go-shiori · PterX · Mar 17, 2024 · Mar 18, 2024 · Mar 18, 2024 · Mar 30, 2024
diff --git a/docs/Configuration.md b/docs/Configuration.md
@@ -42,6 +42,8 @@ Most configuration can be set directly using environment variables or flags. The
 | `SHIORI_HTTP_IDLE_TIMEOUT`                 | 10s     | No       | Maximum amount of time to wait for the next request   |
 | `SHIORI_HTTP_DISABLE_KEEP_ALIVE`           | true    | No       | Disable HTTP keep-alive connections                   |
 | `SHIORI_HTTP_DISABLE_PARSE_MULTIPART_FORM` | true    | No       | Disable pre-parsing of multipart form                 |
+| `SHIORI_TRUSTED_PROXIES`                   | ""      | No       | oidc trust proxy ip address                           |
+| `SHIORI_REVERSE_PROXY_AUTH_USER`           | ""      | No       | user id key of oidc auth header, ie. Remote-User      |
 
 ### Storage Configuration
 

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -49,13 +49,15 @@ func readDotEnv(logger *logrus.Logger) map[string]string {
 }
 
 type HttpConfig struct {
-	Enabled    bool   `env:"HTTP_ENABLED,default=True"`
-	Port       int    `env:"HTTP_PORT,default=8080"`
-	Address    string `env:"HTTP_ADDRESS,default=:"`
-	RootPath   string `env:"HTTP_ROOT_PATH,default=/"`
-	AccessLog  bool   `env:"HTTP_ACCESS_LOG,default=True"`
-	ServeWebUI bool   `env:"HTTP_SERVE_WEB_UI,default=True"`
-	SecretKey  []byte `env:"HTTP_SECRET_KEY"`
+	Enabled              bool     `env:"HTTP_ENABLED,default=True"`
+	Port                 int      `env:"HTTP_PORT,default=8080"`
+	Address              string   `env:"HTTP_ADDRESS,default=:"`
+	RootPath             string   `env:"HTTP_ROOT_PATH,default=/"`
+	AccessLog            bool     `env:"HTTP_ACCESS_LOG,default=True"`
+	ServeWebUI           bool     `env:"HTTP_SERVE_WEB_UI,default=True"`
+	SecretKey            []byte   `env:"HTTP_SECRET_KEY"`
+	TrustedProxies       []string `env:"TRUSTED_PROXIES"`
+	ReverseProxyAuthUser string   `env:"REVERSE_PROXY_AUTH_USER"`
 	// Fiber Specific
 	BodyLimit                    int           `env:"HTTP_BODY_LIMIT,default=1024"`
 	ReadTimeout                  time.Duration `env:"HTTP_READ_TIMEOUT,default=10s"`

diff --git a/internal/dependencies/dependencies.go b/internal/dependencies/dependencies.go
@@ -8,10 +8,11 @@ import (
 )
 
 type Domains struct {
-	Archiver  model.ArchiverDomain
-	Auth      model.AccountsDomain
-	Bookmarks model.BookmarksDomain
-	Storage   model.StorageDomain
+	Archiver    model.ArchiverDomain
+	Auth        model.AccountsDomain
+	Bookmarks   model.BookmarksDomain
+	Storage     model.StorageDomain
+	LegacyLogin model.LegacyLoginHandler
 }
 
 type Dependencies struct {

diff --git a/internal/http/middleware/auth.go b/internal/http/middleware/auth.go
@@ -3,6 +3,7 @@
 import (
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/go-shiori/shiori/internal/dependencies"
@@ -20,6 +21,9 @@
 		if token == "" {
 			token = getTokenFromCookie(c)
 		}
+		if token == "" {
+			token = getTokenFromAuthHeader(c, deps)
+		}
 
 		account, err := deps.Domains.Auth.CheckToken(c, token)
 		if err != nil {
@@ -42,6 +46,59 @@
 	}
 }
 
