Commit graph

24 commits

Author SHA1 Message Date
soup
0391629862
chore(license): update copyright year in headers (#1929)
* chore: update copyright year in license headers

* Revert "chore: update copyright year in license headers"

This reverts commit 3e58129c431b9a491089ce36b908f9bb6ba38ed3.

* chore: update copyright year in license headers

* fix: sort go imports

* fix: add missing license headers
2025-01-06 22:23:19 +01:00
ze0s
b68ae334ca
fix(http): init oidc handler if enabled (#1888)
2024-12-22 21:59:58 +01:00
soup
43c28fc0c6
feat(auth): implement auth proxy support with OpenID Connect (#1853)
* feat(auth): implement oidc

* refactor(auth): centralize OIDC state cookie handling

* fix(web): resolve unused error variables in route handlers

* docs(readme): add OIDC authentication feature to list

* fix(auth): improve OIDC cookie handling for reverse proxy setups

The OIDC state cookie's Secure flag is now properly set when running behind a reverse proxy by checking both direct TLS and the X-Forwarded-Proto header. This fixes authentication issues in common setups such as:

- autobrr runs behind a reverse proxy that terminates HTTPS
- local development environments without TLS
- mixed protocol environments (internal HTTP, external HTTPS)

* fix: use crypt/random if argon2id fails

* feat(auth): show both login options when user exists in db

If the user doesn't exist (e.g. canOnboard=true), we only show the OIDC button, since regular login makes no sense in that case.

If the user does not exist in the db and the user wants to create a local user, OIDC needs to be disabled first.

* feat(auth): improve OIDC provider initialization with discovery logging

* revert(issuer): do not remove trailing slash

* feat(auth): improve OIDC username resolution with additional claims

* fix(auth): handle OIDC issuer URLs with and without trailing slashes

When initializing the OIDC provider, automatically retry with/without trailing
slash if the first attempt fails.

- The first attempt uses the original issuer URL
- If it fails with a trailing slash, retry without one
- If it fails without a trailing slash, retry with one

* feat(oidc): add gorilla sessions store for secure state management

Add gorilla sessions store to handle encrypted state cookies in OIDC flow,
while removing redundant session validation checks

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): prevent duplicate OIDC state cookies for authenticated sessions

Modify OIDC config handler to check for existing authenticated sessions
before setting state cookie. Still returns OIDC enabled status to maintain
UI state, but prevents unnecessary cookie creation for authenticated users.

* feat(oidc): use random secret for temporary state cookies

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* feat(auth): add rate limiting to OIDC endpoints

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): validate OIDC authorization code presence in callback

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* fix(auth): properly handle OIDC session errors

Improve error handling in OIDC login flow by properly handling cookie store
session errors. Return HTTP 500 if session cannot be retrieved instead of
silently continuing with potentially invalid state.

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>

* feat(auth): track and display authentication method for oidc and password logins

* fix: tests

* docs(readme): add environment variable section

* go mod tidy

* chore: log style and errors

---------

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
Co-authored-by: ze0s <ze0s@riseup.net>
2024-12-19 14:41:31 +01:00
soup
99a9e6bc0f
fix(http): downgrade canOnboard check to warning log level (#1859)
2024-12-06 13:01:45 +01:00
martylukyy
8120c33f6b
fix(auth): cookie expiry and renewal (#1527)
* fix(auth/web): logout when expired/invalid/no cookie is present

* fix(auth/web): specify error message in invalid cookie

* fix(auth/web): reset error boundary on login

* fix(auth/web): fix onboarding

* chore: code cleanup

* fix(web): revert tanstack/router to 1.31.0

* refactor(web): remove react-error-boundary

* feat(auth): refresh cookie when close to expiry

* enhancement(web): specify defaultError message in HttpClient

* fix(web): use absolute paths for router links (#1530)

* chore(web): bump `@tanstack/react-router` to `1.31.6`

* fix(web): settings routes

* fix(web): filter routes

* fix(web): remove unused ReleasesIndexRoute

* chore(web): add documentation for HttpClient

* chore(lint): remove unnecessary whitespace
2024-05-08 10:38:02 +02:00
ze0s
f488c88f1b
fix(auth): force invalidate invalid session cookies in middleware (#1358)
* fix(auth): invalidate session cookies in middleware

* fix(auth): set path for invalid cookie
2024-01-20 20:10:26 +01:00
ze0s
45b522abf8
chore: update license header year (#1332)
* chore: update license header year

* chore: update license header year tsx files

* chore: update license header
2024-01-01 16:21:02 +01:00
Kyle Sanderson
6a94ecacca
refactor(http): auth handlers (#1311)
* fix(auth): implement invalid cookie handling

* that escalated quickly

* refactor(http): auth handlers

* add tests for auth handler

* refactor methods

* chore(tests): add header and build tag

* add build tag integration

* chore(tests): run in ci

---------

Co-authored-by: ze0s <ze0s@riseup.net>
2023-12-28 02:04:25 +01:00
KaiserBh
df2612602b
feat(auth): change password and username (#1295)
* feat(backend): added change password api endpoint.

