pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-03-10 04:36:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Extend Basic Auth compatibility with browsers

Browse Source
This commit is contained in:
Julien Breton
2025-12-01 01:18:09 +01:00
parent 02fbc279b5
commit 46ed27a218
31 changed files with 527 additions and 300 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
messages/bg-BG.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Създайте своя организация, сайт и ресурси", "setupCreate": "Създайте своя организация, сайт и ресурси",
"setupNewOrg": "Нова организация", "setupNewOrg": "Нова организация",
"setupCreateOrg": "Създаване на организация", "setupCreateOrg": "Създаване на организация",

2
messages/cs-CZ.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Vytvořte si organizaci, lokalitu a služby", "setupCreate": "Vytvořte si organizaci, lokalitu a služby",
"setupNewOrg": "Nová organizace", "setupNewOrg": "Nová organizace",
"setupCreateOrg": "Vytvořit organizaci", "setupCreateOrg": "Vytvořit organizaci",

2
messages/de-DE.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Erstelle eine Organisation, einen Standort und Ressourcen", "setupCreate": "Erstelle eine Organisation, einen Standort und Ressourcen",
"setupNewOrg": "Neue Organisation", "setupNewOrg": "Neue Organisation",
"setupCreateOrg": "Organisation erstellen", "setupCreateOrg": "Organisation erstellen",

2
messages/en-US.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Create your organization, site, and resources", "setupCreate": "Create your organization, site, and resources",
"setupNewOrg": "New Organization", "setupNewOrg": "New Organization",
"setupCreateOrg": "Create Organization", "setupCreateOrg": "Create Organization",

2
messages/es-ES.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Crea tu organización, sitio y recursos", "setupCreate": "Crea tu organización, sitio y recursos",
"setupNewOrg": "Nueva organización", "setupNewOrg": "Nueva organización",
"setupCreateOrg": "Crear organización", "setupCreateOrg": "Crear organización",

36
messages/fr-FR.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Activez cette option pour forcer une réponse 401 lorsqu'un jeton d'authentification est manquant. Cette option est nécessaire pour les navigateurs et certaines bibliothèques HTTP qui n'envoient pas d'informations d'identification sans challenge du serveur.",
"headerAuthCompatibility": "Compatibilité étendue",
"setupCreate": "Créez votre organisation, vos nœuds et vos ressources", "setupCreate": "Créez votre organisation, vos nœuds et vos ressources",
"setupNewOrg": "Nouvelle organisation", "setupNewOrg": "Nouvelle organisation",
"setupCreateOrg": "Créer une organisation", "setupCreateOrg": "Créer une organisation",
@@ -1834,23 +1836,23 @@
"rewritePathDescription": "Réécrivez éventuellement le chemin avant de le transmettre à la cible.", "rewritePathDescription": "Réécrivez éventuellement le chemin avant de le transmettre à la cible.",
"continueToApplication": "Continuer vers l'application", "continueToApplication": "Continuer vers l'application",
"checkingInvite": "Vérification de l'invitation", "checkingInvite": "Vérification de l'invitation",
"setResourceHeaderAuth": "Définir l\\'authentification d\\'en-tête de la ressource", "setResourceHeaderAuth": "Définir l\\'authentification via en-tête de la ressource",
"resourceHeaderAuthRemove": "Supprimer l'authentification de l'en-tête", "resourceHeaderAuthRemove": "Supprimer l'authentification via en-tête",
"resourceHeaderAuthRemoveDescription": "Authentification de l'en-tête supprimée avec succès.", "resourceHeaderAuthRemoveDescription": "En-tête d'authentification supprimée avec succès.",
"resourceErrorHeaderAuthRemove": "Échec de la suppression de l'authentification de l'en-tête", "resourceErrorHeaderAuthRemove": "Échec de la suppression de l'authentification via en-tête",
"resourceErrorHeaderAuthRemoveDescription": "Impossible de supprimer l'authentification de l'en-tête de la ressource.", "resourceErrorHeaderAuthRemoveDescription": "Impossible de supprimer l'authentification via en-tête sur la ressource.",
"resourceHeaderAuthProtectionEnabled": "Authentification de l'en-tête activée", "resourceHeaderAuthProtectionEnabled": "Authentification par en-tête Activée",
"resourceHeaderAuthProtectionDisabled": "L'authentification de l'en-tête est désactivée", "resourceHeaderAuthProtectionDisabled": "Authentification par en-tête Désactivée",
"headerAuthRemove": "Supprimer l'authentification de l'en-tête", "headerAuthRemove": "Supprimer l'authentification via en-tête",
"headerAuthAdd": "Ajouter l'authentification de l'en-tête", "headerAuthAdd": "Ajouter une en-tête d'authentification",
"resourceErrorHeaderAuthSetup": "Impossible de définir l'authentification de l'en-tête", "resourceErrorHeaderAuthSetup": "Impossible de définir l'authentification via en-tête",
"resourceErrorHeaderAuthSetupDescription": "Impossible de définir l'authentification de l'en-tête pour la ressource.", "resourceErrorHeaderAuthSetupDescription": "Impossible de définir l'authentification via en-tête pour la ressource.",
"resourceHeaderAuthSetup": "Authentification de l'en-tête définie avec succès", "resourceHeaderAuthSetup": "Authentification via en-tête définie avec succès",
"resourceHeaderAuthSetupDescription": "L'authentification de l'en-tête a été définie avec succès.", "resourceHeaderAuthSetupDescription": "L'authentification via en-tête a été définie avec succès.",
"resourceHeaderAuthSetupTitle": "Authentification de l'en-tête", "resourceHeaderAuthSetupTitle": "Authentification via en-tête",
"resourceHeaderAuthSetupTitleDescription": "Définissez les identifiants d'authentification de base (nom d'utilisateur et mot de passe) pour protéger cette ressource avec l'authentification de l'en-tête HTTP. Accédez-y en utilisant le format https://username:password@resource.example.com", "resourceHeaderAuthSetupTitleDescription": "Définissez les identifiants d'authentification de base (nom d'utilisateur et mot de passe) pour protéger cette ressource avec l'authentification via en-tête HTTP. Accédez-y en utilisant le format https://username:password@resource.example.com",
"resourceHeaderAuthSubmit": "Authentification de l'en-tête", "resourceHeaderAuthSubmit": "Activer la protection via en-tête",
"actionSetResourceHeaderAuth": "Authentification de l'en-tête", "actionSetResourceHeaderAuth": "Authentification via en-tête",
"enterpriseEdition": "Édition Entreprise", "enterpriseEdition": "Édition Entreprise",
"unlicensed": "Sans licence", "unlicensed": "Sans licence",
"beta": "Bêta", "beta": "Bêta",