+// getAuth user from oauth proxy, if any
+func getTokenFromAuthHeader(c *gin.Context, deps *dependencies.Dependencies) string {
+	if deps.Config.Http.ReverseProxyAuthUser == "" {
+		deps.Log.Debugf("auth proxy: reverse-proxy-auth-user not set")
+		return ""
+	}
+	authUser := c.GetHeader(deps.Config.Http.ReverseProxyAuthUser)
+	if authUser == "" {
+		deps.Log.Debugf("auth proxy: can not get user header from proxy")
+		return ""
+	}
+	remoteAddr := c.ClientIP()
+	deps.Log.Debugf("auth proxy: got auth user (%s), client ip (%s)", authUser, remoteAddr)
+	cidrs, err := newCIDRs(deps.Config.Http.TrustedProxies)
+	if err != nil {
+		deps.Log.Errorf("auth proxy: trusted proxy config error (%v)", err)
+		return ""
+	}
+	canTrustProxy := false
+	if len(deps.Config.Http.TrustedProxies) == 0 || cidrs.ContainStringIP(remoteAddr) {
+		canTrustProxy = true
+	}
+	if canTrustProxy {
+		account, exit, err := deps.Database.GetAccount(c, authUser)
+		if err == nil && exit {
+			token, err := deps.Domains.Auth.CreateTokenForAccount(&account, time.Now().Add(time.Hour*24*365))
+			if err != nil {
+				deps.Log.Errorf("auth proxy: create token error %v", err)
+				return ""
+			}
+			sessionId, err := deps.Domains.LegacyLogin(account, time.Hour*24*30)
+			if err != nil {
+				deps.Log.Errorf("auth proxy: create session error %v", err)
+				return ""
+			}
+			deps.Log.Debugf("auth proxy: write session %s token %s", sessionId, token)
+			sessionCookie := &http.Cookie{Name: "session-id", Value: sessionId}
+			http.SetCookie(c.Writer, sessionCookie)
+			c.Request.AddCookie(sessionCookie)
+			tokenCookie := &http.Cookie{Name: "token", Value: token}
+			http.SetCookie(c.Writer, tokenCookie)
+			c.Request.AddCookie(tokenCookie)
+
+			return token
+		} else {
+			deps.Log.Warnf("auth proxy: no such user (%s) or error %v", authUser, err)
+		}
+	} else if authUser != "" {
+		deps.Log.Warnf("auth proxy: invalid auth request from %s", remoteAddr)
+	}
+	return ""
+}
+
 // getTokenFromHeader returns the token from the Authorization header, if any.
 func getTokenFromHeader(c *gin.Context) string {
 	authorization := c.GetHeader(model.AuthorizationHeader)

diff --git a/internal/http/middleware/cidrs.go b/internal/http/middleware/cidrs.go
@@ -0,0 +1,51 @@
+package middleware
+
+import (
+	"net"
+	"strings"
+)
+
+type CIDRs struct {
+	elements []*net.IPNet
+}
+
+func newCIDRs(addresses []string) (*CIDRs, error) {
+	cidr := make([]*net.IPNet, 0, len(addresses))
+	for _, addr := range addresses {
+		if !strings.Contains(addr, "/") {
+			ip := net.ParseIP(addr)
+			if ip == nil {
+				return nil, &net.ParseError{Type: "IP address", Text: addr}
+			}
+			if ip.To4() == nil {
+				addr += "/128"
+			} else {
+				addr += "/32"
+			}
+		}
+		_, cidrNet, err := net.ParseCIDR(addr)
+		if err != nil {
+			return nil, err
+		}
+		cidr = append(cidr, cidrNet)
+	}
+	return &CIDRs{elements: cidr}, nil
+}
+
+func (c *CIDRs) Len() int {
+	return len(c.elements)
+}
+
+func (c *CIDRs) ContainIP(ip net.IP) bool {
+	for _, el := range c.elements {
+		if el.Contains(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (c *CIDRs) ContainStringIP(ip string) bool {
+	return c.ContainIP(net.ParseIP(ip))
+}
diff --git a/internal/http/server.go b/internal/http/server.go
@@ -57,6 +57,8 @@
 	// package.
 	legacyRoutes := routes.NewLegacyAPIRoutes(s.logger, deps, cfg)
 	legacyRoutes.Setup(s.engine)
+	// used for auth header save session
+	deps.Domains.LegacyLogin = legacyRoutes.HandleLogin
 
