Merge pull request #40 from prologic/sso_header_auth

Add support for basic SSO via Trusted Header Auth
2024-09-19 19:30:28 +05:00 · 2023-08-28 10:50:48 +05:00 · 2023-08-28 10:50:48 +05:00 · f129268c9f
parent 5df95b26d9 f8c888d6b0
commit f129268c9f
4 changed files with 23 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,7 @@
-*.sqlite3
+*~
 *.db
+*.bak
+*.sqlite3
+**/.DS_Store
+
+/phoenix
--- a/config/main.go
+++ b/config/main.go
@ -12,6 +12,7 @@ type Config struct {
 	LogLevel        string `default:"warning"`
 	EnableGinLogger bool   `default:"false"`
 	Production      bool   `default:"true"`
+	HeaderAuth      bool   `default:"false"`
 	DefaultUsername string
 	DefaultPassword string
 }
--- a/readme.md
+++ b/readme.md
@ -8,6 +8,7 @@ Self-hosted start page without the extra stuff.
 - No javascript
 - Relatively low resource consumption (around 7 MiB of RAM)
 - Authorization support
+  - SSO via Trusted Header Auth (_Reverse Proxy_)

 ## Configuration
 Service settings can be set through environment variables.
@ -19,6 +20,7 @@ Service settings can be set through environment variables.
 | P_LOGLEVEL          | Log level settings: `debug`, `info`, `warning`, `error`, `fatal` | `warning`                             |
 | P_ENABLEGINLOGGER   | Enable gin's logging middleware. Can create a lot of logs.       | `false`                               |
 | P_PRODUCTION        | Is this instance running in production mode?                     | `true`                                |
+| P_HEADERAUTH        | Enable Trusted Header Auth (SSO)                                 | `false`                               |
 | P_DEFAULTUSERNAME   | Data for the first user.                                         |                                       |
 | P_DEFAULTPASSWORD   | Data for the first user.                                         |                                       |

--- a/views/auth.go
+++ b/views/auth.go
@ -3,13 +3,14 @@ package views
 import (
 	"errors"
 	"fmt"
+	"net/http"
+	"time"
+
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/ordinary-dev/phoenix/config"
 	"github.com/ordinary-dev/phoenix/database"
 	"gorm.io/gorm"
-	"net/http"
-	"time"
 )

 func ShowRegistrationForm(c *gin.Context, db *gorm.DB) {
@ -69,6 +70,17 @@ func RequireAuth(c *gin.Context, cfg *config.Config) (*jwt.RegisteredClaims, err
 func AuthMiddleware(c *gin.Context, db *gorm.DB, cfg *config.Config) {
 	claims, err := RequireAuth(c, cfg)
 	if err != nil {
+		if cfg.HeaderAuth && c.Request.Header.Get("Remote-User") != "" {
+			// Generate access token.
+			token, err := GetJWTToken(cfg)
+			if err != nil {
+				ShowError(c, err)
+				return
+			}
+			SetTokenCookie(c, token)
+			return
+		}
+
 		if database.CountAdmins(db) < 1 {
 			c.Redirect(http.StatusFound, "/registration")
 		} else {