2
messages/it-IT.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Crea la tua organizzazione, sito e risorse", "setupCreate": "Crea la tua organizzazione, sito e risorse",
"setupNewOrg": "Nuova Organizzazione", "setupNewOrg": "Nuova Organizzazione",
"setupCreateOrg": "Crea Organizzazione", "setupCreateOrg": "Crea Organizzazione",

2
messages/ko-KR.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "조직, 사이트 및 리소스를 생성하십시오.", "setupCreate": "조직, 사이트 및 리소스를 생성하십시오.",
"setupNewOrg": "새 조직", "setupNewOrg": "새 조직",
"setupCreateOrg": "조직 생성", "setupCreateOrg": "조직 생성",

2
messages/nb-NO.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Lag din organisasjon, område og dine ressurser", "setupCreate": "Lag din organisasjon, område og dine ressurser",
"setupNewOrg": "Ny Organisasjon", "setupNewOrg": "Ny Organisasjon",
"setupCreateOrg": "Opprett organisasjon", "setupCreateOrg": "Opprett organisasjon",

2
messages/nl-NL.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Maak uw organisatie, site en bronnen aan", "setupCreate": "Maak uw organisatie, site en bronnen aan",
"setupNewOrg": "Nieuwe organisatie", "setupNewOrg": "Nieuwe organisatie",
"setupCreateOrg": "Nieuwe organisatie aanmaken", "setupCreateOrg": "Nieuwe organisatie aanmaken",

2
messages/pl-PL.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Utwórz swoją organizację, witrynę i zasoby", "setupCreate": "Utwórz swoją organizację, witrynę i zasoby",
"setupNewOrg": "Nowa organizacja", "setupNewOrg": "Nowa organizacja",
"setupCreateOrg": "Utwórz organizację", "setupCreateOrg": "Utwórz organizację",

2
messages/pt-PT.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Crie sua organização, site e recursos", "setupCreate": "Crie sua organização, site e recursos",
"setupNewOrg": "Nova organização", "setupNewOrg": "Nova organização",
"setupCreateOrg": "Criar Organização", "setupCreateOrg": "Criar Organização",

2
messages/ru-RU.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Создайте свою организацию, сайт и ресурсы", "setupCreate": "Создайте свою организацию, сайт и ресурсы",
"setupNewOrg": "Новая организация", "setupNewOrg": "Новая организация",
"setupCreateOrg": "Создать организацию", "setupCreateOrg": "Создать организацию",

2
messages/tr-TR.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "Organizasyonunuzu, sitenizi ve kaynaklarınızı oluşturun", "setupCreate": "Organizasyonunuzu, sitenizi ve kaynaklarınızı oluşturun",
"setupNewOrg": "Yeni Organizasyon", "setupNewOrg": "Yeni Organizasyon",
"setupCreateOrg": "Organizasyon Oluştur", "setupCreateOrg": "Organizasyon Oluştur",

2
messages/zh-CN.json
View File

@@ -1,4 +1,6 @@
{ {
"headerAuthCompatibilityInfo": "Enable this to force a 401 Unauthorized response when an authentication token is missing. This is required for browsers or specific HTTP libraries that do not send credentials without a server challenge.",
"headerAuthCompatibility": "Extended compatibility",
"setupCreate": "创建您的第一个组织、网站和资源", "setupCreate": "创建您的第一个组织、网站和资源",
"setupNewOrg": "新建组织", "setupNewOrg": "新建组织",
"setupCreateOrg": "创建组织", "setupCreateOrg": "创建组织",

