sysadminsmedia · LelouBil · Sep 25, 2024
diff --git a/backend/app/api/handlers/v1/controller.go b/backend/app/api/handlers/v1/controller.go
@@ -51,6 +51,12 @@ func WithRegistration(allowRegistration bool) func(*V1Controller) {
 	}
 }
 
+func WithHeaderAuthEnabled(headerAuthEnabled bool) func(*V1Controller) {
+	return func(ctrl *V1Controller) {
+		ctrl.headerAuthEnabled = headerAuthEnabled
+	}
+}
+
 func WithSecureCookies(secure bool) func(*V1Controller) {
 	return func(ctrl *V1Controller) {
 		ctrl.cookieSecure = secure
@@ -70,6 +76,7 @@ type V1Controller struct {
 	maxUploadSize     int64
 	isDemo            bool
 	allowRegistration bool
+	headerAuthEnabled bool
 	bus               *eventbus.EventBus
 	url               string
 }
@@ -91,6 +98,7 @@ type (
 		Build             Build    `json:"build"`
 		Demo              bool     `json:"demo"`
 		AllowRegistration bool     `json:"allowRegistration"`
+		HeaderAuthEnabled bool     `json:"headerAuthEnabled"`
 	}
 )
 
@@ -125,6 +133,7 @@ func (ctrl *V1Controller) HandleBase(ready ReadyFunc, build Build) errchain.Hand
 			Build:             build,
 			Demo:              ctrl.isDemo,
 			AllowRegistration: ctrl.allowRegistration,
+			HeaderAuthEnabled: ctrl.headerAuthEnabled,
 		})
 	}
 }

diff --git a/backend/app/api/main.go b/backend/app/api/main.go
@@ -39,6 +39,7 @@ var (
 
 func build() string {
 	short := commit
+	//goland:noinspection GoBoolExpressions
 	if len(short) > 7 {
 		short = short[:7]
 	}
@@ -72,6 +73,13 @@ func run(cfg *config.Config) error {
 	app := new(cfg)
 	app.setupLogger()
 
+	if (cfg.Proxy.HeaderExternalUserName != "" || cfg.Proxy.HeaderExternalUserId != "") && len(cfg.Proxy.TrustedHosts) == 0 {
+		panic("To use External User login, Trusted Hosts must be set")
+	}
+	if cfg.Proxy.HeaderExternalUserName != "" && cfg.Proxy.HeaderExternalUserId == "" {
+		panic("External User Name header is set but External User ID Header is not set")
+	}
+
 	// =========================================================================
 	// Initialize Database & Repos
 
@@ -173,14 +181,22 @@ func run(cfg *config.Config) error {
 	logger := log.With().Caller().Logger()
 
 	router := chi.NewMux()
-	router.Use(
+	var middlewares []func(handler http.Handler) http.Handler
+	if len(app.conf.Proxy.TrustedHosts) > 0 {
+		middlewares = append(middlewares,
+			mid.TrustedIps(logger, app.conf.Proxy.TrustedHosts),
+			middleware.RealIP,
+		)
+	}
+	middlewares = append(middlewares,
 		middleware.RequestID,
-		middleware.RealIP,
 		mid.Logger(logger),
 		middleware.Recoverer,
 		middleware.StripSlashes,
 	)
 
+	router.Use(middlewares...)
+
 	chain := errchain.New(mid.Errors(logger))
 
 	app.mountRoutes(router, chain, app.repos)

diff --git a/backend/app/api/middleware.go b/backend/app/api/middleware.go
@@ -96,6 +96,21 @@ func getQuery(r *http.Request) (string, error) {
 	return token, nil
 }
 
