- ntfy client supports HTTP Basic auth (username/password) for servers with access control; [ntfy] config gains username/password. Scheduler + Test Ntfy use it instead of the old settings-only bearer token. - Settings page no longer has credential inputs (Apify/eBay/ntfy/Resend); they are managed in config.toml. Read-only status + Test buttons remain. - Sidebar gains a Sign out button; in forward-auth mode it routes through the Authentik outpost sign_out so the IdP session is cleared.
127 lines
3.5 KiB
Go
127 lines
3.5 KiB
Go
package handlers
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"veola/internal/auth"
|
|
"veola/internal/models"
|
|
"veola/templates"
|
|
)
|
|
|
|
func (a *App) GetLogin(w http.ResponseWriter, r *http.Request) {
|
|
if auth.CurrentUserFromRequest(r) != nil {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
render(w, r, templates.Login(templates.LoginData{
|
|
Page: a.page(r, "Sign in", ""),
|
|
}))
|
|
}
|
|
|
|
func (a *App) PostLogin(w http.ResponseWriter, r *http.Request) {
|
|
if err := r.ParseForm(); err != nil {
|
|
http.Error(w, "bad form", http.StatusBadRequest)
|
|
return
|
|
}
|
|
username := strings.TrimSpace(r.PostFormValue("username"))
|
|
password := r.PostFormValue("password")
|
|
u, err := a.Store.GetUserByUsername(r.Context(), username)
|
|
if err != nil || u == nil {
|
|
// Run a bcrypt comparison anyway so a missing username takes the
|
|
// same time as a wrong password (no user-enumeration oracle).
|
|
auth.EqualizeLoginTiming()
|
|
}
|
|
if err != nil || u == nil || !auth.CheckPassword(u.PasswordHash, password) {
|
|
render(w, r, templates.Login(templates.LoginData{
|
|
Page: a.page(r, "Sign in", ""),
|
|
Error: "Invalid username or password",
|
|
Username: username,
|
|
}))
|
|
return
|
|
}
|
|
if err := a.Auth.LogIn(r.Context(), u.ID); err != nil {
|
|
http.Error(w, "session error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
}
|
|
|
|
func (a *App) PostLogout(w http.ResponseWriter, r *http.Request) {
|
|
_ = a.Auth.LogOut(r.Context())
|
|
// In forward-auth mode, destroying only the local session is pointless: the
|
|
// next request still carries a valid Authentik proxy session and would be
|
|
// re-provisioned immediately. Send the user through the Authentik outpost
|
|
// sign-out so the IdP session is cleared too.
|
|
if a.Cfg.Auth.ForwardAuthEnabled() {
|
|
http.Redirect(w, r, "/outpost.goauthentik.io/sign_out", http.StatusSeeOther)
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
}
|
|
|
|
func (a *App) GetSetup(w http.ResponseWriter, r *http.Request) {
|
|
n, err := a.Store.UserCount(r.Context())
|
|
if err != nil {
|
|
http.Error(w, "db error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if n > 0 {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
render(w, r, templates.Setup(templates.SetupData{
|
|
Page: a.page(r, "Setup", ""),
|
|
}))
|
|
}
|
|
|
|
func (a *App) PostSetup(w http.ResponseWriter, r *http.Request) {
|
|
n, err := a.Store.UserCount(r.Context())
|
|
if err != nil {
|
|
http.Error(w, "db error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if n > 0 {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
if err := r.ParseForm(); err != nil {
|
|
http.Error(w, "bad form", http.StatusBadRequest)
|
|
return
|
|
}
|
|
username := strings.TrimSpace(r.PostFormValue("username"))
|
|
password := r.PostFormValue("password")
|
|
confirm := r.PostFormValue("password_confirm")
|
|
errMsg := ""
|
|
switch {
|
|
case username == "":
|
|
errMsg = "Username is required"
|
|
case len(password) < auth.MinPasswordLen:
|
|
errMsg = "Password must be at least 12 characters"
|
|
case password != confirm:
|
|
errMsg = "Passwords do not match"
|
|
}
|
|
if errMsg != "" {
|
|
render(w, r, templates.Setup(templates.SetupData{
|
|
Page: a.page(r, "Setup", ""),
|
|
Error: errMsg,
|
|
Username: username,
|
|
}))
|
|
return
|
|
}
|
|
hash, err := auth.HashPassword(password)
|
|
if err != nil {
|
|
http.Error(w, "hash error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if _, err := a.Store.CreateUser(r.Context(), username, hash, models.RoleAdmin); err != nil {
|
|
render(w, r, templates.Setup(templates.SetupData{
|
|
Page: a.page(r, "Setup", ""),
|
|
Error: "Could not create user: " + err.Error(),
|
|
Username: username,
|
|
}))
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
}
|