Compare commits

..

3 Commits

5 changed files with 247 additions and 112 deletions

View File

@ -1,7 +1,7 @@
# lucidAuth [![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#)
> *Respect* the unexpected, mitigate your risks
Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
Forward Authentication for use with loadbalancers/proxies/webservers (Apache, ~~Caddy~~, Lighttpd, NGINX, Traefik, etc)
## Usage
- Create a new folder, navigate to it in a commandprompt and run the following command:
@ -9,42 +9,69 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`
- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder
- Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)
- Edit your proxy's configuration to use the new website as forward proxy:
#### ~~in Caddy/nginx~~ <small>(planned for a later stage)</small>
- Edit your webserver's/proxy's configuration to use the new website for forward authentication:
- #### ~~in Apache~~ <small>(Soon™)</small>
#### in Traefik
- #### ~~in Caddy~~ <small>(Never, due to lacking functionality)</small>
- #### ~~in Lighttpd~~ <small>(Soon™)</small>
- #### in NGINX
Add the following lines (adjust to reflect your existing configuration - more [details](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)):
```
http {
#...
server {
#...
location /private/ {
auth_request /auth;
auth_request_set $auth_status $upstream_status;
}
location = /auth {
internal;
proxy_pass https://<fqdn>/lucidAuth.validateRequest.php;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
}
```
- #### in Traefik
Add the following lines (change to reflect your existing configuration):
##### 1.7
##### 1.7.x (more [details](https://docs.traefik.io/v1.7/configuration/entrypoints/#forward-authentication))
```
[frontends.server1]
entrypoints = ["https"]
backend = "server1"
[frontends.server1.auth.forward]
address = "https://<fqdn>/lucidAuth.validateRequest.php"
[frontends.server1.routes]
[frontends.server1.routes.ext]
rule = "Host:<fqdn>"
entrypoints = ["https"]
backend = "server1"
[frontends.server1.auth.forward]
address = "https://<fqdn>/lucidAuth.validateRequest.php"
[frontends.server1.routes]
[frontends.server1.routes.ext]
rule = "Host:<fqdn>"
```
##### 2.0
##### 2.x (more [details](https://docs.traefik.io/middlewares/forwardauth/))
Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration:
```
entryPoints:
https:
address: :443
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.0/24"
# insecure: true
https:
address: :443
forwardedHeaders:
trustedIPs:
- "127.0.0.1/32"
- "192.168.1.0/24"
# insecure: true
```
Define a middleware that tells Traefik to forward requests for authentication in your dynamic file provider:
```
https:
middlewares:
ldap-authentication:
forwardAuth:
address: "https://<fqdn>/lucidAuth.validateRequest.php"
trustForwardHeader: true
middlewares:
ldap-authentication:
forwardAuth:
address: "https://<fqdn>/lucidAuth.validateRequest.php"
trustForwardHeader: true
```
And finally add the new middleware to your service (different methods; this depends on your configuration):
```
@ -52,9 +79,9 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
traefik.http.routers.router1.middlewares: "ldap-authentication@file"
# as yaml (when using file provider)
routers:
router1:
middlewares:
- "ldap-authentication"
router1:
middlewares:
- "ldap-authentication"
```
- #### Important!

View File

@ -106,7 +106,7 @@ function storeToken (string $secureToken, string $qualifiedUsername, string $htt
// This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
}))[0];
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
if ($cookieDomain && setcookie('JWT', $secureToken, (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain, TRUE)) {
return ['status' => 'Success'];
} else {
return ['status' => 'Fail', 'reason' => 'Unable to store cookie(s)'];

View File

@ -3,7 +3,7 @@
include_once('../include/lucidAuth.functions.php');
if ($_POST['do'] == 'login') {
if ($_POST['do'] === 'login') {
$result = authenticateLDAP($_POST['username'], $_POST['password']);
if ($result['status'] === 'Success') {
// Store authentication token; in database serverside & in cookie clientside

