hrfee
/
jfa-go
mirror of https://github.com/hrfee/jfa-go.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

use Bearer auth instead of Basic 

this was a relic from the python version, i'd modeled the auth code off
some random blog post back then.
This commit is contained in:
Harvey Tindall 2020-11-12 21:04:35 +00:00
parent ba601935b5
commit d64e98da37
Signed by: hrfee
GPG Key ID: BBC65952848FB1A2
6 changed files with 147 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
api.go
View File

@ -232,7 +232,7 @@ func (app *appContext) getOmbiUser(jfID string) (map[string]interface{}, int, er
// @Param newUserDTO body newUserDTO true "New user request object"
// @Success 200
// @Router /users [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Users
func (app *appContext) NewUserAdmin(gc *gin.Context) {
var req newUserDTO
@ -411,7 +411,7 @@ func (app *appContext) NewUser(gc *gin.Context) {
// @Failure 400 {object} stringResponse
// @Failure 500 {object} errorListDTO "List of errors"
// @Router /users [delete]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Users
func (app *appContext) DeleteUser(gc *gin.Context) {
var req deleteUserDTO
@ -475,7 +475,7 @@ func (app *appContext) DeleteUser(gc *gin.Context) {
// @Param generateInviteDTO body generateInviteDTO true "New invite request object"
// @Success 200 {object} boolResponse
// @Router /invites [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Invites
func (app *appContext) GenerateInvite(gc *gin.Context) {
var req generateInviteDTO
@ -538,7 +538,7 @@ func (app *appContext) GenerateInvite(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 500 {object} stringResponse
// @Router /invites/profile [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) SetProfile(gc *gin.Context) {
var req inviteProfileDTO
@ -561,7 +561,7 @@ func (app *appContext) SetProfile(gc *gin.Context) {
// @Produce json
// @Success 200 {object} getProfilesDTO
// @Router /profiles [get]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) GetProfiles(gc *gin.Context) {
app.storage.loadProfiles()
@ -586,7 +586,7 @@ func (app *appContext) GetProfiles(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 500 {object} stringResponse
// @Router /profiles/default [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) SetDefaultProfile(gc *gin.Context) {
req := profileChangeDTO{}
@ -615,7 +615,7 @@ func (app *appContext) SetDefaultProfile(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 500 {object} stringResponse
// @Router /profiles [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) CreateProfile(gc *gin.Context) {
app.info.Println("Profile creation requested")
@ -655,7 +655,7 @@ func (app *appContext) CreateProfile(gc *gin.Context) {
// @Param profileChangeDTO body profileChangeDTO true "Delete profile object"
// @Success 200 {object} boolResponse
// @Router /profiles [delete]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) DeleteProfile(gc *gin.Context) {
req := profileChangeDTO{}
@ -672,7 +672,7 @@ func (app *appContext) DeleteProfile(gc *gin.Context) {
// @Produce json
// @Success 200 {object} getInvitesDTO
// @Router /invites [get]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Invites
func (app *appContext) GetInvites(gc *gin.Context) {
app.debug.Println("Invites requested")
@ -749,7 +749,7 @@ func (app *appContext) GetInvites(gc *gin.Context) {
// @Failure 400 {object} stringResponse
// @Failure 500 {object} stringResponse
// @Router /invites/notify [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Other
func (app *appContext) SetNotify(gc *gin.Context) {
var req map[string]map[string]bool
@ -811,7 +811,7 @@ func (app *appContext) SetNotify(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 400 {object} stringResponse
// @Router /invites [delete]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Invites
func (app *appContext) DeleteInvite(gc *gin.Context) {
var req deleteInviteDTO
@ -847,7 +847,7 @@ func parseDt(date string) time.Time {
// @Success 200 {object} getUsersDTO
// @Failure 500 {object} stringResponse
// @Router /users [get]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Users
func (app *appContext) GetUsers(gc *gin.Context) {
app.debug.Println("Users requested")
@ -884,7 +884,7 @@ func (app *appContext) GetUsers(gc *gin.Context) {
// @Success 200 {object} ombiUsersDTO
// @Failure 500 {object} stringResponse
// @Router /ombi/users [get]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Ombi
func (app *appContext) OmbiUsers(gc *gin.Context) {
app.debug.Println("Ombi users requested")
@ -911,7 +911,7 @@ func (app *appContext) OmbiUsers(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 500 {object} stringResponse
// @Router /ombi/defaults [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Ombi
func (app *appContext) SetOmbiDefaults(gc *gin.Context) {
var req ombiUser
@ -933,7 +933,7 @@ func (app *appContext) SetOmbiDefaults(gc *gin.Context) {
// @Success 200 {object} boolResponse
// @Failure 500 {object} stringResponse
// @Router /users/emails [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Users
func (app *appContext) ModifyEmails(gc *gin.Context) {
var req modifyEmailsDTO
@ -974,7 +974,7 @@ func (app *appContext) ModifyEmails(gc *gin.Context) {
// @Success 200 {object} errorListDTO
// @Failure 500 {object} errorListDTO "Lists of errors that occured while applying settings"
// @Router /users/settings [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Profiles & Settings
func (app *appContext) ApplySettings(gc *gin.Context) {
app.info.Println("User settings change requested")
@ -1058,7 +1058,7 @@ func (app *appContext) ApplySettings(gc *gin.Context) {
// @Produce json
// @Success 200 {object} configDTO "Uses the same format as config-base.json"
// @Router /config [get]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Configuration
func (app *appContext) GetConfig(gc *gin.Context) {
app.info.Println("Config requested")
@ -1118,7 +1118,7 @@ func (app *appContext) GetConfig(gc *gin.Context) {
// @Param appConfig body configDTO true "Config split into sections as in config.ini, all values as strings."
// @Success 200 {object} boolResponse
// @Router /config [post]
// @Security ApiKeyBlankPassword
// @Security Bearer
// @tags Configuration
func (app *appContext) ModifyConfig(gc *gin.Context) {
app.info.Println("Config modification requested")

