feat(dev): add local auth bypass mode
Some checks failed
continuous-integration/drone/pr Build is failing
Some checks failed
continuous-integration/drone/pr Build is failing
This commit is contained in:
58
api/auth.go
58
api/auth.go
@@ -49,7 +49,45 @@ func (api *API) authorizeCredentials(ctx context.Context, username string, passw
|
||||
}
|
||||
}
|
||||
|
||||
// resolveDevAuth returns an authData for the dev user when DISABLE_AUTH is
|
||||
// set. If DISABLE_AUTH_USER names a specific user, that user is looked up;
|
||||
// otherwise the first user in the database is used.
|
||||
func (api *API) resolveDevAuth(c *gin.Context) (authData, bool) {
|
||||
if api.cfg.DisableAuthUser != "" {
|
||||
user, err := api.db.Queries.GetUser(c, api.cfg.DisableAuthUser)
|
||||
if err != nil {
|
||||
log.Errorf("DISABLE_AUTH_USER=%q not found in database: %v", api.cfg.DisableAuthUser, err)
|
||||
return authData{}, false
|
||||
}
|
||||
return authData{
|
||||
UserName: user.ID,
|
||||
IsAdmin: user.Admin,
|
||||
AuthHash: *user.AuthHash,
|
||||
}, true
|
||||
}
|
||||
|
||||
users, err := api.db.Queries.GetUsers(c)
|
||||
if err != nil || len(users) == 0 {
|
||||
return authData{}, false
|
||||
}
|
||||
return authData{
|
||||
UserName: users[0].ID,
|
||||
IsAdmin: users[0].Admin,
|
||||
AuthHash: *users[0].AuthHash,
|
||||
}, true
|
||||
}
|
||||
|
||||
func (api *API) authKOMiddleware(c *gin.Context) {
|
||||
// Dev Auth Bypass
|
||||
if api.cfg.DisableAuth {
|
||||
if auth, ok := api.resolveDevAuth(c); ok {
|
||||
c.Set("Authorization", auth)
|
||||
c.Header("Cache-Control", "private")
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
session := sessions.Default(c)
|
||||
|
||||
// Check Session First
|
||||
@@ -89,6 +127,16 @@ func (api *API) authKOMiddleware(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (api *API) authOPDSMiddleware(c *gin.Context) {
|
||||
// Dev Auth Bypass
|
||||
if api.cfg.DisableAuth {
|
||||
if auth, ok := api.resolveDevAuth(c); ok {
|
||||
c.Set("Authorization", auth)
|
||||
c.Header("Cache-Control", "private")
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
c.Header("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
|
||||
|
||||
user, rawPassword, hasAuth := c.Request.BasicAuth()
|
||||
@@ -113,6 +161,16 @@ func (api *API) authOPDSMiddleware(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (api *API) authWebAppMiddleware(c *gin.Context) {
|
||||
// Dev Auth Bypass
|
||||
if api.cfg.DisableAuth {
|
||||
if auth, ok := api.resolveDevAuth(c); ok {
|
||||
c.Set("Authorization", auth)
|
||||
c.Header("Cache-Control", "private")
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
session := sessions.Default(c)
|
||||
|
||||
// Check Session
|
||||
|
||||
@@ -6,6 +6,7 @@ import (
|
||||
"io/fs"
|
||||
"net/http"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"reichard.io/antholume/config"
|
||||
"reichard.io/antholume/database"
|
||||
)
|
||||
@@ -28,6 +29,10 @@ func NewServer(db *database.DBManager, cfg *config.Config, assets fs.FS) *Server
|
||||
assets: assets,
|
||||
}
|
||||
|
||||
if cfg.DisableAuth {
|
||||
log.Warn("DISABLE_AUTH is set — all API requests will bypass authentication")
|
||||
}
|
||||
|
||||
// Create strict handler with authentication middleware
|
||||
strictHandler := NewStrictHandler(s, []StrictMiddlewareFunc{s.authMiddleware})
|
||||
|
||||
@@ -51,6 +56,22 @@ func (s *Server) authMiddleware(handler StrictHandlerFunc, operationID string) S
|
||||
return handler(ctx, w, r, request)
|
||||
}
|
||||
|
||||
// Dev Auth Bypass - Inject an admin session when DISABLE_AUTH is set.
|
||||
// This avoids repeated logins during local development. Uses the
|
||||
// first user in the database so that DB queries using the user ID
|
||||
// return real data.
|
||||
if s.cfg.DisableAuth {
|
||||
devAuth, ok := s.resolveDevAuth(ctx)
|
||||
if !ok {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
w.WriteHeader(500)
|
||||
json.NewEncoder(w).Encode(ErrorResponse{Code: 500, Message: "DISABLE_AUTH: no users in database; register one first"})
|
||||
return nil, nil
|
||||
}
|
||||
ctx = context.WithValue(ctx, "auth", devAuth)
|
||||
return handler(ctx, w, r, request)
|
||||
}
|
||||
|
||||
auth, ok := s.getSession(r)
|
||||
if !ok {
|
||||
// Write 401 response directly
|
||||
@@ -89,6 +110,26 @@ func (s *Server) authMiddleware(handler StrictHandlerFunc, operationID string) S
|
||||
}
|
||||
}
|
||||
|
||||
// resolveDevAuth determines the dev user identity when DISABLE_AUTH is set.
|
||||
// If DISABLE_AUTH_USER is specified, that user is looked up; otherwise the
|
||||
// first user in the database is used.
|
||||
func (s *Server) resolveDevAuth(ctx context.Context) (authData, bool) {
|
||||
if s.cfg.DisableAuthUser != "" {
|
||||
user, err := s.db.Queries.GetUser(ctx, s.cfg.DisableAuthUser)
|
||||
if err != nil {
|
||||
log.Errorf("DISABLE_AUTH_USER=%q not found in database: %v", s.cfg.DisableAuthUser, err)
|
||||
return authData{}, false
|
||||
}
|
||||
return authData{UserName: user.ID, IsAdmin: user.Admin}, true
|
||||
}
|
||||
|
||||
users, err := s.db.Queries.GetUsers(ctx)
|
||||
if err != nil || len(users) == 0 {
|
||||
return authData{}, false
|
||||
}
|
||||
return authData{UserName: users[0].ID, IsAdmin: users[0].Admin}, true
|
||||
}
|
||||
|
||||
// GetInfo returns server information
|
||||
func (s *Server) GetInfo(ctx context.Context, request GetInfoRequestObject) (GetInfoResponseObject, error) {
|
||||
return GetInfo200JSONResponse{
|
||||
|
||||
Reference in New Issue
Block a user