extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2024-11-25 17:54:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add reverse-proxy guard to support authentication proxy

Browse Source
This commit is contained in:
Bubka 2022-03-19 00:14:20 +01:00
parent f3c6b9da5b
commit 911e18c9c4
12 changed files with 230 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/Api/v1/Resources/UserResource.php
View File

@ -17,7 +17,7 @@ public function toArray($request)
{
return [
'name' => $this->name,
'email' => $this->when(Auth::guard('api')->user(), $this->email),
'email' => $this->when(Auth::guard()->check(), $this->email),
];
}
}

67
app/Extensions/RemoteUserProvider.php Normal file
View File

@ -0,0 +1,67 @@
<?php
// Part of Firefly III (https://github.com/firefly-iii)
// see https://github.com/firefly-iii/firefly-iii/blob/main/app/Support/Authentication/RemoteUserProvider.php
namespace App\Extensions;
use App\Models\User;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Support\Str;
use Exception;
class RemoteUserProvider implements UserProvider
{
/**
* @inheritDoc
*/
public function retrieveById($identifier): User
{
$user = User::where('email', $identifier)->first();
// if (null === $user) {
// $user = User::create(
// [
// 'name' => $identifier,
// 'email' => $identifier,
// 'password' => bcrypt(Str::random(64)),
// ]
// );
// }
return $user;
}
/**
* @inheritDoc
*/
public function retrieveByToken($identifier, $token)
{
throw new Exception(sprintf('No implementation for %s', __METHOD__));
}
/**
* @inheritDoc
*/
public function updateRememberToken(Authenticatable $user, $token)
{
throw new Exception(sprintf('No implementation for %s', __METHOD__));
}
/**
* @inheritDoc
*/
public function retrieveByCredentials(array $credentials)
{
throw new Exception(sprintf('No implementation for %s', __METHOD__));
}
/**
* @inheritDoc
*/
public function validateCredentials(Authenticatable $user, array $credentials)
{
throw new Exception(sprintf('No implementation for %s', __METHOD__));
}
}

1
app/Http/Kernel.php
View File

@ -39,6 +39,7 @@ class Kernel extends HttpKernel
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\LogUserLastSeen::class,
\App\Http\Middleware\CustomCreateFreshApiToken::class,
],

14
app/Http/Middleware/Authenticate.php
View File

@ -6,17 +6,5 @@
class Authenticate extends Middleware
{
/**
* Get the path the user should be redirected to when they are not authenticated.
*
* @param \Illuminate\Http\Request $request
* @return string
* @codeCoverageIgnore
*/
protected function redirectTo($request)
{
if (! $request->expectsJson()) {
return route('login');
}
}
}

14
app/Http/Middleware/LogUserLastSeen.php
View File

@ -13,14 +13,20 @@ class LogUserLastSeen
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @param string|null $guard
* @return mixed
*/
public function handle($request, Closure $next)
public function handle($request, Closure $next, ...$quards)
{
$guards = empty($guards) ? [null] : $guards;
if( Auth::guard('api')->check() && !$request->bearerToken()) {
Auth::guard('api')->user()->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
Auth::guard('api')->user()->save();
foreach ($guards as $guard) {
// Activity coming from a client authenticated with a personal access token is not logged
if( Auth::guard($guard)->check() && !$request->bearerToken()) {
Auth::guard($guard)->user()->last_seen_at = Carbon::now()->format('Y-m-d H:i:s');
Auth::guard($guard)->user()->save();
break;
}
}
return $next($request);

15
app/Providers/AuthServiceProvider.php
View File

@ -5,7 +5,9 @@
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;
use App\Services\Auth\ReverseProxyGuard;
use App\Extensions\EloquentTwoFAuthProvider;
use App\Extensions\RemoteUserProvider;
use DarkGhostHunter\Larapass\WebAuthn\WebAuthnAssertValidator;
use Illuminate\Contracts\Hashing\Hasher;
@ -46,6 +48,19 @@ static function ($app, $config) {
);
});
//
Auth::provider('remote-user', function ($app, array $config) {
// Return an instance of Illuminate\Contracts\Auth\UserProvider...
return new RemoteUserProvider;
});
Auth::extend('reverse-proxy', function ($app, string $name, array $config) {
// Return an instance of Illuminate\Contracts\Auth\Guard...
return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
});
// Normally we should set the Passport routes here using Passport::routes().
// If so the passport routes would be set for both 'web' and 'api' middlewares without

109
app/Services/Auth/ReverseProxyGuard.php Normal file
View File

@ -0,0 +1,109 @@
<?php
namespace App\Services\Auth;
use Exception;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Support\Facades\Log;
class ReverseProxyGuard implements Guard
{
/**
* The currently authenticated user.
*
* @var \Illuminate\Contracts\Auth\Authenticatable
*/
protected $user;
/**
* The user provider implementation.
*
* @var \Illuminate\Contracts\Auth\UserProvider
*/
protected $provider;
/**
* Create a new authentication guard.
*
* @param Illuminate\Contracts\Auth\UserProvider $provider
* @return void
*/
public function __construct(UserProvider $provider)
{
$this->provider = $provider;
}
/**
* @inheritDoc
*/
public function check(): bool
{
return !is_null($this->user());
}
/**
* @inheritDoc
*/
public function guest(): bool
{
return !$this->check();
}
/**
* @inheritDoc
*/
public function user()
{
// If we've already retrieved the user for the current request we can just
// return it back immediately. We do not want to fetch the user data on
// every call to this method because that would be tremendously slow.
if (!is_null($this->user)) {
return $this->user;
}
$user = null;
// Get the user identifier from $_SERVER or apache filtered headers
$header = config('auth.guard_header', 'REMOTE_USER');
$userID = request()->server($header) ?? apache_request_headers()[$header] ?? null;
if (null === $userID) {
Log::error(sprintf('No user in header "%s".', $header));
return $this->user = null;
// throw new Exception('The guard header was unexpectedly empty. See the logs.');
}
$user = $this->provider->retrieveById($userID);
return $this->user = $user;
}
/**
* @inheritDoc
*/
public function id()
{
return $this->user;
}
/**
* Validate a user's credentials.
*
* @param array $credentials
* @return Exception
*/
public function validate(array $credentials = [])
{
throw new Exception('No implementation for RemoteUserGuard::validate()');
}
/**
* @inheritDoc
*/
public function setUser(Authenticatable $user)
{
$this->user = $user;
}
}