239
auth.go
View File

@ -46,14 +46,13 @@ func CreateToken(userId, jfId string) (string, string, error) {
// Check header for token
func (app *appContext) authenticate(gc *gin.Context) {
header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
if header[0] != "Basic" {
app.debug.Println("Invalid authentication header")
if header[0] != "Bearer" {
app.debug.Println("Invalid authorization header")
respond(401, "Unauthorized", gc)
return
}
auth, _ := base64.StdEncoding.DecodeString(header[1])
creds := strings.SplitN(string(auth), ":", 2)
token, err := jwt.Parse(creds[0], checkToken)
creds, _ := base64.StdEncoding.DecodeString(header[1])
token, err := jwt.Parse(string(creds), checkToken)
if err != nil {
app.debug.Printf("Auth denied: %s", err)
respond(401, "Unauthorized", gc)
@ -103,146 +102,128 @@ type getTokenDTO struct {
Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
}
// getToken checks the header for a username and password, as well as checking the refresh cookie.
// @Summary Grabs an API token using username & password, or via a refresh cookie.
// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and use the token as your -Username-. The password can be anything.
// @Summary Grabs an API token using username & password.
// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and set the API key as "Bearer <your api key>".
// @Produce json
// @Success 200 {object} getTokenDTO
// @Failure 401 {object} stringResponse
// @Router /getToken [get]
// @Router /token/login [get]
// @tags Auth
// @Security getTokenAuth
func (app *appContext) getToken(gc *gin.Context) {
func (app *appContext) getTokenLogin(gc *gin.Context) {
app.info.Println("Token requested (login attempt)")
header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
auth, _ := base64.StdEncoding.DecodeString(header[1])
creds := strings.SplitN(string(auth), ":", 2)
// check cookie first
var userID, jfID string
valid := false
noLogin := false
checkLogin := func() {
if creds[0] == "" || creds[1] == "" {
app.debug.Println("Auth denied: blank username/password")
respond(401, "Unauthorized", gc)
if creds[0] == "" || creds[1] == "" {
app.debug.Println("Auth denied: blank username/password")
respond(401, "Unauthorized", gc)
return
}
match := false
for _, user := range app.users {
if user.Username == creds[0] && user.Password == creds[1] {
match = true
app.debug.Println("Found existing user")
userID = user.UserID
break
}
}
if !app.jellyfinLogin && !match {
app.info.Println("Auth denied: Invalid username/password")
respond(401, "Unauthorized", gc)
return
}
if !match {
var status int
var err error
var user map[string]interface{}
user, status, err = app.authJf.Authenticate(creds[0], creds[1])
if status != 200 || err != nil {
if status == 401 || status == 400 {
app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
respond(401, "Unauthorized", gc)
return
}
app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
respond(500, "Jellyfin error", gc)
return
}
match := false
for _, user := range app.users {
if user.Username == creds[0] && user.Password == creds[1] {
match = true
app.debug.Println("Found existing user")
userID = user.UserID
break
}
}
if !app.jellyfinLogin && !match {
app.info.Println("Auth denied: Invalid username/password")
respond(401, "Unauthorized", gc)
return
}
if !match {
var status int
var err error
var user map[string]interface{}
user, status, err = app.authJf.Authenticate(creds[0], creds[1])
if status != 200 || err != nil {
if status == 401 || status == 400 {
app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
respond(401, "Unauthorized", gc)
return
}
app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
respond(500, "Jellyfin error", gc)
jfID = user["Id"].(string)
if app.config.Section("ui").Key("admin_only").MustBool(true) {
if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])
respond(401, "Unauthorized", gc)
return
}
jfID = user["Id"].(string)
if app.config.Section("ui").Key("admin_only").MustBool(true) {
if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])
respond(401, "Unauthorized", gc)
return
