init

2026-01-12 13:51:52 +01:00
parent 90191c50d8
commit 06e55c441e
44 changed files with 3066 additions and 1 deletions
--- a/internal/store/admin.go
+++ b/internal/store/admin.go
@@ -0,0 +1,150 @@
+package store
+
+import (
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/yourorg/ntfywui/internal/security"
+)
+
+type Role string
+
+const (
+	RoleViewer   Role = "viewer"
+	RoleOperator Role = "operator"
+	RoleAdmin    Role = "admin"
+)
+
+type Admin struct {
+	Username   string `json:"username"`
+	Role       Role   `json:"role"`
+	PassHash   string `json:"pass_hash"`
+	TOTPSecret string `json:"totp_secret,omitempty"` // base32, optional
+	Disabled   bool   `json:"disabled"`
+	CreatedAt  int64  `json:"created_at"`
+}
+
+type AdminStore struct {
+	mu    sync.Mutex
+	path  string
+	admin map[string]Admin
+}
+
+func NewAdminStore(path string) (*AdminStore, error) {
+	s := &AdminStore{path: path, admin: map[string]Admin{}}
+	if err := s.load(); err != nil {
+		// If file doesn't exist, start empty
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, err
+		}
+	}
+	return s, nil
+}
+
+func (s *AdminStore) load() error {
+	b, err := os.ReadFile(s.path)
+	if err != nil {
+		return err
+	}
+	var m map[string]Admin
+	if err := json.Unmarshal(b, &m); err != nil {
+		return err
+	}
+	s.admin = m
+	return nil
+}
+
+func (s *AdminStore) saveLocked() error {
+	tmp := s.path + ".tmp"
+	b, err := json.MarshalIndent(s.admin, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(s.path), 0o750); err != nil {
+		return err
+	}
+	if err := os.WriteFile(tmp, b, 0o600); err != nil {
+		return err
+	}
+	return os.Rename(tmp, s.path)
+}
+
+func (s *AdminStore) EnsureBootstrap(username, password string) (bool, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if _, ok := s.admin[username]; ok {
+		return false, nil
+	}
+	salt := make([]byte, 16)
+	_, _ = randRead(salt)
+	hash := security.HashPasswordPBKDF2(password, salt, 120_000)
+	s.admin[username] = Admin{
+		Username:  username,
+		Role:      RoleAdmin,
+		PassHash:  hash,
+		CreatedAt: time.Now().Unix(),
+	}
+	return true, s.saveLocked()
+}
+
+func (s *AdminStore) List() []Admin {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	out := make([]Admin, 0, len(s.admin))
+	for _, a := range s.admin {
+		out = append(out, a)
+	}
+	// stable sort not necessary for UI
+	return out
+}
+
+func (s *AdminStore) Get(username string) (Admin, bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	a, ok := s.admin[username]
+	return a, ok
+}
+
+func (s *AdminStore) Set(a Admin) error {
+	if a.Username == "" {
+		return errors.New("username required")
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.admin[a.Username] = a
+	return s.saveLocked()
+}
+
+func (s *AdminStore) Delete(username string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.admin, username)
+	return s.saveLocked()
+}
+
+func (s *AdminStore) Authenticate(username, password, totp string) (Admin, bool) {
+	s.mu.Lock()
+	a, ok := s.admin[username]
+	s.mu.Unlock()
+	if !ok || a.Disabled {
+		return Admin{}, false
+	}
+	okpw, _ := security.VerifyPasswordPBKDF2(password, a.PassHash)
+	if !okpw {
+		return Admin{}, false
+	}
+	if a.TOTPSecret != "" {
+		if totp == "" {
+			return Admin{}, false
+		}
+		if !security.VerifyTOTP(a.TOTPSecret, totp, time.Now()) {
+			return Admin{}, false
+		}
+	}
+	return a, true
+}