View File

@ -8,72 +8,123 @@
}
if ($validateTokenResult['status'] === "Success") {
if ($_REQUEST['do'] === 'retrievesessions') {
$storedTokens = [];
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value
FROM SecureToken
WHERE SecureToken.UserId = :userid
');
$pdoQuery->execute([
':userid' => (int) $_REQUEST['userid']
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$JWTPayload = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
$storedTokens[] = [
'tid' => $row['Id'],
'iat' => $JWTPayload->iat,
'iss' => $JWTPayload->iss,
'fp' => $JWTPayload->fp
];
} catch (Exception $e) {
// Invalid token
continue;
switch ($_REQUEST['do']) {
case 'mutateusers':
if (isset($_REQUEST['new']) && isset($_REQUEST['removed'])) {
// Do magic!
}
}
else {
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Incomplete request data"
]);
}
break;
case 'retrievesessions':
$storedTokens = [];
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Success",
"SessionCount" => sizeof($storedTokens),
"UserSessions" => json_encode($storedTokens)
]);
} else {
// No action requested, default action
include_once('../include/lucidAuth.template.php');
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value
FROM SecureToken
WHERE SecureToken.UserId = :userid
');
$pdoQuery->execute([
':userid' => (int) $_REQUEST['userid']
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$JWTPayload = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
$storedTokens[] = [
'tid' => $row['Id'],
'iat' => $JWTPayload->iat,
'iss' => $JWTPayload->iss,
'fp' => $JWTPayload->fp
];
} catch (Exception $e) {
// Invalid token
continue;
}
}
try {
$allUsers = $pdoDB->query('
SELECT User.Id, User.Username, Role.Rolename
FROM User
LEFT JOIN Role
ON (Role.Id = User.RoleId)
')->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Success",
"SessionCount" => sizeof($storedTokens),
"UserSessions" => json_encode($storedTokens)
]);
break;
case 'deletesession':
if (isset($_REQUEST['userid']) && isset($_REQUEST['tokenid'])) {
try {
$pdoQuery = $pdoDB->prepare('
DELETE FROM SecureToken
WHERE SecureToken.UserId = :userid AND SecureToken.Id = :tokenid
');
$pdoQuery->execute([
':userid' => (int) $_REQUEST['userid'],
':tokenid' => (int) $_REQUEST['tokenid']
]);
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Success",
"RowCount" => $pdoQuery->RowCount()
]);
}
catch (Exception $e) {
// Return JSON object
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Failed deleting tokens from database"
]);
exit;
}
} else {
header('Content-Type: application/json');
echo json_encode([
"Result" => "Failure",
"Reason" => "Incomplete request data"
]);
}
break;
default:
// No action requested, default action
include_once('../include/lucidAuth.template.php');
try {
$allUsers = $pdoDB->query('
SELECT User.Id, User.Username, Role.Rolename
FROM User
LEFT JOIN Role
ON (Role.Id = User.RoleId)
')->fetchAll(PDO::FETCH_ASSOC);
} catch (Exception $e) {
// Should really do some actual errorhandling here
throw new Exception($e);
}
foreach($allUsers as $row) {
$tableRows[] = sprintf('<tr%1$s><td data-userid="%2$s">%3$s</td><td>%4$s</td><td class="immutable">%5$s</td></tr>',
$validateTokenResult['uid'] === $row['Id'] ? ' class="currentuser"': null,
$row['Id'],
explode('\\', $row['Username'])[1],
$row['Rolename'],
'<button class="bttn-simple bttn-xs bttn-primary session" data-translation="button_sessions">Sessions</button>' . ($validateTokenResult['uid'] === $row['Id'] ? null : '&nbsp;<button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">Delete</button>')
);
}
throw new Exception($e);
}
foreach($allUsers as $row) {
$tableRows[] = sprintf('<tr%1$s><td data-userid="%2$s">%3$s</td><td>%4$s</td><td class="immutable">%5$s</td></tr>',
$validateTokenResult['uid'] === $row['Id'] ? ' class="currentuser"': null,
$row['Id'],
explode('\\', $row['Username'])[1],
$row['Rolename'],
'<button class="bttn-simple bttn-xs bttn-primary session" data-translation="button_sessions">Sessions</button>' . ($validateTokenResult['uid'] === $row['Id'] ? null : '&nbsp;<button class="bttn-simple bttn-xs bttn-primary delete" data-translation="button_delete">Delete</button>')
);
}
echo sprintf($pageLayout['full_alt'],
sprintf($contentLayout['manage']['header'],
$validateTokenResult['name']
),
sprintf($contentLayout['manage']['section'],
implode($tableRows)
)
);
echo sprintf($pageLayout['full_alt'],
sprintf($contentLayout['manage']['header'],
$validateTokenResult['name']
),
sprintf($contentLayout['manage']['section'],
implode($tableRows)
)
);
break;
}
} else {
// No cookie containing valid authentication token found;