}
}
// New users are only added when using jellyfinLogin.
userID = shortuuid.New()
newUser := User{
UserID: userID,
}
app.debug.Printf("Token generated for user \"%s\"", creds[0])
app.users = append(app.users, newUser)
}
valid = true
}
checkCookie := func() {
cookie, err := gc.Cookie("refresh")
if err == nil && cookie != "" {
for _, token := range app.invalidTokens {
if cookie == token {
if creds[0] == "" || creds[1] == "" {
app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
respond(401, "Unauthorized", gc)
noLogin = true
return
}
app.debug.Println("getToken: Invalid token but username/password provided")
return
}
}
token, err := jwt.Parse(cookie, checkToken)
if err != nil {
if creds[0] == "" || creds[1] == "" {
app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
respond(401, "Unauthorized", gc)
noLogin = true
return
}
app.debug.Println("getToken: Invalid token but username/password provided")
return
}
claims, ok := token.Claims.(jwt.MapClaims)
expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
if err != nil {
if creds[0] == "" || creds[1] == "" {
app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
respond(401, "Unauthorized", gc)
noLogin = true
return
}
app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
return
}
expiry := time.Unix(expiryUnix, 0)
if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
if creds[0] == "" || creds[1] == "" {
app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
respond(401, "Unauthorized", gc)
noLogin = true
return
}
app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
return
}
userID = claims["id"].(string)
jfID = claims["jfid"].(string)
valid = true
// New users are only added when using jellyfinLogin.
userID = shortuuid.New()
newUser := User{
UserID: userID,
}
app.debug.Printf("Token generated for user \"%s\"", creds[0])
app.users = append(app.users, newUser)
}
checkCookie()
if !valid && !noLogin {
checkLogin()
}
if valid {
token, refresh, err := CreateToken(userID, jfID)
if err != nil {
app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
respond(500, "Couldn't generate token", gc)
return
}
gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
gc.JSON(200, getTokenDTO{token})
} else {
gc.AbortWithStatus(401)
token, refresh, err := CreateToken(userID, jfID)
if err != nil {
app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
respond(500, "Couldn't generate token", gc)
return
}
gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
gc.JSON(200, getTokenDTO{token})
}
// @Summary Grabs an API token using a refresh token from cookies.
// @Produce json
// @Success 200 {object} getTokenDTO
// @Failure 401 {object} stringResponse
// @Router /token/refresh [get]
// @tags Auth
func (app *appContext) getTokenRefresh(gc *gin.Context) {
app.debug.Println("Token requested (refresh token)")
cookie, err := gc.Cookie("refresh")
if err != nil || cookie == "" {
app.debug.Printf("getTokenRefresh denied: Couldn't get token: %s", err)
respond(400, "Couldn't get token", gc)
return
}
for _, token := range app.invalidTokens {
if cookie == token {
app.debug.Println("getTokenRefresh: Invalid token")
respond(401, "Invalid token", gc)
return
}
}
token, err := jwt.Parse(cookie, checkToken)
if err != nil {
app.debug.Println("getTokenRefresh: Invalid token")
respond(400, "Invalid token", gc)
return
}
claims, ok := token.Claims.(jwt.MapClaims)
expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
if err != nil {
app.debug.Printf("getTokenRefresh: Invalid token expiry: %s", err)
respond(401, "Invalid token", gc)
return
}
expiry := time.Unix(expiryUnix, 0)
if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
app.debug.Printf("getTokenRefresh: Invalid token: %s", err)
respond(401, "Invalid token", gc)
return
}
userID := claims["id"].(string)
jfID := claims["jfid"].(string)
jwt, refresh, err := CreateToken(userID, jfID)
if err != nil {
app.err.Printf("getTokenRefresh failed: Couldn't generate token (%s)", err)
respond(500, "Couldn't generate token", gc)
return
}
gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
gc.JSON(200, getTokenDTO{jwt})
}

