Readd URL token and cleanup

Fix session values.

internal/auth/auth.go

@@ -97,26 +97,29 @@ func (auth *Authentication) AuthViaSession(
 	if session.IsNew {
 		return nil, nil
 	}
-
-	var username string
-	var projects, roles []string
-
-	if val, ok := session.Values["username"]; ok {
-		username, _ = val.(string)
-	} else {
-		return nil, errors.New("No key username in session")
-	}
-	if val, ok := session.Values["projects"]; ok {
-		projects, _ = val.([]string)
-	} else {
-		return nil, errors.New("No key projects in session")
-	}
-	if val, ok := session.Values["projects"]; ok {
-		roles, _ = val.([]string)
-	} else {
-		return nil, errors.New("No key roles in session")
-	}
-
+	//
+	// var username string
+	// var projects, roles []string
+	//
+	// if val, ok := session.Values["username"]; ok {
+	// 	username, _ = val.(string)
+	// } else {
+	// 	return nil, errors.New("no key username in session")
+	// }
+	// if val, ok := session.Values["projects"]; ok {
+	// 	projects, _ = val.([]string)
+	// } else {
+	// 	return nil, errors.New("no key projects in session")
+	// }
+	// if val, ok := session.Values["projects"]; ok {
+	// 	roles, _ = val.([]string)
+	// } else {
+	// 	return nil, errors.New("no key roles in session")
+	// }
+	//
+	username, _ := session.Values["username"].(string)
+	projects, _ := session.Values["projects"].([]string)
+	roles, _ := session.Values["roles"].([]string)
 	return &User{
 		Username:   username,
 		Projects:   projects,
@@ -261,6 +264,12 @@ func (auth *Authentication) Auth(
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 
 		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
+		if err != nil {
+			log.Infof("authentication failed: %s", err.Error())
+			http.Error(rw, err.Error(), http.StatusUnauthorized)
+			return
+		}
+
 		if user == nil {
 			user, err = auth.AuthViaSession(rw, r)
 			if err != nil {
@@ -276,7 +285,7 @@ func (auth *Authentication) Auth(
 			return
 		}
 
-		log.Debug("authentication failed: no authenticator applied")
+		log.Debug("authentication failed")
 		onfailure(rw, r, errors.New("unauthorized (please login first)"))
 	})
 }

internal/auth/jwt.go

@@ -62,6 +62,11 @@ func (ja *JWTAuthenticator) AuthViaJWT(
 		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
 	}
 
+	// there is no token
+	if rawtoken == "" {
+		return nil, nil
+	}
+
 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 		if t.Method != jwt.SigningMethodEdDSA {
 			return nil, errors.New("only Ed25519/EdDSA supported")
@@ -81,6 +86,11 @@ func (ja *JWTAuthenticator) AuthViaJWT(
 	// Token is valid, extract payload
 	claims := token.Claims.(jwt.MapClaims)
 	sub, _ := claims["sub"].(string)
+	exp, _ := claims["exp"].(float64)
+
+	if exp < float64(time.Now().Unix()) {
+		return nil, errors.New("token is expired")
+	}
 
 	var roles []string
 
@@ -109,8 +119,8 @@ func (ja *JWTAuthenticator) AuthViaJWT(
 	return &User{
 		Username:   sub,
 		Roles:      roles,
-		AuthType:   AuthSession,
-		AuthSource: AuthViaToken,
+		AuthType:   AuthToken,
+		AuthSource: -1,
 	}, nil
 }
 

internal/auth/jwtCookieSession.go

@@ -24,8 +24,6 @@ type JWTCookieSessionAuthenticator struct {
 	privateKey          ed25519.PrivateKey
 	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs
 
-	loginTokenKey []byte // HS256 key
-
 	config *schema.JWTAuthConfig
 }
 
@@ -55,15 +53,6 @@ func (ja *JWTCookieSessionAuthenticator) Init(auth *Authentication, conf interfa
 		ja.privateKey = ed25519.PrivateKey(bytes)
 	}
 
-	if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKey)
-		if err != nil {
-			log.Warn("Could not decode cross login JWT HS512 key")
-			return err
-		}
-		ja.loginTokenKey = bytes
-	}
-
 	// Look for external public keys
 	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
 	if keyFound && pubKeyCrossLogin != "" {
@@ -105,13 +94,6 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
 	rw http.ResponseWriter,
 	r *http.Request) bool {
 
-	if ja.publicKeyCrossLogin == nil ||
-		ja.config == nil ||
-		ja.config.TrustedExternalIssuer == "" {
-
-		return false
-	}
-
 	cookieName := ""
 	if ja.config != nil && ja.config.CookieName != "" {
 		cookieName = ja.config.CookieName

internal/auth/jwtSession.go

@@ -45,7 +45,7 @@ func (ja *JWTSessionAuthenticator) CanLogin(
 	rw http.ResponseWriter,
 	r *http.Request) bool {
 
-	return r.Header.Get("Authorization") != ""
+	return r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
 }
 
 func (ja *JWTSessionAuthenticator) Login(
@@ -54,6 +54,10 @@ func (ja *JWTSessionAuthenticator) Login(
 	r *http.Request) (*User, error) {
 
 	rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+	if rawtoken == "" {
+		rawtoken = r.URL.Query().Get("login-token")
+	}
+
 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
 			return ja.loginTokenKey, nil

internal/auth/local.go

@@ -39,7 +39,8 @@ func (la *LocalAuthenticator) Login(
 	rw http.ResponseWriter,
 	r *http.Request) (*User, error) {
 
-	if e := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(r.FormValue("password"))); e != nil {
+	if e := bcrypt.CompareHashAndPassword([]byte(user.Password),
+		[]byte(r.FormValue("password"))); e != nil {
 		log.Errorf("AUTH/LOCAL > Authentication for user %s failed!", user.Username)
 		return nil, fmt.Errorf("AUTH/LOCAL > Authentication failed")
 	}