13
config/auth.php
View File

@ -14,9 +14,11 @@
*/
'defaults' => [
'guard' => 'web',
'guard' => env('AUTHENTICATION_GUARD', 'web'),
'passwords' => 'users',
],
'guard_header' => env('AUTHENTICATION_GUARD_HEADER', 'REMOTE_USER'),
// 'guard_email' => env('AUTHENTICATION_GUARD_EMAIL_HEADER', null),
/*
|--------------------------------------------------------------------------
@ -46,6 +48,11 @@
'provider' => 'users',
'hash' => false,
],
'reverse-proxy' => [
'driver' => 'reverse-proxy',
'provider' => 'remote-user',
],
],
/*
@ -70,6 +77,10 @@
'driver' => 'eloquent-2fauth',
'model' => App\Models\User::class,
],
'remote-user' => [
'driver' => 'remote-user',
'model' => App\Models\User::class,
],
],
/*

2
resources/js/routes.js vendored
View File

@ -17,7 +17,7 @@ import Register from './views/auth/Register'
import PasswordRequest from './views/auth/password/Request'
import PasswordReset from './views/auth/password/Reset'
import WebauthnLost from './views/auth/webauthn/Lost'
import WebauthnRecover from './views/auth/webauthn/Recover'
import WebauthnRecover from './views/auth/webauthn/Recover'
import SettingsOptions from './views/settings/Options'
import SettingsAccount from './views/settings/Account'
import SettingsOAuth from './views/settings/OAuth'

3
resources/js/views/auth/Login.vue
View File

@ -129,6 +129,9 @@
const { data } = await vm.axios.get('api/v1/user/name')
if( data.name ) {
if( data.email ) {
return next({ name: 'accounts' });
}
vm.username = data.name
}
else {

6
routes/api/v1.php
View File

@ -13,11 +13,9 @@
|
*/
Route::group(['middleware' => 'guest:api'], function () {
Route::get('user/name', 'UserController@show')->name('user.show.name');
});
Route::get('user/name', 'UserController@show')->name('user.show.name');
Route::group(['middleware' => 'auth:api'], function() {
Route::group(['middleware' => 'auth:reverse-proxy,api'], function() {
Route::get('oauth/personal-access-tokens', '\Laravel\Passport\Http\Controllers\PersonalAccessTokenController@forUser')->name('passport.personal.tokens.index');
Route::post('oauth/personal-access-tokens', '\Laravel\Passport\Http\Controllers\PersonalAccessTokenController@store')->name('passport.personal.tokens.store');

24
routes/web.php
View File

@ -1,6 +1,6 @@
<?php
// use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\Auth\WebAuthnManageController;
use App\Http\Controllers\Auth\WebAuthnRegisterController;
use App\Http\Controllers\Auth\WebAuthnLoginController;
@ -18,22 +18,14 @@
|
*/
// Route::get('/', function () {
// return view('welcome');
// });
Route::post('user', 'Auth\RegisterController@register')->name('user.register');
Route::post('user/password/lost', 'Auth\ForgotPasswordController@sendResetLinkEmail')->middleware('AvoidResetPassword')->name('user.password.lost');;
Route::post('user/password/reset', 'Auth\ResetPasswordController@reset')->name('user.password.reset');
Route::post('webauthn/lost', [WebAuthnDeviceLostController::class, 'sendRecoveryEmail'])->name('webauthn.lost');
Route::post('webauthn/recover/options', [WebAuthnRecoveryController::class, 'options'])->name('webauthn.recover.options');
Route::post('webauthn/recover', [WebAuthnRecoveryController::class, 'recover'])->name('webauthn.recover');
// Route::get('twofaccount/{TwoFAccount}', 'TwoFAccountController@show');
Route::group(['middleware' => 'guest:web'], function () {
Route::post('user', 'Auth\RegisterController@register')->name('user.register');
Route::post('user/password/lost', 'Auth\ForgotPasswordController@sendResetLinkEmail')->middleware('AvoidResetPassword')->name('user.password.lost');;
Route::post('user/password/reset', 'Auth\ResetPasswordController@reset')->name('user.password.reset');
Route::post('webauthn/lost', [WebAuthnDeviceLostController::class, 'sendRecoveryEmail'])->name('webauthn.lost');
Route::post('webauthn/recover/options', [WebAuthnRecoveryController::class, 'options'])->name('webauthn.recover.options');
Route::post('webauthn/recover', [WebAuthnRecoveryController::class, 'recover'])->name('webauthn.recover');
});
Route::group(['middleware' => 'auth:web'], function () {
Route::group(['middleware' => 'auth:reverse-proxy,web'], function () {
Route::put('user', 'Auth\UserController@update')->name('user.update');
Route::patch('user/password', 'Auth\PasswordController@update')->name('user.password.update');
Route::get('user/logout', 'Auth\LoginController@logout')->name('user.logout');