kenmirrors/grocy
1
0
Fork 0
mirror of https://github.com/grocy/grocy.git synced 2025-04-29 01:32:38 +00:00
Code Issues Projects Releases Wiki Activity

Refactor Authentication and add proxy-authentication (#921)

Browse Source 
* Refactor Authentication-Middlewares

* Add Proxy-Authentication

* Disable "Logout" & "Manage Users" when using ProxyAuth

* Review

Co-authored-by: Bernd Bestel <bernd@berrnd.de>
This commit is contained in:
fipwmaqzufheoxq92ebc 2020-08-19 19:23:13 +02:00 committed by GitHub
parent 5b475d9307
commit d60d981fd1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 247 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app.php
View File

@ -19,6 +19,7 @@ require_once __DIR__ . '/config-dist.php'; // For not in own config defined valu
if ((GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease') && !defined('GROCY_USER_ID')) if ((GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease') && !defined('GROCY_USER_ID'))
{ {
define('GROCY_USER_ID', 1); define('GROCY_USER_ID', 1);
define('GROCY_SHOW_AUTH_VIEWS', true);
} }
// Definitions for disabled authentication mode // Definitions for disabled authentication mode
@ -28,6 +29,7 @@ if (GROCY_DISABLE_AUTH === true)
{ {
define('GROCY_USER_ID', 1); define('GROCY_USER_ID', 1);
} }
define('GROCY_SHOW_AUTH_VIEWS', false);
} }
// Setup base application // Setup base application

8
config-dist.php
View File

@ -66,6 +66,14 @@ Setting('ENTRY_PAGE', 'stock');
# places where user context is needed will then use the default (first existing) user # places where user context is needed will then use the default (first existing) user
Setting('DISABLE_AUTH', false); Setting('DISABLE_AUTH', false);
# Either "Grocy\Middleware\DefaultAuthMiddleware", "Grocy\Middleware\ReverseProxyAuthMiddleware"
# or any class that implements Grocy\Middleware\AuthMiddleware
Setting('AUTH_CLASS', 'Grocy\Middleware\DefaultAuthMiddleware');
# When using ReverseProxyAuthMiddleware,
# the name of the HTTP header which your reverse proxy uses to pass the username (on successful authentication)
Setting('REVERSE_PROXY_AUTH_HEADER', 'REMOTE_USER');
# Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API) # Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API)
Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false); Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false);

139
middleware/ApiKeyAuthMiddleware.php
View File

@ -2,104 +2,75 @@
namespace Grocy\Middleware; namespace Grocy\Middleware;
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Psr\Http\Message\ResponseInterface as Response;
use Slim\Routing\RouteContext; use Slim\Routing\RouteContext;
use Grocy\Services\SessionService;
use Grocy\Services\ApiKeyService; use Grocy\Services\ApiKeyService;
class ApiKeyAuthMiddleware extends BaseMiddleware class ApiKeyAuthMiddleware extends AuthMiddleware
{ {
public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName) public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
{ {
parent::__construct($container); parent::__construct($container, $responseFactory);
$this->SessionCookieName = $sessionCookieName; $this->ApiKeyHeaderName = $this->AppContainer->get('ApiKeyHeaderName');
$this->ApiKeyHeaderName = $apiKeyHeaderName; }
}
protected $SessionCookieName; protected $ApiKeyHeaderName;
protected $ApiKeyHeaderName;
public function __invoke(Request $request, RequestHandler $handler): Response function authenticate(Request $request)
{ {
$routeContext = RouteContext::fromRequest($request); if (!defined('GROCY_SHOW_AUTH_VIEWS'))
$route = $routeContext->getRoute(); {
$routeName = $route->getName(); define('GROCY_SHOW_AUTH_VIEWS', true);
}
if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH) $routeContext = RouteContext::fromRequest($request);
{ $route = $routeContext->getRoute();
define('GROCY_AUTHENTICATED', true); $routeName = $route->getName();
$response = $handler->handle($request);
}
else
{
$validSession = true;
$validApiKey = true;
$usedApiKey = null;
$sessionService = SessionService::getInstance(); $validApiKey = true;
if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName])) $usedApiKey = null;
{
$validSession = false;
}
$apiKeyService = new ApiKeyService(); $apiKeyService = new ApiKeyService();
// First check of the API key in the configured header // First check of the API key in the configured header
if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName))) if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
{ {
$validApiKey = false; $validApiKey = false;
} }
else else
{ {
$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName); $usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
} }
// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header) // Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName))) if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
{ {
$validApiKey = true; $validApiKey = true;
$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName); $usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
} }
// Handling of special purpose API keys // Handling of special purpose API keys
if (!$validApiKey) if (!$validApiKey)
{ {
if ($routeName === 'calendar-ical') if ($routeName === 'calendar-ical')
{ {
if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL)) if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
{ {
$validApiKey = true; $validApiKey = true;
} }
} }
} }
if (!$validSession && !$validApiKey) if ($validApiKey)
{ {
define('GROCY_AUTHENTICATED', false); return $apiKeyService->GetUserByApiKey($usedApiKey);
$response = new \Slim\Psr7\Response(); // No content when unauthorized
$response = $response->withStatus(401);
}
elseif ($validApiKey)
{
$user = $apiKeyService->GetUserByApiKey($usedApiKey);
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_ID', $user->id);
$response = $handler->handle($request); }
} else
elseif ($validSession) {
{ return null;
$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]); }
define('GROCY_AUTHENTICATED', true); }
define('GROCY_USER_ID', $user->id);
$response = $handler->handle($request);
}
}
return $response;
}
} }