View File

@ -1,22 +1,74 @@
jQuery.fn.inlineConfirm = function() {
return this.on('click', function(event) {
sessionID = $(this).data('sessionid');
// event.preventDefault();
$(this).off('click').parent().empty().append(
$('<button>', {
jQuery.fn.ConfirmDelete = function() {
return this.on('click', function() {
var sessionID = $(this).data('sessionid');
$(this).off('click').parent().empty()
.append($('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_yes'],
class: 'bttn-simple bttn-xs bttn-primary sessiondeleteconfirm',
style: 'margin-right: 3px;',
'data-translation': 'button_yes',
'data-sessionid': sessionID
})).append(
$('<button>', {
}).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this);
$(pressedButton).prop('disabled', true).css({
'background': '#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center',
'color': 'transparent',
'transform': 'rotateX(180deg)',
'cursor': 'default'
}).next().prop('disabled', true).addClass('disabled');
$.post("lucidAuth.manage.php", {
do: "deletesession",
tokenid: sessionID,
userid: $(pressedButton).closest('tr').data('userid')
})
.done(function(data,_status) {
if (data.Result === 'Success') {
$(pressedButton).css({
'background': 'green url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaklEQVQ4jeXOMQ5AQBBG4T2BC4i76EWich7ncAKbqCRuodTqnMNTkFgJs3ZU4tXz/Rlj/hUQv8EpMAClFk9sjUAiHVcCnoFMwhZYgPYG575Xe46aIOyMdJx7ji9GwrEzUgOFCu8DkRp/qxU2BKCUyZR6ygAAAABJRU5ErkJggg==) no-repeat center',
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$(pressedButton).closest('tr').fadeOut(500, function() {
$(this).remove()});
}, 2250);
} else {
$(pressedButton).css({
'background': 'red url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAv0lEQVQ4jaWT0Q3CMAxELwh1BEag87AJ6hcLlE/KBLABrNEV2h26QaXHj4NMGgpS7sfJJXd24kQqRMiRQC3pIKk2apD0DCEMq25ABZyBmSVmW6vWxH1GmKLPmph7xJQReq5dnNmVPQE7oHOCzrhoMts9vQ1OSbYOCBb92OPkDe6ZkqMwJwa4SdJmtS1/YGsx7e9VUiPpYvPG4tHtGUsvcf+RkpI2mkHZQ3ImLd+fcpuKf32meM5R0iOEMOb2F+EF33vgCePVr8UAAAAASUVORK5CYII=) no-repeat center',
'transform': 'rotateX(0deg)'
});
setTimeout(function() {
$(pressedButton).closest('td').empty()
.append(
$('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'],
class: 'bttn-simple bttn-xs bttn-primary sessiondelete',
'data-translation': 'button_delete',
'data-sessionid': sessionID
}).ConfirmDelete())
}, 2250);
}
});
}))
.append($('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_no'],
class: 'bttn-simple bttn-xs bttn-primary sessiondeletecancel',
'data-translation': 'button_no',
'data-sessionid': sessionID
})
);
}).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this);
$(pressedButton).closest('td').empty()
.append(
$('<button>', {
text: locales[(localStorage.getItem('language') !== null ? localStorage.getItem('language') : 'en')]['button_delete'],
class: 'bttn-simple bttn-xs bttn-primary sessiondelete',
'data-translation': 'button_delete',
'data-sessionid': sessionID
}).ConfirmDelete())
}))
});
};
@ -35,9 +87,11 @@ $(document).ready(function(){
$('#sessions tbody').empty();
$('#sessions').fadeToggle();
var userID = $(this).closest('tr').find('td:nth-child(1)').data('userid');
$.post("lucidAuth.manage.php", {
do: "retrievesessions",
userid: $(this).closest('tr').find('td:nth-child(1)').data('userid')
userid: userID
})
.done(function(data,_status) {
if (data.Result === 'Success') {
@ -51,7 +105,9 @@ $(document).ready(function(){
} catch(e) {
// Do nothing
}
$('#sessiontable tbody').append($('<tr>')
$('#sessiontable tbody').append($('<tr>', {
'data-userid': userID
})
.append($('<td>', {
text: new Date(Sessions[i]['iat'] * 1000).toLocaleString('en-GB')
}))
@ -70,7 +126,7 @@ $(document).ready(function(){
}))
);
}
$('#sessiontable .sessiondelete').inlineConfirm();
$('#sessiontable .sessiondelete').ConfirmDelete();
} else {
}
});
@ -131,14 +187,15 @@ $(document).ready(function(){
});
console.log({'new': newEntries, 'removed': removedEntries});
/* $.get("psworker.php", {
do: "mutate",
mutations: {
new: newEntries,
removed: removedEntries
}
})*/
/*
$.post("lucidAuth.manage.php", {
do: "mutateusers",
new: newEntries,
removed: removedEntries
})
.done(function(data,_status) {
}
*/
});
$('#btncancel').click(function() {