mirror of
https://github.com/hrfee/jfa-go.git
synced 2024-12-22 17:10:10 +00:00
Add refresh tokens for persistent login, logout button
the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage.
This commit is contained in:
parent
29a79a1ce1
commit
d144077e62
5
api.go
5
api.go
@ -609,6 +609,11 @@ func (app *appContext) ModifyConfig(gc *gin.Context) {
|
||||
}
|
||||
}
|
||||
|
||||
func (app *appContext) Logout(gc *gin.Context) {
|
||||
app.invalidIds = append(app.invalidIds, gc.GetString("userId"))
|
||||
gc.JSON(200, map[string]bool{"success": true})
|
||||
}
|
||||
|
||||
// func Restart() error {
|
||||
// defer func() {
|
||||
// if r := recover(); r != nil {
|
||||
|
127
auth.go
127
auth.go
@ -4,6 +4,7 @@ import (
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -40,7 +41,14 @@ func (app *appContext) authenticate(gc *gin.Context) {
|
||||
claims, ok := token.Claims.(jwt.MapClaims)
|
||||
var userId string
|
||||
var jfId string
|
||||
if ok && token.Valid {
|
||||
expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
|
||||
if err != nil {
|
||||
app.debug.Printf("Auth denied: %s", err)
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
expiry := time.Unix(expiryUnix, 0)
|
||||
if ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now()) {
|
||||
userId = claims["id"].(string)
|
||||
jfId = claims["jfid"].(string)
|
||||
} else {
|
||||
@ -76,71 +84,126 @@ func (app *appContext) GetToken(gc *gin.Context) {
|
||||
auth, _ := base64.StdEncoding.DecodeString(header[1])
|
||||
creds := strings.SplitN(string(auth), ":", 2)
|
||||
match := false
|
||||
var userId string
|
||||
var userId, jfId string
|
||||
for _, user := range app.users {
|
||||
if user.Username == creds[0] && user.Password == creds[1] {
|
||||
match = true
|
||||
userId = user.UserID
|
||||
}
|
||||
}
|
||||
jfId := ""
|
||||
if !match {
|
||||
if !app.jellyfinLogin {
|
||||
app.info.Println("Auth failed: Invalid username and/or password")
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
var status int
|
||||
var err error
|
||||
var user map[string]interface{}
|
||||
user, status, err = app.authJf.authenticate(creds[0], creds[1])
|
||||
if status != 200 || err != nil {
|
||||
if status == 401 || status == 400 {
|
||||
app.info.Println("Auth failed: Invalid username and/or password")
|
||||
respond(401, "Invalid username/password", gc)
|
||||
if creds[1] == "" {
|
||||
token, err := jwt.Parse(creds[0], func(token *jwt.Token) (interface{}, error) {
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
app.debug.Printf("Invalid JWT signing method %s", token.Header["alg"])
|
||||
return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
|
||||
}
|
||||
return []byte(os.Getenv("JFA_SECRET")), nil
|
||||
})
|
||||
if err != nil {
|
||||
app.debug.Printf("Auth denied: %s", err)
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin: Code %d", status)
|
||||
respond(500, "Jellyfin error", gc)
|
||||
return
|
||||
} else {
|
||||
jfId = user["Id"].(string)
|
||||
if app.config.Section("ui").Key("admin_only").MustBool(true) {
|
||||
if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
|
||||
app.debug.Printf("Auth failed: User \"%s\" isn't admin", creds[0])
|
||||
claims, ok := token.Claims.(jwt.MapClaims)
|
||||
for _, id := range app.invalidIds {
|
||||
if claims["id"].(string) == id {
|
||||
app.debug.Printf("Auth denied: Refresh token in blocklist")
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
}
|
||||
newuser := User{}
|
||||
newuser.UserID = shortuuid.New()
|
||||
userId = newuser.UserID
|
||||
// uuid, nothing else identifiable!
|
||||
app.debug.Printf("Token generated for user \"%s\"", creds[0])
|
||||
app.users = append(app.users, newuser)
|
||||
expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
|
||||
if err != nil {
|
||||
app.debug.Printf("Auth denied: %s", err)
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
expiry := time.Unix(expiryUnix, 0)
|
||||
if ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now()) {
|
||||
userId = claims["id"].(string)
|
||||
jfId = claims["jfid"].(string)
|
||||
} else {
|
||||
app.debug.Printf("Invalid token (invalid or not refresh type)")
|
||||
respond(401, "Unauthorized", gc)
|
||||
return
|
||||
}
|
||||
} else {
|
||||
var status int
|
||||
var err error
|
||||
var user map[string]interface{}
|
||||
user, status, err = app.authJf.authenticate(creds[0], creds[1])
|
||||
if status != 200 || err != nil {
|
||||
if status == 401 || status == 400 {
|
||||
app.info.Println("Auth failed: Invalid username and/or password")
|
||||
respond(401, "Invalid username/password", gc)
|
||||
return
|
||||
}
|
||||
app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin: Code %d", status)
|
||||
respond(500, "Jellyfin error", gc)
|
||||
return
|
||||
} else {
|
||||
jfId = user["Id"].(string)
|
||||
if app.config.Section("ui").Key("admin_only").MustBool(true) {
|
||||
if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
|
||||
app.debug.Printf("Auth failed: User \"%s\" isn't admin", creds[0])
|
||||
respond(401, "Unauthorized", gc)
|
||||
}
|
||||
}
|
||||
newuser := User{}
|
||||
newuser.UserID = shortuuid.New()
|
||||
userId = newuser.UserID
|
||||
// uuid, nothing else identifiable!