9
server/db/pg/schema/schema.ts
View File

@@ -419,6 +419,14 @@ export const resourceHeaderAuth = pgTable("resourceHeaderAuth", {
headerAuthHash: varchar("headerAuthHash").notNull() headerAuthHash: varchar("headerAuthHash").notNull()
}); });
export const resourceHeaderAuthExtendedCompatibility = pgTable("resourceHeaderAuthExtendedCompatibility", {
headerAuthExtendedCompatibilityId: serial("headerAuthExtendedCompatibilityId").primaryKey(),
resourceId: integer("resourceId")
.notNull()
.references(() => resources.resourceId, { onDelete: "cascade" }),
extendedCompatibilityIsActivated: boolean("extendedCompatibilityIsActivated").notNull().default(false),
});
export const resourceAccessToken = pgTable("resourceAccessToken", { export const resourceAccessToken = pgTable("resourceAccessToken", {
accessTokenId: varchar("accessTokenId").primaryKey(), accessTokenId: varchar("accessTokenId").primaryKey(),
orgId: varchar("orgId") orgId: varchar("orgId")
@@ -781,6 +789,7 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
export type ResourcePincode = InferSelectModel<typeof resourcePincode>; export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
export type ResourcePassword = InferSelectModel<typeof resourcePassword>; export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>; export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
export type ResourceOtp = InferSelectModel<typeof resourceOtp>; export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>; export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>; export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

14
server/db/queries/verifySessionQueries.ts
View File

@@ -1,4 +1,6 @@
import { db, loginPage, LoginPage, loginPageOrg, Org, orgs } from "@server/db"; import {
db, loginPage, LoginPage, loginPageOrg, Org, orgs,
} from "@server/db";
import { import {
Resource, Resource,
ResourcePassword, ResourcePassword,
@@ -14,7 +16,9 @@ import {
sessions, sessions,
userOrgs, userOrgs,
userResources, userResources,
users users,
ResourceHeaderAuthExtendedCompatibility,
resourceHeaderAuthExtendedCompatibility
} from "@server/db"; } from "@server/db";
import { and, eq } from "drizzle-orm"; import { and, eq } from "drizzle-orm";
@@ -23,6 +27,7 @@ export type ResourceWithAuth = {
pincode: ResourcePincode | null; pincode: ResourcePincode | null;
password: ResourcePassword | null; password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null; headerAuth: ResourceHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null
org: Org; org: Org;
}; };
@@ -52,6 +57,10 @@ export async function getResourceByDomain(
resourceHeaderAuth, resourceHeaderAuth,
eq(resourceHeaderAuth.resourceId, resources.resourceId) eq(resourceHeaderAuth.resourceId, resources.resourceId)
) )
.leftJoin(
resourceHeaderAuthExtendedCompatibility,
eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
)
.innerJoin( .innerJoin(
orgs, orgs,
eq(orgs.orgId, resources.orgId) eq(orgs.orgId, resources.orgId)
@@ -68,6 +77,7 @@ export async function getResourceByDomain(
pincode: result.resourcePincode, pincode: result.resourcePincode,
password: result.resourcePassword, password: result.resourcePassword,
headerAuth: result.resourceHeaderAuth, headerAuth: result.resourceHeaderAuth,
headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility,
org: result.orgs org: result.orgs
}; };
} }

11
server/db/sqlite/schema/schema.ts
View File

@@ -562,6 +562,16 @@ export const resourceHeaderAuth = sqliteTable("resourceHeaderAuth", {
headerAuthHash: text("headerAuthHash").notNull() headerAuthHash: text("headerAuthHash").notNull()
}); });
export const resourceHeaderAuthExtendedCompatibility = sqliteTable("resourceHeaderAuthExtendedCompatibility", {
headerAuthExtendedCompatibilityId: integer("headerAuthExtendedCompatibilityId").primaryKey({
autoIncrement: true
}),
resourceId: integer("resourceId")
.notNull()
.references(() => resources.resourceId, {onDelete: "cascade"}),
extendedCompatibilityIsActivated: integer("extendedCompatibilityIsActivated", {mode: "boolean"}).notNull()
});
export const resourceAccessToken = sqliteTable("resourceAccessToken", { export const resourceAccessToken = sqliteTable("resourceAccessToken", {
accessTokenId: text("accessTokenId").primaryKey(), accessTokenId: text("accessTokenId").primaryKey(),
orgId: text("orgId") orgId: text("orgId")
@@ -832,6 +842,7 @@ export type ResourceSession = InferSelectModel<typeof resourceSessions>;
export type ResourcePincode = InferSelectModel<typeof resourcePincode>; export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
export type ResourcePassword = InferSelectModel<typeof resourcePassword>; export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>; export type ResourceHeaderAuth = InferSelectModel<typeof resourceHeaderAuth>;
export type ResourceHeaderAuthExtendedCompatibility = InferSelectModel<typeof resourceHeaderAuthExtendedCompatibility>;
export type ResourceOtp = InferSelectModel<typeof resourceOtp>; export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>; export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>; export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;