84
middleware/AuthMiddleware.php Normal file
View File

@ -0,0 +1,84 @@
<?php
namespace Grocy\Middleware;
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Slim\Routing\RouteContext;
use Grocy\Services\SessionService;
abstract class AuthMiddleware extends BaseMiddleware
{
public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
{
parent::__construct($container);
$this->ResponseFactory = $responseFactory;
}
protected $ResponseFactory;
public function __invoke(Request $request, RequestHandler $handler): Response
{
$routeContext = RouteContext::fromRequest($request);
$route = $routeContext->getRoute();
$routeName = $route->getName();
$isApiRoute = string_starts_with($request->getUri()->getPath(), '/api/');
if ($routeName === 'root')
{
return $handler->handle($request);
}
else if ($routeName === 'login')
{
define('GROCY_AUTHENTICATED', false);
return $handler->handle($request);
}
if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
{
$sessionService = SessionService::getInstance();
$user = $sessionService->GetDefaultUser();
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_USERNAME', $user->username);
return $handler->handle($request);
}
else
{
$user = $this->authenticate($request);
if ($user === null)
{
define('GROCY_AUTHENTICATED', false);
$response = $this->ResponseFactory->createResponse();
if ($isApiRoute)
{
return $response->withStatus(401);
}
else
{
return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
}
}
else
{
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_ID', $user->id);
define('GROCY_USER_USERNAME', $user->username);
return $response = $handler->handle($request);
}
}
}
/**
* @param Request $request
* @return mixed|null the user row or null if the request is not authenticated
* @throws \Exception Throws an \Exception if config is invalid.
*/
protected abstract function authenticate(Request $request);
}

24
middleware/DefaultAuthMiddleware.php Normal file
View File

@ -0,0 +1,24 @@
<?php
namespace Grocy\Middleware;
use Psr\Http\Message\ServerRequestInterface as Request;
class DefaultAuthMiddleware extends AuthMiddleware
{
protected function authenticate(Request $request)
{
// First try to authenticate by API key
$auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory);
$user = $auth->authenticate($request);
if ($user !== null)
{
return $user;
}
// Then by session cookie
$auth = new SessionAuthMiddleware($this->AppContainer, $this->ResponseFactory);
$user = $auth->authenticate($request);
return $user;
}
}

40
middleware/ReverseProxyAuthMiddleware.php Normal file
View File

@ -0,0 +1,40 @@
<?php
namespace Grocy\Middleware;
use Psr\Http\Message\ServerRequestInterface as Request;
use Grocy\Services\DatabaseService;
use Grocy\Services\UsersService;
class ReverseProxyAuthMiddleware extends AuthMiddleware
{
function authenticate(Request $request)
{
if (!defined('GROCY_SHOW_AUTH_VIEWS'))
{
define('GROCY_SHOW_AUTH_VIEWS', false);
}
$db = DatabaseService::getInstance()->GetDbConnection();
$username = $request->getHeader(GROCY_REVERSE_PROXY_AUTH_HEADER);
if (count($username) !== 1)
{
// Invalid configuration of Proxy
throw new \Exception("ReverseProxyAuthMiddleware: Invalid username from proxy: " . var_dump($username));
}
$username = $username[0];
$user = $db->users()->where('username', $username)->fetch();
if ($user == null)
{
$user = UsersService::getInstance()->CreateUser($username, '', '', '');
}
return $user;
}
}

