steve
41a4043af3
Self-hosted deployments already terminate TLS at Caddy/Traefik/nginx; making the server do TLS too means double cert config, dual ACME plumbing, and an untested code path. Drop RM_TLS_CERT/RM_TLS_KEY, remove TLSEnabled() and the ListenAndServeTLS branch. Replace the cookie's "Secure if TLS-in-process" check with a new RM_COOKIE_SECURE flag (default true). Local HTTP-only testing sets RM_COOKIE_SECURE=false; production is always behind a TLS proxy and the cookie stays Secure. Default port :8443 → :8080. docker-compose binds 127.0.0.1 only and populates RM_TRUSTED_PROXY. spec.md §4.1/§10.1 rewritten with a Caddyfile snippet and a hard "do not expose RM_LISTEN publicly" warning. enrollResponse keeps cert_pin_sha256 in the shape but the server can't introspect a cert it doesn't terminate — operator pastes the proxy's hash into -cert-pin at install time. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
193 lines
5.3 KiB
Go
193 lines
5.3 KiB
Go
package http
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"encoding/json"
|
|
stdhttp "net/http"
|
|
"time"
|
|
|
|
"github.com/oklog/ulid/v2"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/auth"
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
const (
|
|
sessionCookieName = "rm_session"
|
|
sessionTTL = 24 * time.Hour
|
|
bootstrapCookie = "rm_bootstrap_used"
|
|
)
|
|
|
|
type loginRequest struct {
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
type loginResponse struct {
|
|
UserID string `json:"user_id"`
|
|
Role string `json:"role"`
|
|
}
|
|
|
|
func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
var req loginRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
|
return
|
|
}
|
|
|
|
u, err := s.deps.Store.GetUserByUsername(r.Context(), req.Username)
|
|
if err != nil {
|
|
// Same response for unknown user vs bad password — don't leak
|
|
// existence to a probing attacker.
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_credentials", "")
|
|
return
|
|
}
|
|
if err := auth.VerifyPassword(u.PasswordHash, req.Password); err != nil {
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_credentials", "")
|
|
return
|
|
}
|
|
|
|
token, err := auth.NewToken()
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
now := time.Now().UTC()
|
|
sess := store.Session{
|
|
UserID: u.ID,
|
|
CreatedAt: now,
|
|
ExpiresAt: now.Add(sessionTTL),
|
|
IP: r.RemoteAddr,
|
|
UA: r.UserAgent(),
|
|
}
|
|
if err := s.deps.Store.CreateSession(r.Context(), sess, auth.HashToken(token)); err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
_ = s.deps.Store.MarkUserLogin(r.Context(), u.ID, now)
|
|
|
|
stdhttp.SetCookie(w, &stdhttp.Cookie{
|
|
Name: sessionCookieName,
|
|
Value: token,
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
Secure: s.deps.Cfg.CookieSecure,
|
|
SameSite: stdhttp.SameSiteLaxMode,
|
|
Expires: sess.ExpiresAt,
|
|
})
|
|
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &u.ID,
|
|
Actor: "user",
|
|
Action: "auth.login",
|
|
TS: now,
|
|
})
|
|
|
|
writeJSON(w, stdhttp.StatusOK, loginResponse{UserID: u.ID, Role: string(u.Role)})
|
|
}
|
|
|
|
func (s *Server) handleLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
if c, err := r.Cookie(sessionCookieName); err == nil {
|
|
_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value))
|
|
}
|
|
stdhttp.SetCookie(w, &stdhttp.Cookie{
|
|
Name: sessionCookieName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: s.deps.Cfg.CookieSecure,
|
|
SameSite: stdhttp.SameSiteLaxMode,
|
|
})
|
|
w.WriteHeader(stdhttp.StatusNoContent)
|
|
}
|
|
|
|
type bootstrapRequest struct {
|
|
Token string `json:"token"`
|
|
Username string `json:"username"`
|
|
Password string `json:"password"`
|
|
}
|
|
|
|
// handleBootstrap creates the first admin user. The endpoint accepts
|
|
// the one-time token printed in the server logs on first run, and is
|
|
// disabled the moment a user row exists.
|
|
func (s *Server) handleBootstrap(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
|
n, err := s.deps.Store.CountUsers(r.Context())
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
if n > 0 {
|
|
writeJSONError(w, stdhttp.StatusConflict, "already_initialised",
|
|
"a user already exists; bootstrap is disabled")
|
|
return
|
|
}
|
|
if s.deps.BootstrapToken == "" {
|
|
writeJSONError(w, stdhttp.StatusServiceUnavailable, "no_token",
|
|
"bootstrap token not configured")
|
|
return
|
|
}
|
|
|
|
var req bootstrapRequest
|
|
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
|
|
return
|
|
}
|
|
// Constant-time compare keeps timing analysis off the table.
|
|
if subtle.ConstantTimeCompare([]byte(req.Token), []byte(s.deps.BootstrapToken)) != 1 {
|
|
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_token", "")
|
|
return
|
|
}
|
|
if req.Username == "" || len(req.Password) < 12 {
|
|
writeJSONError(w, stdhttp.StatusBadRequest, "weak_password",
|
|
"password must be at least 12 characters")
|
|
return
|
|
}
|
|
|
|
hash, err := auth.HashPassword(req.Password)
|
|
if err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
u := store.User{
|
|
ID: ulid.Make().String(),
|
|
Username: req.Username,
|
|
PasswordHash: hash,
|
|
Role: store.RoleAdmin,
|
|
CreatedAt: time.Now().UTC(),
|
|
}
|
|
if err := s.deps.Store.CreateUser(r.Context(), u); err != nil {
|
|
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
|
|
return
|
|
}
|
|
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
|
ID: ulid.Make().String(),
|
|
UserID: &u.ID,
|
|
Actor: "system",
|
|
Action: "auth.bootstrap",
|
|
TS: u.CreatedAt,
|
|
})
|
|
|
|
writeJSON(w, stdhttp.StatusCreated, loginResponse{
|
|
UserID: u.ID, Role: string(u.Role),
|
|
})
|
|
}
|
|
|
|
// ----- json helpers --------------------------------------------------
|
|
|
|
type jsonError struct {
|
|
Code string `json:"code"`
|
|
Message string `json:"message,omitempty"`
|
|
}
|
|
|
|
func writeJSON(w stdhttp.ResponseWriter, status int, v any) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(status)
|
|
_ = json.NewEncoder(w).Encode(v)
|
|
}
|
|
|
|
func writeJSONError(w stdhttp.ResponseWriter, status int, code, msg string) {
|
|
writeJSON(w, status, jsonError{Code: code, Message: msg})
|
|
}
|