mirror of
https://github.com/advplyr/audiobookshelf.git
synced 2026-03-03 06:29:42 +00:00
refactored proxuauthstrategy and added some env variables
This commit is contained in:
alex-sviridov
parent
4875125ae9
commit
96c5a51eac
5 changed files with 103 additions and 126 deletions
|
|
@ -2,93 +2,57 @@ const passport = require('passport')
|
|||
const Database = require('../Database')
|
||||
const Logger = require('../Logger')
|
||||
|
||||
/**
|
||||
* Custom strategy for proxy authentication
|
||||
* Reads username from configurable header set by proxy middleware
|
||||
*/
|
||||
class ProxyStrategy {
|
||||
constructor(verify) {
|
||||
this.name = 'proxy'
|
||||
this.verify = verify
|
||||
}
|
||||
|
||||
authenticate(req, options) {
|
||||
const headerName = global.ServerSettings.authProxyHeaderName
|
||||
const ip = req.ip || req.connection?.remoteAddress || 'Unknown'
|
||||
const method = req.method
|
||||
const url = req.originalUrl || req.url
|
||||
|
||||
// Log all proxy auth attempts for debugging
|
||||
Logger.debug(`[ProxyAuthStrategy] ${method} ${url} from IP ${ip}`)
|
||||
Logger.debug(`[ProxyAuthStrategy] Configured header name: ${headerName}`)
|
||||
|
||||
// Log all headers for debugging (but mask sensitive ones)
|
||||
const headers = {}
|
||||
for (const [key, value] of Object.entries(req.headers)) {
|
||||
if (key.toLowerCase().includes('authorization') || key.toLowerCase().includes('cookie')) {
|
||||
headers[key] = '[MASKED]'
|
||||
} else {
|
||||
headers[key] = value
|
||||
}
|
||||
}
|
||||
Logger.debug(`[ProxyAuthStrategy] Request headers:`, headers)
|
||||
|
||||
if (!headerName) {
|
||||
Logger.warn(`[ProxyAuthStrategy] Proxy header name not configured for ${method} ${url} from IP ${ip}`)
|
||||
return this.fail({ message: 'Proxy header name not configured' }, 500)
|
||||
}
|
||||
|
||||
const username = req.get(headerName)
|
||||
Logger.debug(`[ProxyAuthStrategy] Header ${headerName} value: "${username}"`)
|
||||
|
||||
if (!username) {
|
||||
Logger.warn(`[ProxyAuthStrategy] No ${headerName} header found for ${method} ${url} from IP ${ip}`)
|
||||
return this.fail({ message: `No ${headerName} header found` }, 401)
|
||||
}
|
||||
|
||||
const verified = (err, user, info) => {
|
||||
if (err) {
|
||||
return this.error(err)
|
||||
}
|
||||
if (!user) {
|
||||
return this.fail(info, 401)
|
||||
}
|
||||
return this.success(user, info)
|
||||
}
|
||||
|
||||
try {
|
||||
this.verify(req, username, verified)
|
||||
} catch (ex) {
|
||||
return this.error(ex)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Proxy authentication strategy using configurable header
|
||||
* Reads username from header set by proxy middleware
|
||||
*/
|
||||
class ProxyAuthStrategy {
|
||||
constructor() {
|
||||
this.name = 'proxy'
|
||||
this.strategy = null
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the passport strategy instance
|
||||
* @returns {ProxyStrategy}
|
||||
* Passport authenticate method
|
||||
* @param {import('express').Request} req
|
||||
* @param {Object} options
|
||||
*/
|
||||
getStrategy() {
|
||||
if (!this.strategy) {
|
||||
this.strategy = new ProxyStrategy(this.verifyUser.bind(this))
|
||||
authenticate(req, options) {
|
||||
const headerName = global.ServerSettings.authProxyHeaderName
|
||||
|
||||
if (!headerName) {
|
||||
Logger.warn(`[ProxyAuthStrategy] Proxy header name not configured`)
|
||||
return this.fail({ message: 'Proxy header name not configured' }, 500)
|
||||
}
|
||||
return this.strategy
|
||||
|
||||
const username = req.get(headerName)
|
||||
|
||||
if (!username) {
|
||||
Logger.warn(`[ProxyAuthStrategy] No ${headerName} header found`)
|
||||
return this.fail({ message: `No ${headerName} header found` }, 401)
|
||||
}
|
||||
|
||||
let clientIp = req.ip || req.socket?.remoteAddress || 'Unknown'
|
||||
// Clean up IPv6-mapped IPv4 addresses (::ffff:192.168.1.1 -> 192.168.1.1)