39
server/lib/blueprints/proxyResources.ts
View File

@@ -2,7 +2,7 @@ import {
domains, domains,
orgDomains, orgDomains,
Resource, Resource,
resourceHeaderAuth, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
resourcePincode, resourcePincode,
resourceRules, resourceRules,
resourceWhitelist, resourceWhitelist,
@@ -285,21 +285,39 @@ export async function updateProxyResources(
existingResource.resourceId existingResource.resourceId
) )
); );
await trx
.delete(resourceHeaderAuthExtendedCompatibility)
.where(
eq(
resourceHeaderAuthExtendedCompatibility.resourceId,
existingResource.resourceId
)
);
if (resourceData.auth?.["basic-auth"]) { if (resourceData.auth?.["basic-auth"]) {
const headerAuthUser = const headerAuthUser =
resourceData.auth?.["basic-auth"]?.user; resourceData.auth?.["basic-auth"]?.user;
const headerAuthPassword = const headerAuthPassword =
resourceData.auth?.["basic-auth"]?.password; resourceData.auth?.["basic-auth"]?.password;
if (headerAuthUser && headerAuthPassword) { const headerAuthExtendedCompatibility =
resourceData.auth?.["basic-auth"]?.extendedCompatibility;
if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
const headerAuthHash = await hashPassword( const headerAuthHash = await hashPassword(
Buffer.from( Buffer.from(
`${headerAuthUser}:${headerAuthPassword}` `${headerAuthUser}:${headerAuthPassword}`
).toString("base64") ).toString("base64")
); );
await trx.insert(resourceHeaderAuth).values({ await Promise.all([
trx.insert(resourceHeaderAuth).values({
resourceId: existingResource.resourceId, resourceId: existingResource.resourceId,
headerAuthHash headerAuthHash
}); }),
trx.insert(resourceHeaderAuthExtendedCompatibility).values({
resourceId: existingResource.resourceId,
extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
})
]);
} }
} }
@@ -646,18 +664,25 @@ export async function updateProxyResources(
const headerAuthUser = resourceData.auth?.["basic-auth"]?.user; const headerAuthUser = resourceData.auth?.["basic-auth"]?.user;
const headerAuthPassword = const headerAuthPassword =
resourceData.auth?.["basic-auth"]?.password; resourceData.auth?.["basic-auth"]?.password;
const headerAuthExtendedCompatibility = resourceData.auth?.["basic-auth"]?.extendedCompatibility;
if (headerAuthUser && headerAuthPassword) { if (headerAuthUser && headerAuthPassword && headerAuthExtendedCompatibility !== null) {
const headerAuthHash = await hashPassword( const headerAuthHash = await hashPassword(
Buffer.from( Buffer.from(
`${headerAuthUser}:${headerAuthPassword}` `${headerAuthUser}:${headerAuthPassword}`
).toString("base64") ).toString("base64")
); );
await trx.insert(resourceHeaderAuth).values({ await Promise.all([
trx.insert(resourceHeaderAuth).values({
resourceId: newResource.resourceId, resourceId: newResource.resourceId,
headerAuthHash headerAuthHash
}); }),
trx.insert(resourceHeaderAuthExtendedCompatibility).values({
resourceId: newResource.resourceId,
extendedCompatibilityIsActivated: headerAuthExtendedCompatibility
}),
]);
} }
} }

3
server/lib/blueprints/types.ts
View File

@@ -47,7 +47,8 @@ export const AuthSchema = z.object({
password: z.string().min(1).optional(), password: z.string().min(1).optional(),
"basic-auth": z.object({ "basic-auth": z.object({
user: z.string().min(1), user: z.string().min(1),
password: z.string().min(1) password: z.string().min(1),
extendedCompatibility: z.boolean().default(false)
}).optional(), }).optional(),
"sso-enabled": z.boolean().optional().default(false), "sso-enabled": z.boolean().optional().default(false),
"sso-roles": z "sso-roles": z

