[feat] Adding RemoteUser authentication

louislam · Jun 22, 2022 · e94c9a4 · e94c9a4
1 parent c36d9a4
commit e94c9a4
Show file tree

Hide file tree

Showing 6 changed files with 127 additions and 71 deletions.
diff --git a/docker/dockerfile-alpine b/docker/dockerfile-alpine
@@ -1,4 +1,4 @@
-FROM louislam/uptime-kuma:base-alpine AS build
+FROM louislam/uptime-kuma:base-alpine AS build_server
 WORKDIR /app
 
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=1
@@ -7,12 +7,20 @@ COPY . .
 RUN npm ci --production && \
     chmod +x /app/extra/entrypoint.sh
 
+FROM louislam/uptime-kuma:base-alpine AS build_app
+WORKDIR /app
+
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=1
+
+COPY . .
+RUN npm ci && npm build
 
 FROM louislam/uptime-kuma:base-alpine AS release
 WORKDIR /app
 
 # Copy app files from build layer
-COPY --from=build /app /app
+COPY --from=build_server /app /app
+COPY --from=build_app /app/dist /app/dist
 
 EXPOSE 3001
 VOLUME ["/app/data"]

diff --git a/server/auth.js b/server/auth.js
@@ -4,6 +4,9 @@ const { R } = require("redbean-node");
 const { setting } = require("./util-server");
 const { loginRateLimiter } = require("./rate-limiter");
 
+const remoteAuthEnabled = process.env.REMOTE_AUTH_ENABLED || false;
+const remoteAuthHeader = process.env.REMOTE_AUTH_HEADER || "Remote-User";
+
 /**
  * Login to web app
  * @param {string} username
@@ -63,18 +66,35 @@ function myAuthorizer(username, password, callback) {
     });
 }
 
-exports.basicAuth = async function (req, res, next) {
-    const middleware = basicAuth({
-        authorizer: myAuthorizer,
-        authorizeAsync: true,
-        challenge: true,
-    });
-
+/**
+ * authMiddleware for express handling basicAuth and remoteAuthHeader
+ * @param {express.Request} req
+ * @param {express.Response} res
+ * @param {express.NextFunction} next
+ */
+exports.authMiddleware = async function (req, res, next) {
     const disabledAuth = await setting("disableAuth");
 
+    if (remoteAuthEnabled) {
+        const remoteUser = req.headers[remoteAuthHeader.toLowerCase()];
+        if (remoteUser !== undefined) {
+            let user = await R.findOne("user", " username = ? AND active = 1 ", [ remoteUser ]);
+            if (user) {
+                next();
+                return;
+            }
+        }
+    }
+
     if (!disabledAuth) {
+        const middleware = basicAuth({
+            authorizer: myAuthorizer,
+            authorizeAsync: true,
+            challenge: true,
+        });
         middleware(req, res, next);
-    } else {
-        next();
+        return;
     }
+
+    next();
 };
diff --git a/server/server.js b/server/server.js
@@ -77,10 +77,13 @@ log.debug("server", "Importing Background Jobs");
 const { initBackgroundJobs, stopBackgroundJobs } = require("./jobs");
 const { loginRateLimiter, twoFaRateLimiter } = require("./rate-limiter");
 
-const { basicAuth } = require("./auth");
+const { authMiddleware } = require("./auth");
 const { login } = require("./auth");
 const passwordHash = require("./password-hash");
 
+const remoteAuthEnabled = process.env.REMOTE_AUTH_ENABLED || false;
+const remoteAuthHeader = process.env.REMOTE_AUTH_HEADER || "Remote-User";
+
 const checkVersion = require("./check-version");
 log.info("server", "Version: " + checkVersion.version);
 
@@ -201,7 +204,7 @@ let needSetup = false;
 
