use Bearer auth instead of Basic

this was a relic from the python version, i'd modeled the auth code off some random blog post back then.
2024-12-22 17:10:10 +00:00 · 2020-11-12 21:04:35 +00:00 · 2020-11-12 21:04:35 +00:00 · d64e98da37
commit d64e98da37
parent ba601935b5
6 changed files with 147 additions and 157 deletions
--- a/api.go
+++ b/api.go
@ -232,7 +232,7 @@ func (app *appContext) getOmbiUser(jfID string) (map[string]interface{}, int, er
 // @Param newUserDTO body newUserDTO true "New user request object"
 // @Success 200
 // @Router /users [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Users
 func (app *appContext) NewUserAdmin(gc *gin.Context) {
 	var req newUserDTO
@ -411,7 +411,7 @@ func (app *appContext) NewUser(gc *gin.Context) {
 // @Failure 400 {object} stringResponse
 // @Failure 500 {object} errorListDTO "List of errors"
 // @Router /users [delete]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Users
 func (app *appContext) DeleteUser(gc *gin.Context) {
 	var req deleteUserDTO
@ -475,7 +475,7 @@ func (app *appContext) DeleteUser(gc *gin.Context) {
 // @Param generateInviteDTO body generateInviteDTO true "New invite request object"
 // @Success 200 {object} boolResponse
 // @Router /invites [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Invites
 func (app *appContext) GenerateInvite(gc *gin.Context) {
 	var req generateInviteDTO
@ -538,7 +538,7 @@ func (app *appContext) GenerateInvite(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 500 {object} stringResponse
 // @Router /invites/profile [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) SetProfile(gc *gin.Context) {
 	var req inviteProfileDTO
@ -561,7 +561,7 @@ func (app *appContext) SetProfile(gc *gin.Context) {
 // @Produce json
 // @Success 200 {object} getProfilesDTO
 // @Router /profiles [get]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) GetProfiles(gc *gin.Context) {
 	app.storage.loadProfiles()
@ -586,7 +586,7 @@ func (app *appContext) GetProfiles(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 500 {object} stringResponse
 // @Router /profiles/default [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) SetDefaultProfile(gc *gin.Context) {
 	req := profileChangeDTO{}
@ -615,7 +615,7 @@ func (app *appContext) SetDefaultProfile(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 500 {object} stringResponse
 // @Router /profiles [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) CreateProfile(gc *gin.Context) {
 	app.info.Println("Profile creation requested")
@ -655,7 +655,7 @@ func (app *appContext) CreateProfile(gc *gin.Context) {
 // @Param profileChangeDTO body profileChangeDTO true "Delete profile object"
 // @Success 200 {object} boolResponse
 // @Router /profiles [delete]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) DeleteProfile(gc *gin.Context) {
 	req := profileChangeDTO{}
@ -672,7 +672,7 @@ func (app *appContext) DeleteProfile(gc *gin.Context) {
 // @Produce json
 // @Success 200 {object} getInvitesDTO
 // @Router /invites [get]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Invites
 func (app *appContext) GetInvites(gc *gin.Context) {
 	app.debug.Println("Invites requested")
@ -749,7 +749,7 @@ func (app *appContext) GetInvites(gc *gin.Context) {
 // @Failure 400 {object} stringResponse
 // @Failure 500 {object} stringResponse
 // @Router /invites/notify [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Other
 func (app *appContext) SetNotify(gc *gin.Context) {
 	var req map[string]map[string]bool
@ -811,7 +811,7 @@ func (app *appContext) SetNotify(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 400 {object} stringResponse
 // @Router /invites [delete]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Invites
 func (app *appContext) DeleteInvite(gc *gin.Context) {
 	var req deleteInviteDTO
@ -847,7 +847,7 @@ func parseDt(date string) time.Time {
