (user mediabrowser.User, ok bool) {
|
func (app *appContext) validateJellyfinCredentials(username, password string, gc *gin.Context, userpage bool) (user mediabrowser.User, ok bool) {
|
||||||
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
|
|
||||||
ok = false
|
ok = false
|
||||||
user, status, err := app.authJf.Authenticate(username, password)
|
user, status, err := app.authJf.Authenticate(username, password)
|
||||||
if status != 200 || err != nil {
|
if status != 200 || err != nil {
|
||||||
if status == 401 || status == 400 {
|
if status == 401 || status == 400 {
|
||||||
app.info.Print("Auth denied: Invalid username/password (Jellyfin) ip=", ip, "\n")
|
app.logIpInfo(gc, userpage, "Auth denied: Invalid username/password (Jellyfin)")
|
||||||
respond(401, "Unauthorized", gc)
|
respond(401, "Unauthorized", gc)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if status == 403 {
|
if status == 403 {
|
||||||
app.info.Print("Auth denied: Jellyfin account disabled ip=", ip, "\n")
|
app.logIpInfo(gc, userpage, "Auth denied: Jellyfin account disabled")
|
||||||
respond(403, "yourAccountWasDisabled", gc)
|
respond(403, "yourAccountWasDisabled", gc)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -182,9 +202,8 @@ func (app *appContext) validateJellyfinCredentials(username, password string, gc
|
|||||||
// @tags Auth
|
// @tags Auth
|
||||||
// @Security getTokenAuth
|
// @Security getTokenAuth
|
||||||
func (app *appContext) getTokenLogin(gc *gin.Context) {
|
func (app *appContext) getTokenLogin(gc *gin.Context) {
|
||||||
ip := strings.TrimSpace(gc.Request.Header.Get("X-Real-IP"))
|
|
||||||
app.info.Println("Token requested (login attempt)")
|
app.info.Println("Token requested (login attempt)")
|
||||||
username, password, ok := app.decodeValidateLoginHeader(gc)
|
username, password, ok := app.decodeValidateLoginHeader(gc, false)
|
||||||
if !ok {
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -199,12 +218,12 @@ func (app *appContext) getTokenLogin(gc *gin.Context) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if !app.jellyfinLogin && !match {
|
if !app.jellyfinLogin && !match {
|
||||||
app.info.Print("Auth denied: Invalid username/password ip=", ip, "\n")
|
app.logIpInfo(gc, false, "Auth denied: Invalid username/password")
|
||||||
respond(401, "Unauthorized", gc)
|
respond(401, "Unauthorized", gc)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if !match {
|
if !match {
|
||||||
user, ok := app.validateJellyfinCredentials(username, password, gc)
|
user, ok := app.validateJellyfinCredentials(username, password, gc, false)
|
||||||
if !ok {
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -120,6 +120,9 @@ func (app *appContext) loadConfig() error {
|
|||||||
app.config.Section("jellyfin").Key("device").SetValue("jfa-go")
|
app.config.Section("jellyfin").Key("device").SetValue("jfa-go")
|
||||||
app.config.Section("jellyfin").Key("device_id").SetValue(fmt.Sprintf("jfa-go-%s-%s", version, commit))
|
app.config.Section("jellyfin").Key("device_id").SetValue(fmt.Sprintf("jfa-go-%s-%s", version, commit))
|
||||||
|
|
||||||
|
LOGIP = app.config.Section("advanced").Key("log_ips").MustBool(false)
|
||||||
|
LOGIPU = app.config.Section("advanced").Key("log_ips_userpage").MustBool(false)
|
||||||
|
|
||||||
// These two settings are pretty much the same
|
// These two settings are pretty much the same
|
||||||
url1 := app.config.Section("invite_emails").Key("url_base").String()
|
url1 := app.config.Section("invite_emails").Key("url_base").String()
|
||||||
url2 := app.config.Section("password_resets").Key("url_base").String()
|
url2 := app.config.Section("password_resets").Key("url_base").String()
|
||||||
|
@ -297,6 +297,29 @@
|
|||||||
"advanced": true
|
"advanced": true
|
||||||
},
|
},
|
||||||
"settings": {
|
"settings": {
|
||||||
|
"log_ips": {
|
||||||
|
"name": "Log IPs accessing Admin Page",
|
||||||
|
"required": false,
|
||||||
|
"requires_restart": true,
|
||||||
|
"type": "bool",
|
||||||
|
"value": false,
|
||||||
|
"description": "Log IP addresses in console and in activities. See notice below on legality."
|
||||||
|
},
|
||||||
|
"log_ips_userpage": {
|
||||||
|
"name": "Log IPs accessing User Page",
|
||||||
|
"required": false,
|
||||||
|
"requires_restart": true,
|
||||||
|
"type": "bool",
|
||||||
|
"value": false,
|
||||||
|
"description": "Log IP addresses in console and in activities. See notice below on legality."
|
||||||
|
},
|
||||||
|
"ip_note": {
|
||||||
|
"name": "Logging IPs:",
|
||||||
|
"type": "note",
|
||||||
|
"value": "",
|
||||||
|
"required": "false",
|
||||||
|
"description": "Logging IP addresses through jfa-go may violate GDPR or other privacy regulations, as IPs are linked to account information. Enable at your own risk."
|
||||||
|
},
|
||||||
"tls": {
|
"tls": {
|
||||||
"name": "TLS/HTTP2",
|
"name": "TLS/HTTP2",
|
||||||
"required": false,
|
"required": false,
|
||||||
|
2
main.go
2
main.go
@ -46,6 +46,8 @@ var (
|
|||||||
SWAGGER *bool
|
SWAGGER *bool
|
||||||
QUIT = false
|
QUIT = false
|
||||||
RUNNING = false
|
RUNNING = false
|
||||||
|
LOGIP = false // Log admin IPs
|
||||||
|
LOGIPU = false // Log user IPs
|
||||||
// Used to know how many times to re-broadcast restart signal.
|
// Used to know how many times to re-broadcast restart signal.
|
||||||
RESTARTLISTENERCOUNT = 0
|
RESTARTLISTENERCOUNT = 0
|
||||||
warning = color.New(color.FgYellow).SprintfFunc()
|
warning = color.New(color.FgYellow).SprintfFunc()
|
||||||
|
@ -46,12 +46,12 @@ func (app *appContext) getUserTokenLogin(gc *gin.Context) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
app.info.Println("UserToken requested (login attempt)")
|
app.info.Println("UserToken requested (login attempt)")
|
||||||
username, password, ok := app.decodeValidateLoginHeader(gc)
|
username, password, ok := app.decodeValidateLoginHeader(gc, true)
|
||||||
if !ok {
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
user, ok := app.validateJellyfinCredentials(username, password, gc)
|
user, ok := app.validateJellyfinCredentials(username, password, gc, true)
|
||||||
if !ok {
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user