* feat(web): added profile UI to change password.

I think we can change the username too, but I don't know if we should; for now the username field is disabled.

* refactor: don't leak username or password.

* refactor: protect the route.

* generic

* feat: add ChangeUsername

* fix(tests): speculative fix for TestUserRepo_Update

* Revert "feat: add ChangeUsername"

This reverts commit d4c1645002883a278aa45dec3c8c19fa1cc75d9b.

* refactor into 1 endpoint that handles both

* feat: added option to change username as well. :pain:

* refactor: frontend

* refactor: function names in backend

I think this makes it clearer what their function is.

* fix: change to 2 cols with separator

* refactor: update user

* fix: test db create user

---------

Co-authored-by: Kyle Sanderson <kyle.leet@gmail.com>
Co-authored-by: soup <soup@r4tio.dev>
Co-authored-by: martylukyy <35452459+martylukyy@users.noreply.github.com>
Co-authored-by: ze0s <ze0s@riseup.net>
2023-12-26 15:50:57 +01:00
ze0s
97333d334f
fix(auth): too restrictive session handling (#933)
2023-05-15 19:09:06 +02:00
ze0s
604c7896bd
chore: add LICENSE GPLv2-or-later (#897)
* chore: add LICENSE

* chore: add LICENSE to README
2023-05-01 16:21:59 +02:00
ze0s
83e9232b98
fix(auth): invalid session error (#892)
* chore: ignore dist dir

* fix(auth): speculative invalid session
2023-05-01 14:27:30 +02:00
ze0s
7f05dd1efd
fix(onboarding): could not create user (#848)
fix: onboarding not working
2023-04-17 20:56:17 +02:00
ze0s
6b1490726f
feat(http): improve invalid login handling (#597)
* feat(http): improve invalid login handling

* fix(http): do not log password
2022-12-31 01:04:41 +01:00
ze0s
e6c48a5228
feat(http): log invalid login attempts (#587)
2022-12-28 17:58:26 +01:00
ze0s
fa20978d58
feat(api): add apikey support (#408)
* feat(api): add apikey support

* feat(web): api settings crud
2022-08-15 11:58:13 +02:00
stacksmash76
4d753b76ed
refactor(web): update to react 18 and other deps (#285)
* Started refactoring codebase for React 18.

* Migrated to react-router v6 fully

* Removed useless test setup along with relevant packages.

* Removed leftover console.log statement

* feat: use status forbidden for onboarding

* refactor(web): use react hook form on login

* fix: comply with r18 shenanigans

* chore: update packages
2022-06-10 19:31:46 +02:00
Ludvig Lundgren
91b094f4f4
feat(config): reload on save and refactor logging (#275)
* feat(config): reload on save

* refactor(logging): rework
2022-05-20 09:27:01 +02:00
stacksmash76
1a4f3cf55d
feat: add ability to create an account via the webui (#223)
* feat: add ability to create an account via the webui without the need for autobrrctl

* refactor redundant code block.

* fix: early return and 0 value
2022-04-10 18:26:14 +02:00
Ludvig Lundgren
2d3ab67604
feat(web): redirect to login on expired cookie (#201)
* feat(web): redirect to login on expired cookie

* refactor: simplify auth wrapper
2022-03-26 19:46:16 +01:00
Ludvig Lundgren
efa84fee8b
Feature: Improve config for http server (#67)
* feat: improve config for http server

* Feature: Support multiple action status per release (#69)

* feat: move release actions to separate table

* chore: update sqlite driver

* fix(indexers): btn api client (#71)

What:

* Api key and torrentId in wrong order
* Set hardcoded ID in jsonrpc request object
* Parse torrentId from url

Fixes #68

* feat: show irc network status in settings list

* feat: show irc channel status

* chore: go mod tidy

* feat: improve config for http server

* feat: add context to user repo

* feat: only set secure cookie if https
2022-01-09 14:41:48 +01:00
Ludvig Lundgren
4d40d41628
Refactor irc client (#19)
* refactor: update http handlers

* feat: add trace log level

* refactor: irc handler

* refactor(definitions): add irc settings and invite cmd:

* feat: add dft values to inputs

* refactor: indexer irc forms

* refactor(definitions): fix nickserv.password var:

* feat: pre fill indexer name field

* refactor: handle stopping and updates
2021-08-29 23:23:02 +02:00
Ludvig Lundgren
5f69ae9380
feat: add secure flags to cookie (#17)
2021-08-22 15:31:20 +02:00
Ludvig Lundgren
40b855bf39
Feature: Auth (#4)
* feat(api): add auth

* feat(web): add auth and refactor

* refactor(web): baseurl

* feat: add autobrrctl cli for user creation

* build: move static assets

* refactor(web): auth guard and routing

* refactor: rename var

* fix: remove subrouter

* build: update default config
2021-08-14 14:19:21 +02:00