4
config/config-base.json
View File

@ -617,7 +617,7 @@
"description": "Deprecated in favor of User Profiles. Location of stored user policy template (json)."
},
"user_configuration": {
"name": "userConfiguration (Deprecated in favor of User Profiles.",
"name": "userConfiguration (Deprecated)",
"required": false,
"requires_restart": true,
"type": "text",
@ -625,7 +625,7 @@
"description": "Deprecated in favor of User Profiles. Location of stored user configuration template (used for setting homescreen layout) (json)"
},
"user_displayprefs": {
"name": "displayPreferences (Deprecated in favor of User Profiles.",
"name": "displayPreferences (Deprecated)",
"required": false,
"requires_restart": true,
"type": "text",

8
main.go
View File

@ -511,7 +511,8 @@ func start(asDaemon, firstCall bool) {
}
if !firstRun {
router.GET("/", app.AdminPage)
router.GET("/getToken", app.getToken)
router.GET("/token/login", app.getTokenLogin)
router.GET("/token/refresh", app.getTokenRefresh)
router.POST("/newUser", app.NewUser)
router.Use(static.Serve("/invite/", static.LocalFile(filepath.Join(app.local_path, "static"), false)))
router.GET("/invite/:invCode", app.InviteProxy)
@ -607,8 +608,9 @@ func flagPassed(name string) (found bool) {
// @license.url https://raw.githubusercontent.com/hrfee/jfa-go/main/LICENSE
// @BasePath /
// @securityDefinitions.basic ApiKeyBlankPassword
// @name ApiKeyBlankPassword
// @securityDefinitions.apikey Bearer
// @in header
// @name Authorization
// @securityDefinitions.basic getTokenAuth
// @name getTokenAuth

11
ts/admin.ts
View File

@ -121,8 +121,15 @@ window.toClipboard = (str: string): void => {
function login(username: string, password: string, modal: boolean, button?: HTMLButtonElement, run?: (arg0: number) => void): void {
const req = new XMLHttpRequest();
req.responseType = 'json';
req.open("GET", "/getToken", true);
req.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
let url = "/token/login";
const refresh = (username == "" && password == "");
if (refresh) {
url = "/token/refresh";
}
req.open("GET", url, true);
if (!refresh) {
req.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
}
req.onreadystatechange = function (): void {
if (this.readyState == 4) {
if (this.status != 200) {

6
ts/modules/common.ts
View File

@ -48,7 +48,7 @@ export const _get = (url: string, data: Object, onreadystatechange: () => void):
let req = new XMLHttpRequest();
req.open("GET", url, true);
req.responseType = 'json';
req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
req.onreadystatechange = onreadystatechange;
req.send(JSON.stringify(data));
@ -60,7 +60,7 @@ export const _post = (url: string, data: Object, onreadystatechange: () => void,
if (response) {
req.responseType = 'json';
}
req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
req.onreadystatechange = onreadystatechange;
req.send(JSON.stringify(data));
@ -69,7 +69,7 @@ export const _post = (url: string, data: Object, onreadystatechange: () => void,
export function _delete(url: string, data: Object, onreadystatechange: () => void): void {
let req = new XMLHttpRequest();
req.open("DELETE", url, true);
req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
req.onreadystatechange = onreadystatechange;
req.send(JSON.stringify(data));