12
server/private/routers/hybrid.ts
View File

@@ -36,8 +36,10 @@ import {
LoginPage, LoginPage,
resourceHeaderAuth, resourceHeaderAuth,
ResourceHeaderAuth, ResourceHeaderAuth,
resourceHeaderAuthExtendedCompatibility,
ResourceHeaderAuthExtendedCompatibility,
orgs, orgs,
requestAuditLog requestAuditLog,
} from "@server/db"; } from "@server/db";
import { import {
resources, resources,
@@ -188,6 +190,7 @@ export type ResourceWithAuth = {
pincode: ResourcePincode | null; pincode: ResourcePincode | null;
password: ResourcePassword | null; password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null; headerAuth: ResourceHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
}; };
export type UserSessionWithUser = { export type UserSessionWithUser = {
@@ -511,6 +514,10 @@ hybridRouter.get(
resourceHeaderAuth, resourceHeaderAuth,
eq(resourceHeaderAuth.resourceId, resources.resourceId) eq(resourceHeaderAuth.resourceId, resources.resourceId)
) )
.leftJoin(
resourceHeaderAuthExtendedCompatibility,
eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
)
.where(eq(resources.fullDomain, domain)) .where(eq(resources.fullDomain, domain))
.limit(1); .limit(1);
@@ -543,7 +550,8 @@ hybridRouter.get(
resource: result.resources, resource: result.resources,
pincode: result.resourcePincode, pincode: result.resourcePincode,
password: result.resourcePassword, password: result.resourcePassword,
headerAuth: result.resourceHeaderAuth headerAuth: result.resourceHeaderAuth,
headerAuthExtendedCompatibility: result.resourceHeaderAuthExtendedCompatibility
}; };
return response<ResourceWithAuth>(res, { return response<ResourceWithAuth>(res, {

2
server/routers/badger/logRequestAudit.ts
View File

@@ -9,7 +9,7 @@ Reasons:
100 - Allowed by Rule 100 - Allowed by Rule
101 - Allowed No Auth 101 - Allowed No Auth
102 - Valid Access Token 102 - Valid Access Token
103 - Valid header auth 103 - Valid Header Auth (HTTP Basic Auth)
104 - Valid Pincode 104 - Valid Pincode
105 - Valid Password 105 - Valid Password
106 - Valid email 106 - Valid email

62
server/routers/badger/verifySession.ts
View File

@@ -13,7 +13,7 @@ import {
LoginPage, LoginPage,
Org, Org,
Resource, Resource,
ResourceHeaderAuth, ResourceHeaderAuth, ResourceHeaderAuthExtendedCompatibility,
ResourcePassword, ResourcePassword,
ResourcePincode, ResourcePincode,
ResourceRule, ResourceRule,
@@ -65,6 +65,7 @@ type BasicUserData = {
export type VerifyUserResponse = { export type VerifyUserResponse = {
valid: boolean; valid: boolean;
headerAuthChallenged?: boolean;
redirectUrl?: string; redirectUrl?: string;
userData?: BasicUserData; userData?: BasicUserData;
}; };
@@ -142,6 +143,7 @@ export async function verifyResourceSession(
pincode: ResourcePincode | null; pincode: ResourcePincode | null;
password: ResourcePassword | null; password: ResourcePassword | null;
headerAuth: ResourceHeaderAuth | null; headerAuth: ResourceHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
org: Org; org: Org;
} }
| undefined = cache.get(resourceCacheKey); | undefined = cache.get(resourceCacheKey);
@@ -171,7 +173,7 @@ export async function verifyResourceSession(
cache.set(resourceCacheKey, resourceData, 5); cache.set(resourceCacheKey, resourceData, 5);
} }
const { resource, pincode, password, headerAuth } = resourceData; const { resource, pincode, password, headerAuth, headerAuthExtendedCompatibility } = resourceData;
if (!resource) { if (!resource) {
logger.debug(`Resource not found ${cleanHost}`); logger.debug(`Resource not found ${cleanHost}`);
@@ -450,7 +452,8 @@ export async function verifyResourceSession(
!sso && !sso &&
!pincode && !pincode &&
!password && !password &&
!resource.emailWhitelistEnabled !resource.emailWhitelistEnabled &&
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
) { ) {
logRequestAudit( logRequestAudit(
{ {
@@ -465,13 +468,15 @@ export async function verifyResourceSession(
return notAllowed(res); return notAllowed(res);
} }
} else if (headerAuth) { }
else if (headerAuth) {
// if there are no other auth methods we need to return unauthorized if nothing is provided // if there are no other auth methods we need to return unauthorized if nothing is provided
if ( if (
!sso && !sso &&
!pincode && !pincode &&
!password && !password &&
!resource.emailWhitelistEnabled !resource.emailWhitelistEnabled &&
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
) { ) {
logRequestAudit( logRequestAudit(
{ {
@@ -557,7 +562,7 @@ export async function verifyResourceSession(
} }
if (resourceSession) { if (resourceSession) {
// only run this check if not SSO sesion; SSO session length is checked later // only run this check if not SSO session; SSO session length is checked later
const accessPolicy = await enforceResourceSessionLength( const accessPolicy = await enforceResourceSessionLength(
resourceSession, resourceSession,
resourceData.org resourceData.org
@@ -701,6 +706,11 @@ export async function verifyResourceSession(
} }
} }
// If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge
if (headerAuthExtendedCompatibility && headerAuthExtendedCompatibility.extendedCompatibilityIsActivated && !clientHeaderAuth){
return headerAuthChallenged(res, redirectPath, resource.orgId);
}
logger.debug("No more auth to check, resource not allowed"); logger.debug("No more auth to check, resource not allowed");
if (config.getRawConfig().app.log_failed_attempts) { if (config.getRawConfig().app.log_failed_attempts) {
@@ -833,6 +843,46 @@ function allowed(res: Response, userData?: BasicUserData) {
return response<VerifyUserResponse>(res, data); return response<VerifyUserResponse>(res, data);
} }
async function headerAuthChallenged(
res: Response,
redirectPath?: string,
orgId?: string
) {
let loginPage: LoginPage | null = null;
if (orgId) {
const { tier } = await getOrgTierData(orgId); // returns null in oss
if (tier === TierId.STANDARD) {
loginPage = await getOrgLoginPage(orgId);
}
}
let redirectUrl: string | undefined = undefined;
if (redirectPath) {
let endpoint: string;
if (loginPage && loginPage.domainId && loginPage.fullDomain) {
const secure = config
.getRawConfig()
.app.dashboard_url?.startsWith("https");
const method = secure ? "https" : "http";
endpoint = `${method}://${loginPage.fullDomain}`;
} else {
endpoint = config.getRawConfig().app.dashboard_url!;
}
redirectUrl = `${endpoint}${redirectPath}`;
}
const data = {
data: { headerAuthChallenged: true, valid: false, redirectUrl },
success: true,
error: false,
message: "Access denied",
status: HttpCode.OK
};
logger.debug(JSON.stringify(data));
return response<VerifyUserResponse>(res, data);
}
async function isUserAllowedToAccessResource( async function isUserAllowedToAccessResource(
userSessionId: string, userSessionId: string,
resource: Resource, resource: Resource,

