Improve the Header Authentication Method #16
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
obelisk
force-pushed
the
improve_header_auth
branch
from
d7a86e4 to
d499213
Compare
javuto
reviewed
Sep 28, 2019
cmd/admin/auth.go
Outdated
|
|
||
| if username == "" { | ||
| log.Printf("A username is required to use this system.") | ||
| w.WriteHeader(http.StatusBadRequest) |
There was a problem hiding this comment.
In other authentication methods I have used a redirect instead of writing the header:
http.Redirect(w, r, forbiddenPath, http.StatusFound)
Do you think we should use WriteHeader instead?
javuto
reviewed
Sep 28, 2019
cmd/admin/auth.go
Outdated
|
|
||
| // This user didn't present a group that has permission to use the service | ||
| if _, ok := s["level"]; !ok { | ||
| w.WriteHeader(http.StatusForbidden) |
javuto
reviewed
Sep 28, 2019
cmd/admin/auth.go
Outdated
| return | ||
| } | ||
|
|
||
| err := adminUsers.UpdateMetadata(r.RemoteAddr, r.Header.Get("User-Agent"), username) |
There was a problem hiding this comment.
Since this authentication method does not require to pre-create users, better follow these steps:
1 - Check if user already exists
2 - If not, create user
3 - Update metadata
I would replace this block (135-138) with the following code:
if !adminUsers.Exists(username) {
log.Printf("user not found, creating new user: %s", username)
email := r.Header.Get(headersConfig.TrustedPrefix + headersConfig.Email)
fullname := r.Header.Get(headersConfig.TrustedPrefix + headersConfig.DisplayName)
newUser, err := adminUsers.New(username, "", email, fullname, (s["level"] == adminLevel))
if err != nil {
log.Printf("error creating user %s: %v", username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
} else {
if err := adminUsers.UpdateMetadata(r.RemoteAddr, r.Header.Get("User-Agent"), username); err != nil {
log.Printf("error updating metadata for user %s: %v", username, err)
}
}
javuto
reviewed
Sep 28, 2019
This adds more of the code needed to properly authenticate a user based on headers present added by a reverse proxy.
obelisk
force-pushed
the
improve_header_auth
branch
from
d499213 to
227036d
Compare
javuto
reviewed
Oct 1, 2019
cmd/admin/auth.go
Outdated
|
|
||
| if !adminUsers.Exists(username) { | ||
| log.Printf("User not found, creating: %s", username) | ||
| _, err := adminUsers.New(username, "", fullname, (s["level"] == adminLevel)) |
There was a problem hiding this comment.
There is one string parameter missing, also my bad since I forgot that .New() just creates the AdminUser structure, and in order to complete the creation of the user, it needs a subsequent call to .Create(), for example:
email := r.Header.Get(headersConfig.TrustedPrefix + headersConfig.Email)
newUser, err := adminUsers.New(username, "", email, fullname, (s["level"] == adminLevel))
if err != nil {
log.Printf("Error with new user %s: %v", username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
if err := adminUsers.Create(newUser); err != nil {
log.Printf("Error creating user %s: %v", username, err)
http.Redirect(w, r, forbiddenPath, http.StatusFound)
return
}
|
Troubleshooting this build error |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds more of the code needed to properly authenticate a user based on headers present added by a reverse proxy.
I'm wary of the CSRF token line that's commented out but I must just be missing something there. Also updating users always fails and I assume that's because the login flow never runs with header authentication.
The way this is designed to work is to be put behind a proxy that handles the authentication for you that then passes the request along with newly added trusted headers from the proxy.
Admin vs User level permissions are handled by checking for the presence of specified groups passed along from the proxy.