mirror of
https://github.com/yusing/godoxy.git
synced 2025-05-20 12:42:34 +02:00
fb0dc7dea0
* implement OIDC middleware * auth code cleanup * allow override allowed_user in middleware, fix typos * fix tests and callbackURL * update next release docs * fix OIDC middleware not working with Authentik * feat: add groups support for OIDC claims (#41) Allow users to specify allowed groups in the env and use it to inspect the claims. This performs a logical AND of users and groups (additive). * merge feat/oidc-middleware (#49) * api: enrich provider statistifcs * fix: docker monitor now uses container status * Feat/auto schemas (#48) * use auto generated schemas * go version bump and dependencies upgrade * clarify some error messages --------- Co-authored-by: yusing <yusing@6uo.me> * cleanup some loadbalancer code * api: cleanup websocket code * api: add /v1/health/ws for health bubbles on dashboard * feat: experimental memory logger and logs api for WebUI --------- Co-authored-by: yusing <yusing@6uo.me> --------- Co-authored-by: yusing <yusing@6uo.me> Co-authored-by: Peter Olds <peter@olds.co>
70 lines
1.6 KiB
Go
70 lines
1.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"net"
|
|
"net/http"
|
|
"time"
|
|
|
|
E "github.com/yusing/go-proxy/internal/error"
|
|
"github.com/yusing/go-proxy/internal/utils/strutils"
|
|
)
|
|
|
|
var (
|
|
ErrMissingToken = E.New("missing token")
|
|
ErrInvalidToken = E.New("invalid token")
|
|
ErrUserNotAllowed = E.New("user not allowed")
|
|
)
|
|
|
|
// cookieFQDN returns the fully qualified domain name of the request host
|
|
// with subdomain stripped.
|
|
//
|
|
// If the request host does not have a subdomain,
|
|
// an empty string is returned
|
|
//
|
|
// "abc.example.com" -> "example.com"
|
|
// "example.com" -> ""
|
|
func cookieFQDN(r *http.Request) string {
|
|
host, _, err := net.SplitHostPort(r.Host)
|
|
if err != nil {
|
|
host = r.Host
|
|
}
|
|
parts := strutils.SplitRune(host, '.')
|
|
if len(parts) < 2 {
|
|
return ""
|
|
}
|
|
parts[0] = ""
|
|
return strutils.JoinRune(parts, '.')
|
|
}
|
|
|
|
func setTokenCookie(w http.ResponseWriter, r *http.Request, name, value string, ttl time.Duration) {
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: name,
|
|
Value: value,
|
|
MaxAge: int(ttl.Seconds()),
|
|
Domain: cookieFQDN(r),
|
|
HttpOnly: true,
|
|
Secure: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Path: "/",
|
|
})
|
|
}
|
|
|
|
func clearTokenCookie(w http.ResponseWriter, r *http.Request, name string) {
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: name,
|
|
Value: "",
|
|
MaxAge: -1,
|
|
Domain: cookieFQDN(r),
|
|
HttpOnly: true,
|
|
Secure: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Path: "/",
|
|
})
|
|
}
|
|
|
|
func LogoutCallbackHandler(auth Provider) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
clearTokenCookie(w, r, auth.TokenCookieName())
|
|
auth.RedirectLoginPage(w, r)
|
|
}
|
|
}
|