19
server/routers/resource/getResourceAuthInfo.ts
View File

@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
import {z} from "zod"; import {z} from "zod";
import { import {
db, db,
resourceHeaderAuth, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility,
resourcePassword, resourcePassword,
resourcePincode, resourcePincode,
resources resources
@@ -27,6 +27,7 @@ export type GetResourceAuthInfoResponse = {
password: boolean; password: boolean;
pincode: boolean; pincode: boolean;
headerAuth: boolean; headerAuth: boolean;
headerAuthExtendedCompatibility: boolean;
sso: boolean; sso: boolean;
blockAccess: boolean; blockAccess: boolean;
url: string; url: string;
@@ -76,6 +77,13 @@ export async function getResourceAuthInfo(
resources.resourceId resources.resourceId
) )
) )
.leftJoin(
resourceHeaderAuthExtendedCompatibility,
eq(
resourceHeaderAuthExtendedCompatibility.resourceId,
resources.resourceId
)
)
.where(eq(resources.resourceId, Number(resourceGuid))) .where(eq(resources.resourceId, Number(resourceGuid)))
.limit(1) .limit(1)
: await db : await db
@@ -97,6 +105,13 @@ export async function getResourceAuthInfo(
resources.resourceId resources.resourceId
) )
) )
.leftJoin(
resourceHeaderAuthExtendedCompatibility,
eq(
resourceHeaderAuthExtendedCompatibility.resourceId,
resources.resourceId
)
)
.where(eq(resources.resourceGuid, resourceGuid)) .where(eq(resources.resourceGuid, resourceGuid))
.limit(1); .limit(1);
@@ -110,6 +125,7 @@ export async function getResourceAuthInfo(
const pincode = result?.resourcePincode; const pincode = result?.resourcePincode;
const password = result?.resourcePassword; const password = result?.resourcePassword;
const headerAuth = result?.resourceHeaderAuth; const headerAuth = result?.resourceHeaderAuth;
const headerAuthExtendedCompatibility = result?.resourceHeaderAuthExtendedCompatibility;
const url = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`; const url = `${resource.ssl ? "https" : "http"}://${resource.fullDomain}`;
@@ -122,6 +138,7 @@ export async function getResourceAuthInfo(
password: password !== null, password: password !== null,
pincode: pincode !== null, pincode: pincode !== null,
headerAuth: headerAuth !== null, headerAuth: headerAuth !== null,
headerAuthExtendedCompatibility: headerAuthExtendedCompatibility !== null,
sso: resource.sso, sso: resource.sso,
blockAccess: resource.blockAccess, blockAccess: resource.blockAccess,
url, url,

8
server/routers/resource/listResources.ts
View File

@@ -1,6 +1,6 @@
import { Request, Response, NextFunction } from "express"; import { Request, Response, NextFunction } from "express";
import { z } from "zod"; import { z } from "zod";
import { db, resourceHeaderAuth } from "@server/db"; import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
import { import {
resources, resources,
userResources, userResources,
@@ -111,7 +111,7 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
domainId: resources.domainId, domainId: resources.domainId,
niceId: resources.niceId, niceId: resources.niceId,
headerAuthId: resourceHeaderAuth.headerAuthId, headerAuthId: resourceHeaderAuth.headerAuthId,
headerAuthExtendedCompatibilityId: resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
targetId: targets.targetId, targetId: targets.targetId,
targetIp: targets.ip, targetIp: targets.ip,
targetPort: targets.port, targetPort: targets.port,
@@ -133,6 +133,10 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
resourceHeaderAuth, resourceHeaderAuth,
eq(resourceHeaderAuth.resourceId, resources.resourceId) eq(resourceHeaderAuth.resourceId, resources.resourceId)
) )
.leftJoin(
resourceHeaderAuthExtendedCompatibility,
eq(resourceHeaderAuthExtendedCompatibility.resourceId, resources.resourceId)
)
.leftJoin(targets, eq(targets.resourceId, resources.resourceId)) .leftJoin(targets, eq(targets.resourceId, resources.resourceId))
.leftJoin( .leftJoin(
targetHealthCheck, targetHealthCheck,