85
middleware/SessionAuthMiddleware.php
View File

@ -1,73 +1,38 @@
<?php <?php
namespace Grocy\Middleware; namespace Grocy\Middleware;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Psr\Http\Message\ResponseFactoryInterface; use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ServerRequestInterface as Request;
use Slim\Routing\RouteContext;
use Grocy\Services\SessionService; use Grocy\Services\SessionService;
use Grocy\Services\LocalizationService;
class SessionAuthMiddleware extends BaseMiddleware class SessionAuthMiddleware extends AuthMiddleware
{ {
public function __construct(\DI\Container $container, string $sessionCookieName, ResponseFactoryInterface $responseFactory) public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
{ {
parent::__construct($container); parent::__construct($container, $responseFactory);
$this->SessionCookieName = $sessionCookieName; $this->SessionCookieName = $this->AppContainer->get('LoginControllerInstance')->GetSessionCookieName();
$this->ResponseFactory = $responseFactory; }
}
protected $SessionCookieName; protected $SessionCookieName;
protected $ResponseFactory;
public function __invoke(Request $request, RequestHandler $handler): Response function authenticate(Request $request)
{ {
$routeContext = RouteContext::fromRequest($request); if (!defined('GROCY_SHOW_AUTH_VIEWS'))
$route = $routeContext->getRoute(); {
$routeName = $route->getName(); define('GROCY_SHOW_AUTH_VIEWS', true);
$sessionService = SessionService::getInstance(); }
if ($routeName === 'root') $sessionService = SessionService::getInstance();
{ if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
$response = $handler->handle($request); {
} return null;
elseif (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH) }
{ else
$user = $sessionService->GetDefaultUser(); {
define('GROCY_AUTHENTICATED', true); return $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
define('GROCY_USER_USERNAME', $user->username); }
}
$response = $handler->handle($request);
}
else
{
if ((!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName])) && $routeName !== 'login')
{
define('GROCY_AUTHENTICATED', false);
$response = $this->ResponseFactory->createResponse();
return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
}
else
{
if ($routeName !== 'login')
{
$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
define('GROCY_AUTHENTICATED', true);
define('GROCY_USER_USERNAME', $user->username);
define('GROCY_USER_ID', $user->id);
}
else
{
define('GROCY_AUTHENTICATED', false);
}
$response = $handler->handle($request);
}
}
return $response;
}
} }

9
routes.php
View File

@ -1,13 +1,14 @@
<?php <?php
use Grocy\Middleware\AuthMiddleware;
use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ResponseInterface as Response;
use Slim\Routing\RouteCollectorProxy; use Slim\Routing\RouteCollectorProxy;
use Grocy\Middleware\JsonMiddleware; use Grocy\Middleware\JsonMiddleware;
use Grocy\Middleware\CorsMiddleware; use Grocy\Middleware\CorsMiddleware;
use Grocy\Middleware\SessionAuthMiddleware;
use Grocy\Middleware\ApiKeyAuthMiddleware; $authMiddlewareClass = GROCY_AUTH_CLASS;
$app->group('', function(RouteCollectorProxy $group) $app->group('', function(RouteCollectorProxy $group)
{ {
@ -134,7 +135,7 @@ $app->group('', function(RouteCollectorProxy $group)
$group->get('/api', '\Grocy\Controllers\OpenApiController:DocumentationUi'); $group->get('/api', '\Grocy\Controllers\OpenApiController:DocumentationUi');
$group->get('/manageapikeys', '\Grocy\Controllers\OpenApiController:ApiKeysList'); $group->get('/manageapikeys', '\Grocy\Controllers\OpenApiController:ApiKeysList');
$group->get('/manageapikeys/new', '\Grocy\Controllers\OpenApiController:CreateNewApiKey'); $group->get('/manageapikeys/new', '\Grocy\Controllers\OpenApiController:CreateNewApiKey');
})->add(new SessionAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $app->getResponseFactory())); })->add(new $authMiddlewareClass($container, $app->getResponseFactory()));
$app->group('/api', function(RouteCollectorProxy $group) $app->group('/api', function(RouteCollectorProxy $group)
{ {
@ -255,7 +256,7 @@ $app->group('/api', function(RouteCollectorProxy $group)
$group->get('/calendar/ical/sharing-link', '\Grocy\Controllers\CalendarApiController:IcalSharingLink'); $group->get('/calendar/ical/sharing-link', '\Grocy\Controllers\CalendarApiController:IcalSharingLink');
} }
})->add(JsonMiddleware::class) })->add(JsonMiddleware::class)
->add(new ApiKeyAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $container->get('ApiKeyHeaderName'))); ->add(new $authMiddlewareClass($container, $app->getResponseFactory()));
// Handle CORS preflight OPTIONS requests // Handle CORS preflight OPTIONS requests
$app->options('/api/{routes:.+}', function(Request $request, Response $response): Response $app->options('/api/{routes:.+}', function(Request $request, Response $response): Response

