# Overview The implementation of authentication is not easy to understand by just looking at the code. The authentication is implemented in `internal/auth/`. In `auth.go` an interface is defined that any authentication provider must fullfil. It also acts as a dispatcher to delegate the calls to the available authentication providers. The most important routine are: * `CanLogin()` Check if the authentication method is supported for login attempt * `Login()` Handle POST request to login user and start a new session * `Auth()` Authenticate user and put User Object in context of the request The http router calls auth in the following cases: * `r.Handle("/login", authentication.Login( ... )).Methods(http.MethodPost)`: The POST request on the `/login` route will call the Login callback. * Any route in the secured subrouter will always call Auth(), on success it will call the next handler in the chain, on falure it will render the login template. ``` secured.Use(func(next http.Handler) http.Handler { return authentication.Auth( // On success; next, // On failure: func(rw http.ResponseWriter, r *http.Request, err error) { // Render login form }) }) ``` For non API routes a JWT token can be used to initate an authenticated user session. This can either happen by calling the login/ route with a token provided in a header or the query URL or via the `Auth()` method on first access to a secured URL via aspecial cookie containing the JWT token. For API routes the access is authenticated on every request using the JWT token and no session is initiated. # Login The Login function (located in `auth.go`): * Extracts the user name and gets the user from the user database table. In case the user is not found the user obejct is set to nil. * Iterates over all authenticators and: - Calls the `CanLogin` function which checks if the authentication method is supported for this user and the user object is valid. - Calls the `Login` function to authenticate the user. On success a valid user object is returned. - Creates a new session object, stores the user attributes in the session and saves the session. - Calls the `onSuccess` http handler ## Local authenticator This authenticator is applied if ``` return user != nil && user.AuthSource == AuthViaLocalPassword ``` Compares the password provided by the login form to the password hash stored in the user database table: ``` if e := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(r.FormValue("password"))); e != nil { log.Errorf("AUTH/LOCAL > Authentication for user %s failed!", user.Username) return nil, fmt.Errorf("AUTH/LOCAL > Authentication failed") } ``` ## LDAP authenticator This authenticator is applied if ``` return user != nil && user.AuthSource == AuthViaLDAP ``` Gets the LDAP connection and tries a bind with the provided credentials: ``` if err := l.Bind(userDn, r.FormValue("password")); err != nil { log.Errorf("AUTH/LOCAL > Authentication for user %s failed: %v", user.Username, err) return nil, fmt.Errorf("AUTH/LDAP > Authentication failed") } ``` ## JWT authenticator Login via JWT token will create a session without password. For login the `X-Auth-Token` header is not supported. This authenticator is applied if either user is not nil and auth source is `AuthViaToken` or the Authorization header is present or the URL query key login-token is present: ``` return (user != nil && user.AuthSource == AuthViaToken) || r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != "" ``` The Login function: * Parses the token * Check if the signing method is EdDSA or HS256 or HS512 * Check if claims are valid and extracts the claims * The following claims have to be present: - `sub`: The subject, in this case this is the username - `exp`: Expiration in Unix epoch time - `roles`: String array with roles of user * In case user is not yet set, which is usually the case: - Try to fetch user from database - In case user is not yet present add user to user databse table with `AuthViaToken` AuthSource. * Return valid user object # Auth The Auth function (located in `auth.go`): * Returns a new http handler function that is defined right away * This handler iterates over all authenticators * Calls `Auth()` on every authenticator * If err is not nil and the user object is valid it puts the user object in the request context and starts the onsuccess http handler * Otherwise it calls the onfailure handler ## Local Calls the `AuthViaSession()` function in `auth.go`. This will extract username, projects and roles from the session and initialize a user object with those values. ## LDAP Calls the `AuthViaSession()` function in `auth.go`. This will extract username, projects and roles from the session and initialize a user object with those values. # JWT Check for JWT token: * Is token passed in the `X-Auth-Token` or `Authorization` header * If no token is found in a header it tries to read the token from a configured cookie. Finally it calls AuthViaSession in `auth.go` if a valid session exists. This is true if a JWT token was previously used to initiate a session. In this case the user object initialized with the session is returned rightaway. In case a token was found extract and parse the token: * Check if signing method is Ed25519/EdDSA * In case publicKeyCrossLogin is configured: - Check if `iss` issuer claim matched trusted issuer from configuration - Return public cross login key - Otherwise return standard public key * Check if claims are valid * Depending on the option `ForceJWTValidationViaDatabase ` the roles are extracted from JWT token or taken from user object fetched from database * In case the token was extracted from cookie create a new session and ask the browser to delete the JWT cookie * Return valid user object