|
||||
app.debug.Printf("Token generated for user \"%s\"", creds[0])
|
||||
app.users = append(app.users, newuser)
|
||||
}
|
||||
}
|
||||
}
|
||||
token, err := CreateToken(userId, jfId)
|
||||
token, refresh, err := CreateToken(userId, jfId)
|
||||
if err != nil {
|
||||
respond(500, "Error generating token", gc)
|
||||
}
|
||||
resp := map[string]string{"token": token}
|
||||
resp := map[string]string{"token": token, "refresh": refresh}
|
||||
gc.JSON(200, resp)
|
||||
}
|
||||
|
||||
func CreateToken(userId string, jfId string) (string, error) {
|
||||
func CreateToken(userId string, jfId string) (string, string, error) {
|
||||
var token, refresh string
|
||||
var err error
|
||||
claims := jwt.MapClaims{
|
||||
"valid": true,
|
||||
"id": userId,
|
||||
"exp": time.Now().Add(time.Minute * 20).Unix(),
|
||||
"exp": strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),
|
||||
"jfid": jfId,
|
||||
"type": "bearer",
|
||||
}
|
||||
|
||||
tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
|
||||
token, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
|
||||
if err != nil {
|
||||
return "", err
|
||||
return "", "", err
|
||||
}
|
||||
return token, nil
|
||||
|
||||
claims = jwt.MapClaims{
|
||||
"valid": true,
|
||||
"id": userId,
|
||||
"exp": strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10),
|
||||
"jfid": jfId,
|
||||
"type": "refresh",
|
||||
}
|
||||
|
||||
tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
|
||||
if err != nil {
|
||||
return "", "", err
|
||||
}
|
||||
|
||||
return token, refresh, nil
|
||||
}
|
||||
|
||||
func respond(code int, message string, gc *gin.Context) {
|
||||
|
@ -531,6 +531,61 @@ document.getElementById('inviteForm').onsubmit = function() {
|
||||
return false;
|
||||
};
|
||||
|
||||
function tryLogin(username, password, modal, button) {
|
||||
let req = new XMLHttpRequest();
|
||||
req.responseType = 'json';
|
||||
req.onreadystatechange = function() {
|
||||
if (this.readyState == 4) {
|
||||
if (this.status != 200) {
|
||||
let errormsg = req.response["error"];
|
||||
if (errormsg == "") {
|
||||
errormsg = "Unknown error"
|
||||
}
|
||||
if (modal) {
|
||||
button.disabled = false;
|
||||
button.textContent = errormsg;
|
||||
if (!button.classList.contains('btn-danger')) {
|
||||
button.classList.add('btn-danger');
|
||||
button.classList.remove('btn-primary');
|
||||
}
|
||||
setTimeout(function () {
|
||||
if (button.classList.contains('btn-danger')) {
|
||||
button.classList.add('btn-primary');
|
||||
button.classList.remove('btn-danger');
|
||||
button.textContent = 'Login';
|
||||
}
|
||||
}, 4000)
|
||||
} else {
|
||||
loginModal.show();
|
||||
}
|
||||
} else {
|
||||
const data = this.response;
|
||||
window.token = data['token'];
|
||||
document.cookie = "refresh=" + data['refresh'];
|
||||
generateInvites();
|
||||
const interval = setInterval(function() { generateInvites(); }, 60 * 1000);
|
||||
let day = document.getElementById('days');
|
||||
addOptions(30, day);
|
||||
day.selected = "0";
|
||||
let hour = document.getElementById('hours');
|
||||
addOptions(24, hour);
|
||||
hour.selected = "0";
|
||||
let minutes = document.getElementById('minutes');
|
||||
addOptions(59, minutes);
|
||||
minutes.selected = "30";
|
||||
checkDuration();
|
||||
if (modal) {
|
||||
loginModal.hide();
|
||||
}
|
||||
document.getElementById('logoutButton').setAttribute('style', '');
|
||||
}
|
||||
}
|
||||
};
|
||||
req.open("GET", "/getToken", true);
|
||||
req.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
|
||||
req.send();
|
||||
}
|
||||
|
||||
document.getElementById('loginForm').onsubmit = function() {
|
||||
window.token = "";
|
||||
let details = serializeForm('loginForm');
|
||||
@ -545,50 +600,7 @@ document.getElementById('loginForm').onsubmit = function() {
|
||||
button.innerHTML =
|
||||
