idanoo/autobrr
1
0
Fork 0
mirror of https://github.com/idanoo/autobrr synced 2025-07-22 16:29:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(auth): implement auth proxy support with OpenID Connect (#1853)

Browse source 
* feat(auth): implement oidc

* refactor(auth): centralize OIDC state cookie handling

* fix(web): resolve unused error variables in route handlers

* docs(readme): add OIDC authentication feature to list

* fix(auth): improve OIDC cookie handling for reverse proxy setups

The OIDC state cookie's Secure flag is now properly set when running behind a reverse proxy by checking both direct TLS and X-Forwarded-Proto header. This fixes authentication issues in common setups where:

- autobrr runs behind a reverse proxy that terminates HTTPS
- local development environments without TLS
- mixed protocol environments (internal HTTP, external HTTPS)

* fix: use crypt/random if argon2id fails

* feat(auth): show both login options when user exists in db

if user doesn't exist, e.g. canOnboard=true then we only show the OIDC button, since regular login makes no sense in that case

If user does not exist in db and the user wants to create a local user, OIDC needs to be disabled first

* feat(auth): improve OIDC provider initialization with discovery logging

* revert(issuer): do not remove trailing slash

* feat(auth): improve OIDC username resolution with additional claims

* fix(auth): handle OIDC issuer URLs with and without trailing slashes

When initializing the OIDC provider, automatically retry with/without trailing
slash if the first attempt fails.

- First attempts with original issuer URL
- If fails with trailing slash, retries without
- If fails without trailing slash, retries with

* feat(oidc): add gorilla sessions store for secure state management

Add gorilla sessions store to handle encrypted state cookies in OIDC flow,
while removing redundant session validation checks

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): prevent duplicate OIDC state cookies for authenticated sessions

Modify OIDC config handler to check for existing authenticated sessions
before setting state cookie. Still returns OIDC enabled status to maintain
UI state, but prevents unnecessary cookie creation for authenticated users.

* feat(oidc): use random secret for temporary state cookies

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* feat(auth): add rate limiting to OIDC endpoints

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): validate OIDC authorization code presence in callback

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): properly handle OIDC session errors

Improve error handling in OIDC login flow by properly handling cookie store
session errors. Return HTTP 500 if session cannot be retrieved instead of
silently continuing with potentially invalid state.

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* feat(auth): track and display authentication method for oidc and password logins

* fix: tests

* docs(readme): add environment variable section

* go mod tidy

* chore: log style and errors

---------

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
Co-authored-by: ze0s <ze0s@riseup.net>
This commit is contained in:
soup 2024-12-19 14:41:31 +01:00 committed by GitHub
parent 80423d6273
commit 43c28fc0c6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
19 changed files with 893 additions and 130 deletions
Download patch file Download diff file Expand all files Collapse all files

8
go.sum
View file

@ -91,6 +91,8 @@ github.com/containerd/cgroups/v3 v3.0.1 h1:4hfGvu8rfGIwVIDd+nLzn/B9ZXx4BcCjzt5To
github.com/containerd/cgroups/v3 v3.0.1/go.mod h1:/vtwk1VXrtoa5AaZLkypuOJgA/6DyPMZHJPGQNtlHnw=
github.com/containrrr/shoutrrr v0.8.0 h1:mfG2ATzIS7NR2Ec6XL+xyoHzN97H8WPjir8aYzJUSec=
github.com/containrrr/shoutrrr v0.8.0/go.mod h1:ioyQAyu1LJY6sILuNyKaQaw+9Ttik5QePU8atnAdO2o=
github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cytec/releaseparser v0.0.0-20200706155913-2341b265c370 h1:g9q5BGfDdhcXn4EmVZD8UydPXrvhSvgz3FRBn7zAJNs=
@ -134,6 +136,8 @@ github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@ -217,8 +221,6 @@ github.com/icholy/digest v1.0.1 h1:HBhK5/Ab2Z4rHgw6n5UooxcJpLSeMR+TuD5rkvRc7Z8=
github.com/icholy/digest v1.0.1/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y=
github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc=
github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
@ -450,6 +452,8 @@ golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=