21
server/routers/resource/setResourceHeaderAuth.ts
View File

@@ -1,6 +1,6 @@
import {Request, Response, NextFunction} from "express"; import {Request, Response, NextFunction} from "express";
import {z} from "zod"; import {z} from "zod";
import { db, resourceHeaderAuth } from "@server/db"; import {db, resourceHeaderAuth, resourceHeaderAuthExtendedCompatibility} from "@server/db";
import {eq} from "drizzle-orm"; import {eq} from "drizzle-orm";
import HttpCode from "@server/types/HttpCode"; import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors"; import createHttpError from "http-errors";
@@ -16,7 +16,8 @@ const setResourceAuthMethodsParamsSchema = z.object({
const setResourceAuthMethodsBodySchema = z.strictObject({ const setResourceAuthMethodsBodySchema = z.strictObject({
user: z.string().min(4).max(100).nullable(), user: z.string().min(4).max(100).nullable(),
password: z.string().min(4).max(100).nullable() password: z.string().min(4).max(100).nullable(),
extendedCompatibility: z.boolean().nullable()
}); });
registry.registerPath({ registry.registerPath({
@@ -67,20 +68,28 @@ export async function setResourceHeaderAuth(
} }
const {resourceId} = parsedParams.data; const {resourceId} = parsedParams.data;
const { user, password } = parsedBody.data; const {user, password, extendedCompatibility} = parsedBody.data;
await db.transaction(async (trx) => { await db.transaction(async (trx) => {
await trx await trx
.delete(resourceHeaderAuth) .delete(resourceHeaderAuth)
.where(eq(resourceHeaderAuth.resourceId, resourceId)); .where(eq(resourceHeaderAuth.resourceId, resourceId));
await trx.delete(resourceHeaderAuthExtendedCompatibility).where(eq(resourceHeaderAuthExtendedCompatibility.resourceId, resourceId));
if (user && password) { if (user && password && extendedCompatibility !== null) {
const headerAuthHash = await hashPassword(Buffer.from(`${user}:${password}`).toString("base64")); const headerAuthHash = await hashPassword(Buffer.from(`${user}:${password}`).toString("base64"));
await trx await Promise.all([
trx
.insert(resourceHeaderAuth) .insert(resourceHeaderAuth)
.values({ resourceId, headerAuthHash }); .values({resourceId, headerAuthHash}),
trx
.insert(resourceHeaderAuthExtendedCompatibility)
.values({resourceId, extendedCompatibilityIsActivated: extendedCompatibility})
]);
} }
}); });
return response(res, { return response(res, {

3
src/app/[orgId]/settings/resources/[niceId]/authentication/page.tsx
View File

@@ -439,7 +439,8 @@ export default function ResourceAuthenticationPage() {
api.post(`/resource/${resource.resourceId}/header-auth`, { api.post(`/resource/${resource.resourceId}/header-auth`, {
user: null, user: null,
password: null password: null,
extendedCompatibility: null,
}) })
.then(() => { .then(() => {
toast({ toast({

49
src/components/SetResourceHeaderAuthForm.tsx
View File

@@ -31,17 +31,21 @@ import { Resource } from "@server/db";
import {createApiClient} from "@app/lib/api"; import {createApiClient} from "@app/lib/api";
import {useEnvContext} from "@app/hooks/useEnvContext"; import {useEnvContext} from "@app/hooks/useEnvContext";
import {useTranslations} from "next-intl"; import {useTranslations} from "next-intl";
import {SwitchInput} from "@/components/SwitchInput";
import {InfoPopup} from "@/components/ui/info-popup";
const setHeaderAuthFormSchema = z.object({ const setHeaderAuthFormSchema = z.object({
user: z.string().min(4).max(100), user: z.string().min(4).max(100),
password: z.string().min(4).max(100) password: z.string().min(4).max(100),
extendedCompatibility: z.boolean()
}); });
type SetHeaderAuthFormValues = z.infer<typeof setHeaderAuthFormSchema>; type SetHeaderAuthFormValues = z.infer<typeof setHeaderAuthFormSchema>;
const defaultValues: Partial<SetHeaderAuthFormValues> = { const defaultValues: Partial<SetHeaderAuthFormValues> = {
user: "", user: "",
password: "" password: "",
extendedCompatibility: false
}; };
type SetHeaderAuthFormProps = { type SetHeaderAuthFormProps = {
@@ -80,17 +84,8 @@ export default function SetResourceHeaderAuthForm({
api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/header-auth`, { api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/header-auth`, {
user: data.user, user: data.user,
password: data.password password: data.password,
}) extendedCompatibility: data.extendedCompatibility
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorHeaderAuthSetup'),
description: formatAxiosError(
e,
t('resourceErrorHeaderAuthSetupDescription')
)
});
}) })
.then(() => { .then(() => {
toast({ toast({
@@ -102,6 +97,16 @@ export default function SetResourceHeaderAuthForm({
onSetHeaderAuth(); onSetHeaderAuth();
} }
}) })
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorHeaderAuthSetup'),
description: formatAxiosError(
e,
t('resourceErrorHeaderAuthSetupDescription')
)
});
})
.finally(() => setLoading(false)); .finally(() => setLoading(false));
} }
@@ -163,6 +168,24 @@ export default function SetResourceHeaderAuthForm({
</FormItem> </FormItem>
)} )}
/> />
<FormField
control={form.control}
name="extendedCompatibility"
render={({field}) => (
<FormItem>
<FormControl>
<SwitchInput
id="header-auth-compatibility-toggle"
label={t("headerAuthCompatibility")}
info={t('headerAuthCompatibilityInfo')}
checked={field.value}
onCheckedChange={field.onChange}
/>
</FormControl>
<FormMessage/>
</FormItem>
)}
/>
</form> </form>
</Form> </Form>
</CredenzaBody> </CredenzaBody>