+func getHeader(external_user_id_header string, external_user_name_header string, user_service *services.UserService) func(r *http.Request) (string, error) {
+	return func(r *http.Request) (string, error) {
+		externalId := r.Header.Get(external_user_id_header)
+		if externalId == "" {
+			return "", errors.New("external user id header is required")
+		}
+		userToken, err := user_service.LoginWithExternalIDHeader(r.Context(), externalId)
+		if err != nil {
+			//todo create user
+			return "", errors.New("no user with provided external user id")
+		}
+		return userToken.Raw, nil
+	}
+}
+
 // mwAuthToken is a middleware that will check the database for a stateful token
 // and attach it's user to the request context, or return an appropriate error.
 // Authorization support is by token via Headers or Query Parameter
@@ -116,10 +131,13 @@ func (a *app) mwAuthToken(next errchain.Handler) errchain.Handler {
 		}
 
 		if requestToken == "" {
-			keyFuncs := [...]KeyFunc{
+			keyFuncs := []KeyFunc{
 				getBearer,
 				getQuery,
 			}
+			if len(a.conf.Proxy.TrustedHosts) > 0 {
+				keyFuncs = append(keyFuncs, getHeader(a.conf.Proxy.HeaderExternalUserId, a.conf.Proxy.HeaderExternalUserName, a.services.User))
+			}
 
 			for _, keyFunc := range keyFuncs {
 				token, err := keyFunc(r)

diff --git a/backend/app/api/routes.go b/backend/app/api/routes.go
@@ -54,6 +54,7 @@ func (a *app) mountRoutes(r *chi.Mux, chain *errchain.ErrChain, repos *repo.AllR
 		a.bus,
 		v1.WithMaxUploadSize(a.conf.Web.MaxUploadSize),
 		v1.WithRegistration(a.conf.Options.AllowRegistration),
+		v1.WithHeaderAuthEnabled(a.conf.Proxy.HeaderExternalUserId != ""),
 		v1.WithDemoStatus(a.conf.Demo), // Disable Password Change in Demo Mode
 		v1.WithURL(fmt.Sprintf("%s:%s", a.conf.Web.Host, a.conf.Web.Port)),
 	)

diff --git a/backend/app/api/static/docs/docs.go b/backend/app/api/static/docs/docs.go
@@ -2944,6 +2944,9 @@ const docTemplate = `{
                 "demo": {
                     "type": "boolean"
                 },
+                "headerAuthEnabled": {
+                    "type": "boolean"
+                },
                 "health": {
                     "type": "boolean"
                 },

diff --git a/backend/app/api/static/docs/swagger.json b/backend/app/api/static/docs/swagger.json
@@ -2937,6 +2937,9 @@
                 "demo": {
                     "type": "boolean"
                 },
+                "headerAuthEnabled": {
+                    "type": "boolean"
+                },
                 "health": {
                     "type": "boolean"
                 },

diff --git a/backend/app/api/static/docs/swagger.yaml b/backend/app/api/static/docs/swagger.yaml
@@ -671,6 +671,8 @@ definitions:
         $ref: '#/definitions/v1.Build'
       demo:
         type: boolean
+      headerAuthEnabled:
+        type: boolean
       health:
         type: boolean
       message:

diff --git a/backend/internal/core/services/service_user.go b/backend/internal/core/services/service_user.go
@@ -197,6 +197,15 @@ func (svc *UserService) Login(ctx context.Context, username, password string, ex
 	return svc.createSessionToken(ctx, usr.ID, extendedSession)
 }
 
+// LoginWithExternalIDHeader returns the user matching the external id provided
+func (svc *UserService) LoginWithExternalIDHeader(ctx context.Context, id string) (UserAuthTokenDetail, error) {
+	usr, err := svc.repos.Users.GetOneExternalID(ctx, id)
+	if err != nil {
+		return UserAuthTokenDetail{}, ErrorInvalidLogin
+	}
+	return svc.createSessionToken(ctx, usr.ID, false)
+}
+
 func (svc *UserService) Logout(ctx context.Context, token string) error {
 	hash := hasher.HashToken(token)
 	err := svc.repos.AuthTokens.DeleteToken(ctx, hash)

diff --git a/backend/internal/data/ent/migrate/schema.go b/backend/internal/data/ent/migrate/schema.go
diff --git a/backend/internal/data/ent/mutation.go b/backend/internal/data/ent/mutation.go
diff --git a/backend/internal/data/ent/schema/user.go b/backend/internal/data/ent/schema/user.go
@@ -45,6 +45,9 @@ func (User) Fields() []ent.Field {
 			Values("user", "owner"),
 		field.Time("activated_on").
 			Optional(),
+		field.String("external_user_id").
+			Optional().
+			Sensitive(),
 	}
 }
 

diff --git a/backend/internal/data/ent/user.go b/backend/internal/data/ent/user.go