bugfixes in auth/

2024-11-10 08:57:25 +01:00 · 2022-07-25 09:33:36 +02:00 · 2022-07-25 09:33:36 +02:00 · a48e94ab3e
commit a48e94ab3e
parent 2d57e4cfe8
3 changed files with 26 additions and 2 deletions
--- a/cmd/cc-backend/main.go
+++ b/cmd/cc-backend/main.go
@ -224,6 +224,7 @@ func main() {
 			if err := authentication.LdapAuth.Sync(); err != nil {
 				log.Fatal(err)
 			}
+			log.Info("LDAP sync successfull")
 		}

 		if flagGenJWT != "" {
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@ -2,7 +2,11 @@ package auth

 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
 	"net/http"
+	"os"
 	"time"

 	"github.com/ClusterCockpit/cc-backend/pkg/log"
@ -87,6 +91,22 @@ func Init(db *sqlx.DB, configs map[string]interface{}) (*Authentication, error)
 		return nil, err
 	}

+	sessKey := os.Getenv("SESSION_KEY")
+	if sessKey == "" {
+		log.Warn("environment variable 'SESSION_KEY' not set (will use non-persistent random key)")
+		bytes := make([]byte, 32)
+		if _, err := rand.Read(bytes); err != nil {
+			return nil, err
+		}
+		auth.sessionStore = sessions.NewCookieStore(bytes)
+	} else {
+		bytes, err := base64.StdEncoding.DecodeString(sessKey)
+		if err != nil {
+			return nil, err
+		}
+		auth.sessionStore = sessions.NewCookieStore(bytes)
+	}
+
 	auth.LocalAuth = &LocalAuthenticator{}
 	if err := auth.LocalAuth.Init(auth, nil); err != nil {
 		return nil, err
@ -174,6 +194,7 @@ func (auth *Authentication) Login(onsuccess http.Handler, onfailure func(rw http
 			log.Infof("login successfull: user: %#v (roles: %v)", user.Username, user.Roles)
 			ctx := context.WithValue(r.Context(), ContextUserKey, user)
 			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+			return
 		}

 		log.Warn("login failed: no authenticator applied")
@ -199,10 +220,12 @@ func (auth *Authentication) Auth(onsuccess http.Handler, onfailure func(rw http.

 			ctx := context.WithValue(r.Context(), ContextUserKey, user)
 			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
+			return
 		}

 		log.Warnf("authentication failed: %s", "no authenticator applied")
-		http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		// http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		onfailure(rw, r, errors.New("unauthorized (login first or use a token)"))
 	})
 }

--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@ -123,7 +123,7 @@ func (ja *JWTAuthenticator) Auth(rw http.ResponseWriter, r *http.Request) (*User
 	rawtoken := r.Header.Get("X-Auth-Token")
 	if rawtoken == "" {
 		rawtoken = r.Header.Get("Authorization")
-		rawtoken = strings.TrimPrefix("Bearer ", rawtoken)
+		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
 	}

 	// Because a user can also log in via a token, the