 	s.handle("/system", routes.NewSystemRoutes(s.logger))
 	s.handle("/bookmark", routes.NewBookmarkRoutes(s.logger, deps))

diff --git a/internal/view/index.html b/internal/view/index.html
@@ -146,9 +146,32 @@
 						username: username,
 						owner: owner,
 					};
-				}
+				},
+                loadToken() {
+                    function parseJWT(token) {
+						try {
+							return JSON.parse(atob(token.split('.')[1]));
+						} catch (e) {
+							return null;
+						}
+					}
+                    function getCookie(cname){
+                        var name = cname + "=";
+                        var ca = document.cookie.split(';');
+                        for(var i=0; i<ca.length; i++) {
+                            var c = ca[i].trim();
+                            if (c.indexOf(name)==0) { return c.substring(name.length,c.length); }
+                        }
+                        return "";
+                    }
+                    // Save account data
+                    var token = getCookie("token");
+                    localStorage.setItem("shiori-token", token);
+                    localStorage.setItem("shiori-account", JSON.stringify(parseJWT(token).account));
+                }
 			},
 			mounted() {
+                this.loadToken();
 				// Load setting
 				this.loadSetting();
 				this.loadAccount();

diff --git a/internal/webserver/handler-api.go b/internal/webserver/handler-api.go
@@ -63,6 +63,16 @@
 
 	// Make sure session still valid
 	err := h.validateSession(r)
+	if err != nil {
+		c := &http.Cookie{
+			Name:     "token",
+			Value:    "",
+			Path:     "/",
+			MaxAge:   -1,
+			HttpOnly: true,
+		}
+		http.SetCookie(w, c)
+	}
 	checkError(err)
 
 	// Get URL queries

diff --git a/internal/webserver/handler.go b/internal/webserver/handler.go
@@ -111,28 +111,33 @@
 			return fmt.Errorf("session has been expired")
 		}
 
-		account, err := h.dependencies.Domains.Auth.CheckToken(r.Context(), authParts[1])
-		if err != nil {
-			return fmt.Errorf("session has been expired")
-		}
+		// authelia maybe return an null AuthorizationHeader header, ignore exception
+		if authParts[1] != "null" {
 
-		if r.Method != "" && r.Method != "GET" && !account.Owner {
-			return fmt.Errorf("account level is not sufficient")
-		}
+			account, err := h.dependencies.Domains.Auth.CheckToken(r.Context(), authParts[1])
+			if err != nil {
+				return fmt.Errorf("session has been expired")
+			}
+
+			if r.Method != "" && r.Method != "GET" && !account.Owner {
+				return fmt.Errorf("account level is not sufficient")
+			}
 
-		h.dependencies.Log.WithFields(logrus.Fields{
-			"username": account.Username,
-			"method":   r.Method,
-			"path":     r.URL.Path,
-		}).Info("allowing legacy api access using JWT token")
+			h.dependencies.Log.WithFields(logrus.Fields{
+				"username": account.Username,
+				"method":   r.Method,
+				"path":     r.URL.Path,
+			}).Info("allowing legacy api access using JWT token")
 
-		return nil
+			return nil
+		}
 	}
 
 	sessionID := h.GetSessionID(r)
 	if sessionID == "" {
 		return fmt.Errorf("session is not exist")
 	}
+	h.dependencies.Log.Debugf("get session id is %s", sessionID)
 
 	// Make sure session is not expired yet
 	val, found := h.SessionCache.Get(sessionID)