mirror of
https://github.com/Threnklyn/wg-ui.git
synced 2026-06-07 14:03:33 +02:00
Implement auth using oauth2_proxy w/headers
This commit is contained in:
Daniel Lundin
@@ -14,7 +14,6 @@ import (
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/dgrijalva/jwt-go"
|
||||
"github.com/elazarl/go-bindata-assetfs"
|
||||
"github.com/google/nftables"
|
||||
"github.com/google/nftables/expr"
|
||||
@@ -30,9 +29,10 @@ import (
|
||||
var (
|
||||
dataDir = kingpin.Flag("data-dir", "Directory used for storage").Default("/var/lib/wireguard-ui").String()
|
||||
|
||||
listenAddr = kingpin.Flag("listen-address", "Address to listen to").Default(":8080").String()
|
||||
natLink = kingpin.Flag("nat-device", "Network interface to masquerade").Default("wlp2s0").String()
|
||||
clientIPRange = kingpin.Flag("client-ip-range", "Client IP CIDR").Default("172.72.72.1/24").String()
|
||||
listenAddr = kingpin.Flag("listen-address", "Address to listen to").Default(":8080").String()
|
||||
natLink = kingpin.Flag("nat-device", "Network interface to masquerade").Default("wlp2s0").String()
|
||||
clientIPRange = kingpin.Flag("client-ip-range", "Client IP CIDR").Default("172.72.72.1/24").String()
|
||||
authUserHeader = kingpin.Flag("auth-user-header", "Header containing username").Default("X-Forwarded-User").String()
|
||||
|
||||
wgLinkName = kingpin.Flag("wg-device-name", "Wireguard network device name").Default("wg0").String()
|
||||
wgListenPort = kingpin.Flag("wg-listen-port", "Wireguard UDP port to listen to").Default("51820").Int()
|
||||
@@ -278,6 +278,7 @@ func (s *Server) Start() error {
|
||||
}
|
||||
|
||||
router := httprouter.New()
|
||||
router.GET("/api/v1/whoami", s.WhoAmI)
|
||||
router.GET("/api/v1/users/:user/clients/:client", s.withAuth(s.GetClient))
|
||||
router.PUT("/api/v1/users/:user/clients/:client", s.withAuth(s.EditClient))
|
||||
router.DELETE("/api/v1/users/:user/clients/:client", s.withAuth(s.DeleteClient))
|
||||
@@ -307,52 +308,39 @@ func (s *Server) Start() error {
|
||||
}
|
||||
|
||||
log.WithField("listenAddr", *listenAddr).Info("Starting server")
|
||||
return http.ListenAndServe(*listenAddr, router)
|
||||
|
||||
return http.ListenAndServe(*listenAddr, s.userFromHeader(router))
|
||||
}
|
||||
|
||||
func userFromJwtToken(r *http.Request) string {
|
||||
authHeader := r.Header.Get("authorization")
|
||||
if authHeader == "" {
|
||||
log.Debug("No Authorization header")
|
||||
return ""
|
||||
}
|
||||
func (s *Server) userFromHeader(handler http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user := r.Header.Get(*authUserHeader)
|
||||
if user == "" {
|
||||
log.Debug("Unauthenticated request")
|
||||
user = "anonymous"
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(authHeader, "Bearer ") {
|
||||
log.Debug("Incorrect Authorization header: ", authHeader)
|
||||
return ""
|
||||
}
|
||||
cookie := http.Cookie{
|
||||
Name: "wguser",
|
||||
Value: user,
|
||||
Path: "/",
|
||||
}
|
||||
http.SetCookie(w, &cookie)
|
||||
|
||||
claims := jwt.MapClaims{}
|
||||
token, err := jwt.ParseWithClaims(authHeader[7:], &claims, func(token *jwt.Token) (interface{}, error) {
|
||||
return []byte(""), nil