'<span class="spinner-border spinner-border-sm" role="status" aria-hidden="true" style="margin-right: 0.5rem;"></span>' +
|
||||
'Loading...';
|
||||
let req = new XMLHttpRequest();
|
||||
req.responseType = 'json';
|
||||
req.onreadystatechange = function() {
|
||||
if (this.readyState == 4) {
|
||||
if (this.status != 200) {
|
||||
let errormsg = req.response["error"];
|
||||
if (errormsg == "") {
|
||||
errormsg = "Unknown error"
|
||||
}
|
||||
button.disabled = false;
|
||||
button.textContent = errormsg;
|
||||
if (!button.classList.contains('btn-danger')) {
|
||||
button.classList.add('btn-danger');
|
||||
button.classList.remove('btn-primary');
|
||||
}
|
||||
setTimeout(function () {
|
||||
if (button.classList.contains('btn-danger')) {
|
||||
button.classList.add('btn-primary');
|
||||
button.classList.remove('btn-danger');
|
||||
button.textContent = 'Login';
|
||||
}
|
||||
}, 4000)
|
||||
} else {
|
||||
const data = this.response;
|
||||
window.token = data['token'];
|
||||
generateInvites();
|
||||
const interval = setInterval(function() { generateInvites(); }, 60 * 1000);
|
||||
let day = document.getElementById('days');
|
||||
addOptions(30, day);
|
||||
day.selected = "0";
|
||||
let hour = document.getElementById('hours');
|
||||
addOptions(24, hour);
|
||||
hour.selected = "0";
|
||||
let minutes = document.getElementById('minutes');
|
||||
addOptions(59, minutes);
|
||||
minutes.selected = "30";
|
||||
checkDuration();
|
||||
loginModal.hide();
|
||||
}
|
||||
}
|
||||
};
|
||||
req.open("GET", "/getToken", true);
|
||||
req.setRequestHeader("Authorization", "Basic " + btoa(details['username'] + ":" + details['password']));
|
||||
req.send();
|
||||
tryLogin(details['username'], details['password'], true, button)
|
||||
return false;
|
||||
};
|
||||
|
||||
@ -794,7 +806,29 @@ document.getElementById('openUsers').onclick = function () {
|
||||
};
|
||||
|
||||
generateInvites(empty = true);
|
||||
loginModal.show();
|
||||
|
||||
let refreshToken = getCookie("refresh")
|
||||
if (refreshToken != "") {
|
||||
tryLogin(refreshToken, "", false)
|
||||
} else {
|
||||
loginModal.show();
|
||||
}
|
||||
|
||||
document.getElementById('logoutButton').onclick = function () {
|
||||
let req = new XMLHttpRequest();
|
||||
req.open("POST", "/logout", true);
|
||||
req.responseType = 'json';
|
||||
req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
|
||||
req.onreadystatechange = function() {
|
||||
if (this.readyState == 4 && this.status == 200) {
|
||||
window.token = '';
|
||||
document.cookie = 'refresh=;';
|
||||
location.reload();
|
||||
return false;
|
||||
}
|
||||
};
|
||||
req.send();
|
||||
}
|
||||
|
||||
var config = {};
|
||||
var modifiedConfig = {};
|
||||
|
@ -258,6 +258,9 @@
|
||||
<button type="button" class="btn btn-primary" id="openSettings">
|
||||
Settings <i class="fa fa-cog"></i>
|
||||
</button>
|
||||
<button type="button" class="btn btn-danger" id="logoutButton" style="display: none;">
|
||||
Logout <i class="fa fa-sign-out"></i>
|
||||
</button>
|
||||
</div>
|
||||
<div class="card mb-3 linkGroup">
|
||||
<div class="card-header">Current Invites</div>
|
||||
|
2
main.go
2
main.go
@ -42,6 +42,7 @@ type appContext struct {
|
||||
bsVersion int
|
||||
jellyfinLogin bool
|
||||
users []User
|
||||
invalidIds []string
|
||||
jf Jellyfin
|
||||
authJf Jellyfin
|
||||
datePattern string
|
||||
@ -328,6 +329,7 @@ func main() {
|
||||
router.Use(static.Serve("/invite/", static.LocalFile(filepath.Join(app.local_path, "static"), false)))
|
||||
router.GET("/invite/:invCode", app.InviteProxy)
|
||||
api := router.Group("/", app.webAuth())
|
||||
api.POST("/logout", app.Logout)
|
||||
api.POST("/generateInvite", app.GenerateInvite)
|
||||
api.GET("/getInvites", app.GetInvites)
|
||||
api.POST("/setNotify", app.SetNotify)
|
||||
|
Loading…
Reference in New Issue
Block a user