 // @Success 200 {object} getUsersDTO
 // @Failure 500 {object} stringResponse
 // @Router /users [get]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Users
 func (app *appContext) GetUsers(gc *gin.Context) {
 	app.debug.Println("Users requested")
@ -884,7 +884,7 @@ func (app *appContext) GetUsers(gc *gin.Context) {
 // @Success 200 {object} ombiUsersDTO
 // @Failure 500 {object} stringResponse
 // @Router /ombi/users [get]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Ombi
 func (app *appContext) OmbiUsers(gc *gin.Context) {
 	app.debug.Println("Ombi users requested")
@ -911,7 +911,7 @@ func (app *appContext) OmbiUsers(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 500 {object} stringResponse
 // @Router /ombi/defaults [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Ombi
 func (app *appContext) SetOmbiDefaults(gc *gin.Context) {
 	var req ombiUser
@ -933,7 +933,7 @@ func (app *appContext) SetOmbiDefaults(gc *gin.Context) {
 // @Success 200 {object} boolResponse
 // @Failure 500 {object} stringResponse
 // @Router /users/emails [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Users
 func (app *appContext) ModifyEmails(gc *gin.Context) {
 	var req modifyEmailsDTO
@ -974,7 +974,7 @@ func (app *appContext) ModifyEmails(gc *gin.Context) {
 // @Success 200 {object} errorListDTO
 // @Failure 500 {object} errorListDTO "Lists of errors that occured while applying settings"
 // @Router /users/settings [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Profiles & Settings
 func (app *appContext) ApplySettings(gc *gin.Context) {
 	app.info.Println("User settings change requested")
@ -1058,7 +1058,7 @@ func (app *appContext) ApplySettings(gc *gin.Context) {
 // @Produce json
 // @Success 200 {object} configDTO "Uses the same format as config-base.json"
 // @Router /config [get]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Configuration
 func (app *appContext) GetConfig(gc *gin.Context) {
 	app.info.Println("Config requested")
@ -1118,7 +1118,7 @@ func (app *appContext) GetConfig(gc *gin.Context) {
 // @Param appConfig body configDTO true "Config split into sections as in config.ini, all values as strings."
 // @Success 200 {object} boolResponse
 // @Router /config [post]
-// @Security ApiKeyBlankPassword
+// @Security Bearer
 // @tags Configuration
 func (app *appContext) ModifyConfig(gc *gin.Context) {
 	app.info.Println("Config modification requested")
--- a/auth.go
+++ b/auth.go
@ -46,14 +46,13 @@ func CreateToken(userId, jfId string) (string, string, error) {
 // Check header for token
 func (app *appContext) authenticate(gc *gin.Context) {
 	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
-	if header[0] != "Basic" {
-		app.debug.Println("Invalid authentication header")
+	if header[0] != "Bearer" {
+		app.debug.Println("Invalid authorization header")
 		respond(401, "Unauthorized", gc)
 		return
 	}
-	auth, _ := base64.StdEncoding.DecodeString(header[1])
-	creds := strings.SplitN(string(auth), ":", 2)
-	token, err := jwt.Parse(creds[0], checkToken)
+	creds, _ := base64.StdEncoding.DecodeString(header[1])
+	token, err := jwt.Parse(string(creds), checkToken)
 	if err != nil {
 		app.debug.Printf("Auth denied: %s", err)
 		respond(401, "Unauthorized", gc)
@ -103,26 +102,20 @@ type getTokenDTO struct {
 	Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
 }

-// getToken checks the header for a username and password, as well as checking the refresh cookie.
-
-// @Summary Grabs an API token using username & password, or via a refresh cookie.
-// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and use the token as your -Username-. The password can be anything.
+// @Summary Grabs an API token using username & password.
+// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and set the API key as "Bearer <your api key>".