|
||||
ctx := context.WithValue(r.Context(), "user", user)
|
||||
handler.ServeHTTP(w, r.WithContext(ctx))
|
||||
})
|
||||
|
||||
if token == nil {
|
||||
log.Debug("Error parsing JWT token: ", err)
|
||||
return ""
|
||||
}
|
||||
|
||||
user, ok := claims["email"]
|
||||
if ok {
|
||||
return user.(string)
|
||||
}
|
||||
|
||||
user, ok = claims["sub"]
|
||||
if ok {
|
||||
return user.(string)
|
||||
}
|
||||
|
||||
return ""
|
||||
}
|
||||
|
||||
func (s *Server) withAuth(handler httprouter.Handle) httprouter.Handle {
|
||||
return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
log.Debug("Auth required")
|
||||
|
||||
user := userFromJwtToken(r)
|
||||
if user == "" {
|
||||
user = "anonymous"
|
||||
log.Info("Unauthenticated user: ", user)
|
||||
user := r.Context().Value("user")
|
||||
if user == nil {
|
||||
log.Error("Error getting username from request context")
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if user != ps.ByName("user") {
|
||||
@@ -361,8 +349,17 @@ func (s *Server) withAuth(handler httprouter.Handle) httprouter.Handle {
|
||||
return
|
||||
}
|
||||
|
||||
ctx := context.WithValue(r.Context(), "user", user)
|
||||
handler(w, r.WithContext(ctx), ps)
|
||||
handler(w, r, ps)
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) WhoAmI(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
user := r.Context().Value("user").(string)
|
||||
log.Debug(user)
|
||||
err := json.NewEncoder(w).Encode(struct{ User string }{user})
|
||||
if err != nil {
|
||||
log.Error(err)
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Generated
+19
@@ -30,6 +30,11 @@
|
||||
"integrity": "sha512-oZLYFEAzUKyi3SKnXvj32ZCEGH6RDnao7COuCVhDydMS9NrCSVXhM79VaKyP5+Zc33m0QXEd2DN3UkU7OsHcfw==",
|
||||
"dev": true
|
||||
},
|
||||
"@types/cookie": {
|
||||
"version": "0.3.3",
|
||||
"resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.3.3.tgz",
|
||||
"integrity": "sha512-LKVP3cgXBT9RYj+t+9FDKwS5tdI+rPBXaNSkma7hvqy35lc7mAokC2zsqWJH0LaqIt3B962nuYI77hsJoT1gow=="
|
||||
},
|
||||
"@types/estree": {
|
||||
"version": "0.0.39",
|
||||
"resolved": "https://registry.npmjs.org/@types/estree/-/estree-0.0.39.tgz",
|
||||
@@ -380,6 +385,20 @@
|
||||
"integrity": "sha512-pMD+MVR538ipqkG5JXeOEbKWS5um1H4LUUccUQG68qpeqBYbzYy79Gh55jkd2TtPdRfUaLWdv6LPP//5Zt0aPQ==",
|
||||
"dev": true
|
||||
},
|
||||
"cookie": {
|
||||
"version": "0.3.1",
|
||||
"resolved": "https://registry.npmjs.org/cookie/-/cookie-0.3.1.tgz",
|
||||
"integrity": "sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s="
|
||||
},
|
||||
"cookie-universal": {
|
||||
"version": "2.0.16",
|
||||
"resolved": "https://registry.npmjs.org/cookie-universal/-/cookie-universal-2.0.16.tgz",
|
||||
"integrity": "sha512-EHtQ5Tg3UoUHG7LmeV3rlV3iYthkhUuYZ0y86EseypxGcUuvzxuHExEb6mHKDhDPrIrdewAHdG/aCHuG/T4zEg==",
|
||||
"requires": {
|
||||
"@types/cookie": "^0.3.1",
|
||||
"cookie": "^0.3.1"
|
||||
}
|
||||
},
|
||||
"copy-descriptor": {
|
||||
"version": "0.1.1",
|
||||
"resolved": "https://registry.npmjs.org/copy-descriptor/-/copy-descriptor-0.1.1.tgz",
|
||||
|
||||
@@ -22,6 +22,7 @@
|
||||
"start:dev": "sirv public --dev"
|
||||
},
|
||||
"dependencies": {