2
services/UsersService.php
View File

@ -12,7 +12,7 @@ class UsersService extends BaseService
'last_name' => $lastName, 'last_name' => $lastName,
'password' => password_hash($password, PASSWORD_DEFAULT) 'password' => password_hash($password, PASSWORD_DEFAULT)
)); ));
$newUserRow->save(); return $newUserRow->save();
} }
public function EditUser(int $userId, string $username, string $firstName, string $lastName, string $password) public function EditUser(int $userId, string $username, string $firstName, string $lastName, string $password)

4
views/layout/default.blade.php
View File

@ -313,7 +313,7 @@
</ul> </ul>
<ul class="navbar-nav ml-auto"> <ul class="navbar-nav ml-auto">
@if(GROCY_AUTHENTICATED === true && !GROCY_IS_EMBEDDED_INSTALL) @if(GROCY_AUTHENTICATED === true && !GROCY_IS_EMBEDDED_INSTALL && GROCY_SHOW_AUTH_VIEWS)
<li class="nav-item dropdown"> <li class="nav-item dropdown">
<a class="nav-link dropdown-toggle discrete-link" href="#" data-toggle="dropdown"><i class="fas fa-user"></i> {{ GROCY_USER_USERNAME }}</a> <a class="nav-link dropdown-toggle discrete-link" href="#" data-toggle="dropdown"><i class="fas fa-user"></i> {{ GROCY_USER_USERNAME }}</a>
@ -416,9 +416,11 @@
<a class="dropdown-item discrete-link" href="{{ $U('/taskssettings') }}"><i class="fas fa-tasks"></i>&nbsp;{{ $__t('Tasks settings') }}</a> <a class="dropdown-item discrete-link" href="{{ $U('/taskssettings') }}"><i class="fas fa-tasks"></i>&nbsp;{{ $__t('Tasks settings') }}</a>
@endif @endif
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
@if(GROCY_SHOW_AUTH_VIEWS)
<a class="dropdown-item discrete-link" href="{{ $U('/users') }}"><i class="fas fa-users"></i>&nbsp;{{ $__t('Manage users') }}</a> <a class="dropdown-item discrete-link" href="{{ $U('/users') }}"><i class="fas fa-users"></i>&nbsp;{{ $__t('Manage users') }}</a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>
<a class="dropdown-item discrete-link" href="{{ $U('/manageapikeys') }}"><i class="fas fa-handshake"></i>&nbsp;{{ $__t('Manage API keys') }}</a> <a class="dropdown-item discrete-link" href="{{ $U('/manageapikeys') }}"><i class="fas fa-handshake"></i>&nbsp;{{ $__t('Manage API keys') }}</a>
@endif
<a class="dropdown-item discrete-link" target="_blank" href="{{ $U('/api') }}"><i class="fas fa-book"></i>&nbsp;{{ $__t('REST API & data model documentation') }}</a> <a class="dropdown-item discrete-link" target="_blank" href="{{ $U('/api') }}"><i class="fas fa-book"></i>&nbsp;{{ $__t('REST API & data model documentation') }}</a>
<a class="dropdown-item discrete-link" href="{{ $U('/barcodescannertesting') }}"><i class="fas fa-barcode"></i>&nbsp;{{ $__t('Barcode scanner testing') }}</a> <a class="dropdown-item discrete-link" href="{{ $U('/barcodescannertesting') }}"><i class="fas fa-barcode"></i>&nbsp;{{ $__t('Barcode scanner testing') }}</a>
<div class="dropdown-divider"></div> <div class="dropdown-divider"></div>