 // @Produce json
 // @Success 200 {object} getTokenDTO
 // @Failure 401 {object} stringResponse
-// @Router /getToken [get]
+// @Router /token/login [get]
 // @tags Auth
 // @Security getTokenAuth
-func (app *appContext) getToken(gc *gin.Context) {
+func (app *appContext) getTokenLogin(gc *gin.Context) {
 	app.info.Println("Token requested (login attempt)")
 	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
 	auth, _ := base64.StdEncoding.DecodeString(header[1])
 	creds := strings.SplitN(string(auth), ":", 2)
-	// check cookie first
 	var userID, jfID string
-	valid := false
-	noLogin := false
-	checkLogin := func() {
 	if creds[0] == "" || creds[1] == "" {
 		app.debug.Println("Auth denied: blank username/password")
 		respond(401, "Unauthorized", gc)
@ -173,67 +166,6 @@ func (app *appContext) getToken(gc *gin.Context) {
 		app.debug.Printf("Token generated for user \"%s\"", creds[0])
 		app.users = append(app.users, newUser)
 	}
-		valid = true
-	}
-	checkCookie := func() {
-		cookie, err := gc.Cookie("refresh")
-		if err == nil && cookie != "" {
-			for _, token := range app.invalidTokens {
-				if cookie == token {
-					if creds[0] == "" || creds[1] == "" {
-						app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
-						respond(401, "Unauthorized", gc)
-						noLogin = true
-						return
-					}
-					app.debug.Println("getToken: Invalid token but username/password provided")
-					return
-				}
-			}
-			token, err := jwt.Parse(cookie, checkToken)
-			if err != nil {
-				if creds[0] == "" || creds[1] == "" {
-					app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
-					respond(401, "Unauthorized", gc)
-					noLogin = true
-					return
-				}
-				app.debug.Println("getToken: Invalid token but username/password provided")
-				return
-			}
-			claims, ok := token.Claims.(jwt.MapClaims)
-			expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
-			if err != nil {
-				if creds[0] == "" || creds[1] == "" {
-					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
-					respond(401, "Unauthorized", gc)
-					noLogin = true
-					return
-				}
-				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
-				return
-			}
-			expiry := time.Unix(expiryUnix, 0)
-			if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
-				if creds[0] == "" || creds[1] == "" {
-					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
-					respond(401, "Unauthorized", gc)
-					noLogin = true
-					return
-				}
-				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
-				return
-			}
-			userID = claims["id"].(string)
-			jfID = claims["jfid"].(string)
-			valid = true
-		}
-	}
-	checkCookie()
-	if !valid && !noLogin {
-		checkLogin()
-	}
-	if valid {
 	token, refresh, err := CreateToken(userID, jfID)
 	if err != nil {
 		app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
@ -242,7 +174,56 @@ func (app *appContext) getToken(gc *gin.Context) {
 	}
 	gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
 	gc.JSON(200, getTokenDTO{token})
-	} else {
-		gc.AbortWithStatus(401)
-	}
+}
+
+// @Summary Grabs an API token using a refresh token from cookies.
+// @Produce json
+// @Success 200 {object} getTokenDTO
+// @Failure 401 {object} stringResponse
+// @Router /token/refresh [get]
+// @tags Auth
+func (app *appContext) getTokenRefresh(gc *gin.Context) {
+	app.debug.Println("Token requested (refresh token)")
+	cookie, err := gc.Cookie("refresh")
+	if err != nil || cookie == "" {
+		app.debug.Printf("getTokenRefresh denied: Couldn't get token: %s", err)
+		respond(400, "Couldn't get token", gc)
+		return
+	}
+	for _, token := range app.invalidTokens {
+		if cookie == token {
+			app.debug.Println("getTokenRefresh: Invalid token")
+			respond(401, "Invalid token", gc)
+			return
+		}
+	}
+	token, err := jwt.Parse(cookie, checkToken)
+	if err != nil {
+		app.debug.Println("getTokenRefresh: Invalid token")
+		respond(400, "Invalid token", gc)
+		return
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
+	if err != nil {
+		app.debug.Printf("getTokenRefresh: Invalid token expiry: %s", err)
+		respond(401, "Invalid token", gc)
+		return
+	}
+	expiry := time.Unix(expiryUnix, 0)
+	if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
+		app.debug.Printf("getTokenRefresh: Invalid token: %s", err)
+		respond(401, "Invalid token", gc)
+		return
+	}
+	userID := claims["id"].(string)
+	jfID := claims["jfid"].(string)
+	jwt, refresh, err := CreateToken(userID, jfID)
+	if err != nil {
+		app.err.Printf("getTokenRefresh failed: Couldn't generate token (%s)", err)
+		respond(500, "Couldn't generate token", gc)
+		return
+	}
+	gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
+	gc.JSON(200, getTokenDTO{jwt})
 }
--- a/config/config-base.json
+++ b/config/config-base.json
@ -617,7 +617,7 @@
            "description": "Deprecated in favor of User Profiles. Location of stored user policy template (json)."
        },
        "user_configuration": {
-            "name": "userConfiguration (Deprecated in favor of User Profiles.",
+            "name": "userConfiguration (Deprecated)",
            "required": false,
            "requires_restart": true,
            "type": "text",
@ -625,7 +625,7 @@
            "description": "Deprecated in favor of User Profiles. Location of stored user configuration template (used for setting homescreen layout) (json)"
        },
        "user_displayprefs": {
-            "name": "displayPreferences (Deprecated in favor of User Profiles.",
+            "name": "displayPreferences (Deprecated)",
            "required": false,
            "requires_restart": true,
            "type": "text",
--- a/main.go
+++ b/main.go
@ -511,7 +511,8 @@ func start(asDaemon, firstCall bool) {
 	}
 	if !firstRun {
 		router.GET("/", app.AdminPage)
-		router.GET("/getToken", app.getToken)
+		router.GET("/token/login", app.getTokenLogin)
+		router.GET("/token/refresh", app.getTokenRefresh)
 		router.POST("/newUser", app.NewUser)
 		router.Use(static.Serve("/invite/", static.LocalFile(filepath.Join(app.local_path, "static"), false)))
 		router.GET("/invite/:invCode", app.InviteProxy)
@ -607,8 +608,9 @@ func flagPassed(name string) (found bool) {
 // @license.url https://raw.githubusercontent.com/hrfee/jfa-go/main/LICENSE
 // @BasePath /

-// @securityDefinitions.basic ApiKeyBlankPassword
-// @name ApiKeyBlankPassword
+// @securityDefinitions.apikey Bearer
+// @in header
+// @name Authorization

 // @securityDefinitions.basic getTokenAuth
 // @name getTokenAuth
--- a/ts/admin.ts
+++ b/ts/admin.ts
@ -121,8 +121,15 @@ window.toClipboard = (str: string): void => {
 function login(username: string, password: string, modal: boolean, button?: HTMLButtonElement, run?: (arg0: number) => void): void {
    const req = new XMLHttpRequest();
    req.responseType = 'json';
-    req.open("GET", "/getToken", true);
+    let url = "/token/login";
+    const refresh = (username == "" && password == "");
+    if (refresh) {
+        url = "/token/refresh";
+    }
+    req.open("GET", url, true);
+    if (!refresh) {
        req.setRequestHeader("Authorization", "Basic " + btoa(username + ":" + password));
+    }
    req.onreadystatechange = function (): void {
        if (this.readyState == 4) {
            if (this.status != 200) {
--- a/ts/modules/common.ts
+++ b/ts/modules/common.ts
@ -48,7 +48,7 @@ export const _get = (url: string, data: Object, onreadystatechange: () => void):
    let req = new XMLHttpRequest();
    req.open("GET", url, true);
    req.responseType = 'json';
-    req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
+    req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
    req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
    req.onreadystatechange = onreadystatechange;
    req.send(JSON.stringify(data));
@ -60,7 +60,7 @@ export const _post = (url: string, data: Object, onreadystatechange: () => void,
    if (response) {
        req.responseType = 'json';
    }
-    req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
+    req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
    req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
    req.onreadystatechange = onreadystatechange;
    req.send(JSON.stringify(data));
@ -69,7 +69,7 @@ export const _post = (url: string, data: Object, onreadystatechange: () => void,
 export function _delete(url: string, data: Object, onreadystatechange: () => void): void {
    let req = new XMLHttpRequest();
    req.open("DELETE", url, true);
-    req.setRequestHeader("Authorization", "Basic " + btoa(window.token + ":"));
+    req.setRequestHeader("Authorization", "Bearer " + btoa(window.token));
    req.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
    req.onreadystatechange = onreadystatechange;
    req.send(JSON.stringify(data));