mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-12-20 12:51:17 +00:00
Add basic auth to simple provider
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
daa85d5016
commit
068ede3748
2 changed files with 34 additions and 8 deletions
|
@ -88,6 +88,8 @@ The simple auth provider consists of a static mapping between users and password
|
|||
```yaml
|
||||
providers:
|
||||
simple:
|
||||
enable_basic_auth: false
|
||||
|
||||
# Unique username mapped to bcrypt hashed password
|
||||
users:
|
||||
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
|
||||
|
@ -101,6 +103,8 @@ providers:
|
|||
|
||||
You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.
|
||||
|
||||
If `enable_basic_auth` is set to `true` the credentials can also be submitted through basic auth. This is useful for services whose clients does not support other types of authentication.
|
||||
|
||||
### Provider configuration: Token Auth (`token`)
|
||||
|
||||
The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.
|
||||
|
|
|
@ -14,6 +14,7 @@ func init() {
|
|||
}
|
||||
|
||||
type authSimple struct {
|
||||
EnableBasicAuth bool `yaml:"enable_basic_auth"`
|
||||
Users map[string]string `yaml:"users"`
|
||||
Groups map[string][]string `yaml:"groups"`
|
||||
}
|
||||
|
@ -41,6 +42,7 @@ func (a *authSimple) Configure(yamlSource []byte) error {
|
|||
return errAuthenticatorUnconfigured
|
||||
}
|
||||
|
||||
a.EnableBasicAuth = envelope.Providers.Simple.EnableBasicAuth
|
||||
a.Users = envelope.Providers.Simple.Users
|
||||
a.Groups = envelope.Providers.Simple.Groups
|
||||
|
||||
|
@ -52,15 +54,35 @@ func (a *authSimple) Configure(yamlSource []byte) error {
|
|||
// If no user was detected the errNoValidUserFound needs to be
|
||||
// returned
|
||||
func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
|
||||
var user string
|
||||
|
||||
if a.EnableBasicAuth {
|
||||
if basicUser, basicPass, ok := r.BasicAuth(); ok {
|
||||
for u, p := range a.Users {
|
||||
if u != basicUser {
|
||||
continue
|
||||
}
|
||||
if bcrypt.CompareHashAndPassword([]byte(p), []byte(basicPass)) != nil {
|
||||
continue
|
||||
}
|
||||
|
||||
user = basicUser
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if user == "" {
|
||||
sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
|
||||
if err != nil {
|
||||
return "", nil, errNoValidUserFound
|
||||
}
|
||||
|
||||
user, ok := sess.Values["user"].(string)
|
||||
var ok bool
|
||||
user, ok = sess.Values["user"].(string)
|
||||
if !ok {
|
||||
return "", nil, errNoValidUserFound
|
||||
}
|
||||
}
|
||||
|
||||
groups := []string{}
|
||||
for group, users := range a.Groups {
|
||||
|
|
Loading…
Reference in a new issue