20
src/components/SetResourcePasswordForm.tsx
View File

@@ -77,16 +77,6 @@ export default function SetResourcePasswordForm({
api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/password`, { api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/password`, {
password: data.password password: data.password
})
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorPasswordSetup'),
description: formatAxiosError(
e,
t('resourceErrorPasswordSetupDescription')
)
});
}) })
.then(() => { .then(() => {
toast({ toast({
@@ -98,6 +88,16 @@ export default function SetResourcePasswordForm({
onSetPassword(); onSetPassword();
} }
}) })
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorPasswordSetup'),
description: formatAxiosError(
e,
t('resourceErrorPasswordSetupDescription')
)
});
})
.finally(() => setLoading(false)); .finally(() => setLoading(false));
} }

20
src/components/SetResourcePincodeForm.tsx
View File

@@ -83,16 +83,6 @@ export default function SetResourcePincodeForm({
api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/pincode`, { api.post<AxiosResponse<Resource>>(`/resource/${resourceId}/pincode`, {
pincode: data.pincode pincode: data.pincode
})
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorPincodeSetup'),
description: formatAxiosError(
e,
t('resourceErrorPincodeSetupDescription')
)
});
}) })
.then(() => { .then(() => {
toast({ toast({
@@ -104,6 +94,16 @@ export default function SetResourcePincodeForm({
onSetPincode(); onSetPincode();
} }
}) })
.catch((e) => {
toast({
variant: "destructive",
title: t('resourceErrorPincodeSetup'),
description: formatAxiosError(
e,
t('resourceErrorPincodeSetupDescription')
)
});
})
.finally(() => setLoading(false)); .finally(() => setLoading(false));
} }

29
src/components/SwitchInput.tsx
View File

@@ -1,11 +1,16 @@
import React from "react"; import React from "react";
import {Switch} from "./ui/switch"; import {Switch} from "./ui/switch";
import {Label} from "./ui/label"; import {Label} from "./ui/label";
import {Button} from "@/components/ui/button";
import {Info} from "lucide-react";
import {info} from "winston";
import {Popover, PopoverContent, PopoverTrigger} from "@/components/ui/popover";
interface SwitchComponentProps { interface SwitchComponentProps {
id: string; id: string;
label?: string; label?: string;
description?: string; description?: string;
info?: string;
checked?: boolean; checked?: boolean;
defaultChecked?: boolean; defaultChecked?: boolean;
disabled?: boolean; disabled?: boolean;
@@ -16,11 +21,23 @@ export function SwitchInput({
id, id,
label, label,
description, description,
info,
disabled, disabled,
checked, checked,
defaultChecked = false, defaultChecked = false,
onCheckedChange onCheckedChange
}: SwitchComponentProps) { }: SwitchComponentProps) {
const defaultTrigger = (
<Button
variant="ghost"
size="icon"
className="h-6 w-6 rounded-full p-0"
>
<Info className="h-4 w-4"/>
<span className="sr-only">Show info</span>
</Button>
);
return ( return (
<div> <div>
<div className="flex items-center space-x-2 mb-2"> <div className="flex items-center space-x-2 mb-2">
@@ -32,6 +49,18 @@ export function SwitchInput({
disabled={disabled} disabled={disabled}
/> />
{label && <Label htmlFor={id}>{label}</Label>} {label && <Label htmlFor={id}>{label}</Label>}
{info && <Popover>
<PopoverTrigger asChild>
{defaultTrigger}
</PopoverTrigger>
<PopoverContent className="w-80">
{info && (
<p className="text-sm text-muted-foreground">
{info}
</p>
)}
</PopoverContent>
</Popover>}
</div> </div>
{description && ( {description && (
<span className="text-muted-foreground text-sm"> <span className="text-muted-foreground text-sm">