     // Prometheus API metrics  /metrics
     // With Basic Auth using the first user's username/password
-    app.get("/metrics", basicAuth, prometheusAPIMetrics());
+    app.get("/metrics", authMiddleware, prometheusAPIMetrics());
 
     app.use("/", expressStaticGzip("dist", {
         enableBrotli: true,
@@ -1434,6 +1437,22 @@ let needSetup = false;
             log.info("auth", "Disabled Auth: auto login to admin");
             afterLogin(socket, await R.findOne("user"));
             socket.emit("autoLogin");
+        } else if (remoteAuthEnabled) {
+            log.debug("auth", socket.handshake.headers);
+            const remoteUser = socket.handshake.headers[remoteAuthHeader.toLowerCase()];
+            if (remoteUser !== undefined) {
+                const user = await R.findOne("user", " username = ? AND active = 1 ", [ remoteUser ]);
+                if (user) {
+                    log.info("auth", `Login by remote-user header. IP=${getClientIp(socket)}`);
+                    log.debug("auth", `Remote user ${remoteUser} exists, found user ${user.username}`);
+                    afterLogin(socket, user);
+                    socket.emit("autoLoginRemoteHeader", user.username);
+                } else {
+                    log.debug("auth", `Remote user ${remoteUser} doesn't exist`);
+                }
+            } else {
+                log.debug("auth", "Remote user header set but not found in headers");
+            }
         } else {
             log.debug("auth", "need auth");
         }

diff --git a/src/components/settings/Security.vue b/src/components/settings/Security.vue
@@ -5,63 +5,64 @@
             <template v-if="!settings.disableAuth">
                 <p>
                     {{ $t("Current User") }}: <strong>{{ $root.username }}</strong>
-                    <button v-if="! settings.disableAuth" id="logout-btn" class="btn btn-danger ms-4 me-2 mb-2" @click="$root.logout">{{ $t("Logout") }}</button>
+                    <button v-if="$root.socket.token.startsWith('autoLogin') === false" id="logout-btn" class="btn btn-danger ms-4 me-2 mb-2" @click="$root.logout">{{ $t("Logout") }}</button>
                 </p>
+                <template v-if="$root.socket.token.startsWith('autoLogin') === false">
+                    <h5 class="my-4 settings-subheading">{{ $t("Change Password") }}</h5>
+                    <form class="mb-3" @submit.prevent="savePassword">
+                        <div class="mb-3">
+                            <label for="current-password" class="form-label">
+                                {{ $t("Current Password") }}
+                            </label>
+                            <input
+                                id="current-password"
+                                v-model="password.currentPassword"
+                                type="password"
+                                class="form-control"
+                                required
+                            />
+                        </div>
+
+                        <div class="mb-3">
+                            <label for="new-password" class="form-label">
+                                {{ $t("New Password") }}
+                            </label>
+                            <input
+                                id="new-password"
+                                v-model="password.newPassword"
+                                type="password"
+                                class="form-control"
+                                required
+                            />
+                        </div>
+
+                        <div class="mb-3">
+                            <label for="repeat-new-password" class="form-label">
+                                {{ $t("Repeat New Password") }}
+                            </label>
+                            <input
+                                id="repeat-new-password"
+                                v-model="password.repeatNewPassword"
+                                type="password"
+                                class="form-control"
+                                :class="{ 'is-invalid': invalidPassword }"
+                                required
+                            />
+                            <div class="invalid-feedback">
+                                {{ $t("passwordNotMatchMsg") }}
+                            </div>
+                        </div>
 
-                <h5 class="my-4 settings-subheading">{{ $t("Change Password") }}</h5>
-                <form class="mb-3" @submit.prevent="savePassword">
-                    <div class="mb-3">
-                        <label for="current-password" class="form-label">
-                            {{ $t("Current Password") }}
-                        </label>
-                        <input
-                            id="current-password"
-                            v-model="password.currentPassword"
-                            type="password"
-                            class="form-control"
-                            required
-                        />
-                    </div>
-
-                    <div class="mb-3">
-                        <label for="new-password" class="form-label">
-                            {{ $t("New Password") }}
-                        </label>
-                        <input
-                            id="new-password"
-                            v-model="password.newPassword"
-                            type="password"
-                            class="form-control"
-                            required
-                        />
-                    </div>
-
-                    <div class="mb-3">
-                        <label for="repeat-new-password" class="form-label">
-                            {{ $t("Repeat New Password") }}
-                        </label>
-                        <input
-                            id="repeat-new-password"
-                            v-model="password.repeatNewPassword"
-                            type="password"
-                            class="form-control"
-                            :class="{ 'is-invalid': invalidPassword }"
-                            required
-                        />
-                        <div class="invalid-feedback">
-                            {{ $t("passwordNotMatchMsg") }}
+                        <div>
+                            <button class="btn btn-primary" type="submit">
+                                {{ $t("Update Password") }}
+                            </button>
                         </div>
-                    </div>
-
-                    <div>
-                        <button class="btn btn-primary" type="submit">
-                            {{ $t("Update Password") }}
-                        </button>
-                    </div>
-                </form>
+                    </form>
+                </template>
             </template>
 
-            <div v-if="! settings.disableAuth" class="mt-5 mb-3">
+            <div v-if="$root.socket.token.startsWith('autoLogin') === false" class="mt-5 mb-3">
                 <h5 class="my-4 settings-subheading">
                     {{ $t("Two Factor Authentication") }}
                 </h5>
@@ -82,7 +83,7 @@
 
                 <div class="mb-4">
                     <button v-if="settings.disableAuth" id="enableAuth-btn" class="btn btn-outline-primary me-2 mb-2" @click="enableAuth">{{ $t("Enable Auth") }}</button>
-                    <button v-if="! settings.disableAuth" id="disableAuth-btn" class="btn btn-primary me-2 mb-2" @click="confirmDisableAuth">{{ $t("Disable Auth") }}</button>
+                    <button v-if="!settings.disableAuth" id="disableAuth-btn" class="btn btn-primary me-2 mb-2" @click="confirmDisableAuth">{{ $t("Disable Auth") }}</button>
                 </div>
             </div>
         </div>

diff --git a/src/layouts/Layout.vue b/src/layouts/Layout.vue
@@ -50,7 +50,7 @@
                                     <font-awesome-icon icon="cog" /> {{ $t("Settings") }}
                                 </router-link>
                             </li>
-                            <li v-if="$root.loggedIn && $root.socket.token !== 'autoLogin'">
+                            <li v-if="$root.loggedIn && $root.socket.token.startsWith('autoLogin') === false">
                                 <button class="dropdown-item" @click="$root.logout">
                                     <font-awesome-icon icon="sign-out-alt" />
                                     {{ $t("Logout") }}

diff --git a/src/mixins/socket.js b/src/mixins/socket.js
@@ -103,17 +103,25 @@ export default {
                 this.info = info;
             });
 
-            socket.on("setup", (monitorID, data) => {
+            socket.on("setup", () => {
                 this.$router.push("/setup");
             });
 
-            socket.on("autoLogin", (monitorID, data) => {
+            socket.on("autoLogin", () => {
                 this.loggedIn = true;
                 this.storage().token = "autoLogin";
                 this.socket.token = "autoLogin";
                 this.allowLoginDialog = false;
             });
 
+            socket.on("autoLoginRemoteHeader", (username) => {
+                this.loggedIn = true;
+                this.username = username;
+                this.storage().token = "autoLoginRemoteHeader";
+                this.socket.token = "autoLoginRemoteHeader";
+                this.allowLoginDialog = false;
+            });
+
             socket.on("monitorList", (data) => {
                 // Add Helper function
                 Object.entries(data).forEach(([ monitorID, monitor ]) => {
@@ -238,7 +246,7 @@ export default {
                 let token = this.storage().token;
 
                 if (token) {
-                    if (token !== "autoLogin") {
+                    if (token.startsWith("autoLogin") === false) {
                         this.loginByToken(token);
                     } else {
                         // Timeout if it is not actually auto login
@@ -279,7 +287,7 @@ export default {
         getJWTPayload() {
             const jwtToken = this.$root.storage().token;
 
-            if (jwtToken && jwtToken !== "autoLogin") {
+            if (jwtToken && jwtToken.startsWith("autoLogin") === false) {
                 return jwtDecode(jwtToken);
             }
             return undefined;