|
||||
"cookie-universal": "^2.0.16",
|
||||
"ui": "^0.2.4"
|
||||
}
|
||||
}
|
||||
|
||||
+6
-1
@@ -1,10 +1,15 @@
|
||||
<script>
|
||||
import { onMount } from 'svelte';
|
||||
import { Router, Link, Route } from "svelte-routing";
|
||||
import About from "./About.svelte";
|
||||
import Clients from "./Clients.svelte";
|
||||
import EditClient from "./EditClient.svelte";
|
||||
import Nav from "./Nav.svelte";
|
||||
|
||||
import Cookie from "cookie-universal";
|
||||
const cookies = Cookie();
|
||||
export let user = cookies.get("wguser", { fromRes: true});
|
||||
|
||||
export let url = "";
|
||||
</script>
|
||||
|
||||
@@ -14,7 +19,7 @@
|
||||
<div>
|
||||
<Route path="client/:clientId" component="{EditClient}" />
|
||||
<Route path="about" component="{About}" />
|
||||
<Route path="/"><Clients /></Route>
|
||||
<Route path="/"><Clients user="{user}" /></Route>
|
||||
</div>
|
||||
</main>
|
||||
</Router>
|
||||
|
||||
@@ -11,8 +11,7 @@
|
||||
for (var i = 0; i < dev.PrivateKey.length; i++) {
|
||||
hash = dev.PrivateKey.charCodeAt(i) + ((hash << 5) - hash);
|
||||
}
|
||||
let color = "hsl(" + (hash % 360) + ",50%,95%)";
|
||||
console.log("color", color);
|
||||
const color = "hsl(" + (hash % 360) + ",50%,95%)";
|
||||
</script>
|
||||
|
||||
<style>
|
||||
@@ -23,7 +22,7 @@
|
||||
|
||||
<div class="card">
|
||||
<div class="card-body" style="background-color: {color}">
|
||||
<a href="/client/{clientId}" use:link role="button" class="btn btn-secondary material-icons float-right">edit</a>
|
||||
<a href="/client/{clientId}" use:link replace role="button" class="btn btn-secondary material-icons float-right">edit</a>
|
||||
<i class="material-icons" aria-hidden="true">devices</i>
|
||||
<h4 class="card-title">{dev.Name}</h4>
|
||||
<dl class="row">
|
||||
|
||||
@@ -2,11 +2,10 @@
|
||||
import { onMount } from 'svelte';
|
||||
import Client from './Client.svelte';
|
||||
|
||||
let user = "anonymous";
|
||||
|
||||
let clients = [];
|
||||
export let user;
|
||||
|
||||
let clientsUrl = "/api/v1/users/" + user + "/clients";
|
||||
let clients = [];
|
||||
|
||||
async function getClients() {
|
||||
const res = await fetch(clientsUrl);
|
||||
@@ -26,7 +25,7 @@
|
||||
</script>
|
||||
|
||||
|
||||
<h2>My Clients</h2>
|
||||
<h2>My Clients <small class="text-muted">({user})</small></h2>
|
||||
|
||||
<ul class="list-unstyled">
|
||||
{#each clients as dev}
|
||||
|
||||
@@ -1,12 +1,13 @@
|
||||
<script>
|
||||
import Cookie from "cookie-universal";
|
||||
import { onMount } from 'svelte';
|
||||
import { link, navigate } from "svelte-routing";
|
||||
|
||||
export let clientId;
|
||||
|
||||
let clientUrl = `/api/v1/users/` + user + `/clients/` + clientId;
|
||||
const user = Cookie().get("wguser", { fromRes: true});
|
||||
|
||||
let user = "anonymous";
|
||||
const clientUrl = `/api/v1/users/` + user + `/clients/` + clientId;
|
||||
|
||||
let client = {};
|
||||
|
||||
@@ -25,6 +26,7 @@
|
||||
body: JSON.stringify(client),
|
||||
});
|
||||
client = await res.json();
|
||||
navigate("/", { replace: true });
|
||||
console.log("Saved changes", res);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user