|
||||
if (clientIp.startsWith('::ffff:')) {
|
||||
clientIp = clientIp.substring(7)
|
||||
}
|
||||
|
||||
this.verifyUser(username)
|
||||
.then(user => {
|
||||
Logger.debug(`[ProxyAuthStrategy] Successful proxy login for "${user.username}" from IP ${clientIp}`)
|
||||
return this.success(user)
|
||||
})
|
||||
.catch(error => {
|
||||
Logger.warn(`[ProxyAuthStrategy] Failed login attempt for "${username}" from IP ${clientIp}: ${error.message}`)
|
||||
return this.fail({ message: error.message }, 401)
|
||||
})
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize the strategy with passport
|
||||
*/
|
||||
init() {
|
||||
passport.use(this.name, this.getStrategy())
|
||||
passport.use(this.name, this)
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -96,72 +60,35 @@ class ProxyAuthStrategy {
|
|||
*/
|
||||
unuse() {
|
||||
passport.unuse(this.name)
|
||||
this.strategy = null
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify user from proxy header
|
||||
* @param {import('express').Request} req
|
||||
* @param {string} username
|
||||
* @param {Function} done - Passport callback
|
||||
* @returns {Promise<Object>} User object
|
||||
*/
|
||||
async verifyUser(req, username, done) {
|
||||
try {
|
||||
// Normalize username (trim and lowercase, following existing pattern)
|
||||
const normalizedUsername = username.trim().toLowerCase()
|
||||
async verifyUser(username) {
|
||||
const normalizedUsername = username.trim().toLowerCase()
|
||||
|
||||
if (!normalizedUsername) {
|
||||
const headerName = global.ServerSettings.authProxyHeaderName
|
||||
this.logFailedLoginAttempt(req, username, `Empty username in ${headerName} header`)
|
||||
return done(null, false, { message: `Invalid username in ${headerName} header` })
|
||||
}
|
||||
|
||||
// Look up user in database
|
||||
let user = await Database.userModel.getUserByUsername(normalizedUsername)
|
||||
|
||||
if (user && !user.isActive) {
|
||||
this.logFailedLoginAttempt(req, normalizedUsername, 'User is not active')
|
||||
return done(null, false, { message: 'User account is disabled' })
|
||||
}
|
||||
|
||||
if (!user) {
|
||||
this.logFailedLoginAttempt(req, normalizedUsername, 'User not found')
|
||||
return done(null, false, { message: 'User not found' })
|
||||
}
|
||||
|
||||
// Update user's last seen
|
||||
user.lastSeen = new Date()
|
||||
await user.save()
|
||||
|
||||
this.logSuccessfulLoginAttempt(req, user.username)
|
||||
return done(null, user)
|
||||
|
||||
} catch (error) {
|
||||
Logger.error(`[ProxyAuthStrategy] Authentication error:`, error)
|
||||
return done(error)
|
||||
if (!normalizedUsername) {
|
||||
throw new Error('Empty username')
|
||||
}
|
||||
}
|
||||
|
||||
const user = await Database.userModel.getUserByUsername(normalizedUsername)
|
||||
|
||||
/**
|
||||
* Log failed login attempt
|
||||
* @param {import('express').Request} req
|
||||
* @param {string} username
|
||||
* @param {string} reason
|
||||
*/
|
||||
logFailedLoginAttempt(req, username, reason) {
|
||||
const ip = req.ip || req.connection?.remoteAddress || 'Unknown'
|
||||
Logger.warn(`[ProxyAuthStrategy] Failed login attempt for "${username}" from IP ${ip}: ${reason}`)
|
||||
}
|
||||
if (!user) {
|
||||
throw new Error('User not found')
|
||||
}
|
||||
|
||||
/**
|
||||
* Log successful login attempt
|
||||
* @param {import('express').Request} req
|
||||
* @param {string} username
|
||||
*/
|
||||
logSuccessfulLoginAttempt(req, username) {
|
||||
const ip = req.ip || req.connection?.remoteAddress || 'Unknown'
|
||||
Logger.info(`[ProxyAuthStrategy] Successful proxy login for "${username}" from IP ${ip}`)
|
||||
if (!user.isActive) {
|
||||
throw new Error('User account is disabled')
|
||||
}
|
||||
|
||||
// Update user's last seen
|
||||
user.lastSeen = new Date()
|
||||
await user.save()
|
||||
|
||||
return user
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue