diff --git a/cpanfile b/cpanfile
index ca248b3..ec11257 100644
--- a/cpanfile
+++ b/cpanfile
@@ -7,7 +7,7 @@ requires 'Mojolicious::Plugin::GzipStatic';
 requires 'Mojolicious::Plugin::StaticCache';
 requires 'Mojolicious::Plugin::CSPHeader', '>= 0.06';
 requires 'Mojolicious::Plugin::FiatTux::Helpers', '== 0.12', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-helpers/-/archive/0.12/mojolicious-plugin-fiattux-helpers-0.12.tar.gz';
-requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.07', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.07/mojolicious-plugin-fiattux-grantaccess-0.07.tar.gz';
+requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.08', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.08/mojolicious-plugin-fiattux-grantaccess-0.08.tar.gz';
 requires 'Mojolicious::Plugin::FiatTux::Themes', '== 0.02', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-themes/-/archive/0.02/mojolicious-plugin-fiattux-themes-0.02.tar.gz';
 requires 'Filesys::DiskUsage';
 requires 'Switch';
@@ -43,6 +43,9 @@ feature 'htpasswd', 'Htpasswd authentication support' => sub {
 requires 'Apache::Htpasswd';
 requires 'Mojolicious::Plugin::Authentication';
 };
+feature 'auth_headers', 'Header authentication support' => sub {
+ requires 'Mojolicious::Plugin::Authentication';
+};
 feature 'postgresql', 'PostgreSQL support' => sub {
 requires 'Mojo::Pg';
 requires 'Mojolicious::Plugin::PgURLHelper';
diff --git a/lib/Lufi.pm b/lib/Lufi.pm
index a480979..b8d3c8e 100644
--- a/lib/Lufi.pm
+++ b/lib/Lufi.pm
@@ -124,7 +124,7 @@ sub startup { ->to('Misc#change_lang') ->name('lang'); - if (defined $self->config('ldap') || defined $self->config('htpasswd')) { + if (defined $self->config('ldap') || defined $self->config('htpasswd') || defined $self->config('auth_headers')) { # Login page $r->get('/login') ->to('Auth#login_page'); @@ -138,7 +138,7 @@ sub startup { ->to('Auth#log_out') ->name('logout'); - if (defined $self->config('ldap') && defined $self->config('invitations')) { + if ((defined $self->config('ldap') || defined $self->config('auth_headers')) && defined $self->config('invitations')) { # Invitation creation page $r->get('/invite') ->name('invite') diff --git a/lib/Lufi/Controller/Auth.pm b/lib/Lufi/Controller/Auth.pm index 9913cad..af602b8 100644 --- a/lib/Lufi/Controller/Auth.pm +++ b/lib/Lufi/Controller/Auth.pm @@ -9,10 +9,21 @@ sub login_page { if ($c->is_user_authenticated) { $c->redirect_to('/'); } else { - $c->render( - template => 'login', - redirect => $redirect - ); + if ($c->config('auth_headers')) { + if($c->authenticate('dummy', 'dummy')) { + if ($redirect eq 'invite') { + return $c->redirect_to('invite'); + } elsif ($redirect eq 'my_invitations') { + return $c->redirect_to('invite_list'); + } + return $c->redirect_to('/'); + } + } else { + $c->render( + template => 'login', + redirect => $redirect + ); + } } } diff --git a/lib/Lufi/Controller/Misc.pm b/lib/Lufi/Controller/Misc.pm index be2b9a1..3a908a3 100644 --- a/lib/Lufi/Controller/Misc.pm +++ b/lib/Lufi/Controller/Misc.pm @@ -8,7 +8,7 @@ use Lufi::DB::File; sub index { my $c = shift; - if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated) { + if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated) { $c->render(template => 'index'); } else { $c->redirect_to('login'); 
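Review bot: The "is authentication configured" test is now a three-way `defined` chain copied into `startup` here, and again into `index` and `config_infos` in lib/Lufi/Controller/Misc.pm, while `login_page` in Auth.pm tests `$c->config('auth_headers')` for truth rather than definedness. If `auth_headers` is set to an empty string or `0`, the login routes and the redirect to `login` are active but `login_page` falls through to the password form, which, as far as this diff shows, may have no backend behind it in that configuration. A single helper, for example `$self->helper(auth_required => sub { my $c = shift; return defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers')) });`, used at all four places would keep the checks in step. `startup` begins and ends outside this hunk.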
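Review bot: When `auth_headers` is configured and `$c->authenticate('dummy', 'dummy')` returns false, `login_page` renders nothing, so a request that arrives without the expected header gets whatever the framework does for an action with no response instead of a clear refusal. Add an explicit failure branch after the inner `if`, such as `return $c->render(text => 'Authentication failed', status => 401);`, and log the event so that requests reaching Lufi without the proxy-set header are visible to the operator. `$redirect` is assigned above the hunk; if it can be undef, `$redirect eq 'invite'` will warn, and `($redirect // '') eq 'invite'` avoids that. The dummy credentials suggest the identity is taken from request headers by a callback that is not part of this diff, so that callback is where an empty or missing header value has to be rejected.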
@@ -56,7 +56,7 @@ sub config_infos { force_burn_after_reading => $c->config('force_burn_after_reading'), keep_ip_during => $c->config('keep_ip_during'), stop_upload => (-f 'stop-upload' || -f 'stop-upload.manual') ? true : false, - need_authentication => (defined($c->config('ldap')) || defined($c->config('htpasswd'))) ? true : false, + need_authentication => (defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers'))) ? true : false, version => $c->git_version } ); diff --git a/lufi.conf.template b/lufi.conf.template index b7401b4..2b71b03 100644 --- a/lufi.conf.template +++ b/lufi.conf.template @@ -299,6 +299,28 @@ # See 'man htpasswd' to know how to create such file #htpasswd => 'lufi.passwd', + ############################ + # HTTP header authentication + ############################ + + # Set `auth_headers` if you want to use HTTP header auth. + # Typically, these headers are set by a reverse-proxy + # acting as an authentication server. Useful for SSO. + # `auth_headers` should contains the user's username. + # + # /!\ LUFI BLINDLY TRUSTS THESE HEADERS + # /!\ IT'S UP TO YOU TO SANITIZE INCOMING HEADERS TO SECURE YOUR INSTANCE + # + #auth_headers => 'X-AUTH-PREFERRED-USERNAME', + #auth_headers_map_value => { + # # Like ldap_map_attr but for headers + # displayname => 'X-AUTH-DISPLAYNAME', + # firstname => 'X-AUTH-GIVENNAME', + # lastname => 'X-AUTH-LASTNAME', + # mail => 'X-AUTH-EMAIL' + #}, + + ####################### # HTTP Headers settings ####################### diff --git a/themes/default/templates/layouts/default.html.ep b/themes/default/templates/layouts/default.html.ep index b269f00..3e589de 100644 --- a/themes/default/templates/layouts/default.html.ep +++ b/themes/default/templates/layouts/default.html.ep @@ -29,10 +29,10 @@
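Review bot: The warning in the new `auth_headers` comment block of lufi.conf.template tells the operator to sanitize incoming headers but does not say what that requires in practice. Since Lufi trusts `X-AUTH-PREFERRED-USERNAME` and the headers named in `auth_headers_map_value` as given, the comment should state both conditions the deployment depends on, for example `# The reverse proxy MUST remove these headers from client requests before setting its own values,` and `# and Lufi MUST only be reachable through that proxy (e.g. listen on a loopback address).` In the same block, "should contains" should read "should contain".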