316 lines
9.0 KiB
Go
316 lines
9.0 KiB
Go
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"html/template"
|
|
"log"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"sync"
|
|
|
|
"astraltech.xyz/accountmanager/src/components"
|
|
"astraltech.xyz/accountmanager/src/email"
|
|
"astraltech.xyz/accountmanager/src/helpers"
|
|
"astraltech.xyz/accountmanager/src/ldap"
|
|
"astraltech.xyz/accountmanager/src/logging"
|
|
"astraltech.xyz/accountmanager/src/session"
|
|
)
|
|
|
|
var (
|
|
ldapServer ldap.LDAPServer
|
|
serverConfig *ServerConfig
|
|
sessionManager *session.SessionManager
|
|
noReplyEmail email.EmailAccount
|
|
)
|
|
|
|
type UserData struct {
|
|
isAuth bool
|
|
DisplayName string
|
|
Email string
|
|
}
|
|
|
|
var (
|
|
userData = make(map[string]*UserData)
|
|
userDataMutex sync.RWMutex
|
|
)
|
|
|
|
func authenticateUser(username, password string) (*UserData, error) {
|
|
logging.Event(logging.AuthenticateUser, username)
|
|
userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", username, serverConfig.LDAPConfig.BaseDN)
|
|
|
|
connected, err := ldapServer.AuthenticateUser(userDN, password)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if connected == false {
|
|
logging.Debug("Failed to authenticate user")
|
|
return nil, fmt.Errorf("Failed to authenticate user %s", username)
|
|
}
|
|
logging.Info("User authenticated successfully")
|
|
|
|
userSearch, err := ldapServer.SerchServer(
|
|
userDN, password,
|
|
serverConfig.LDAPConfig.BaseDN,
|
|
fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldap.LDAPEscapeFilter(username)),
|
|
[]string{"displayName", "mail", "jpegphoto"},
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
entry := userSearch.GetEntry(0)
|
|
user := UserData{
|
|
isAuth: true,
|
|
DisplayName: entry.GetAttributeValue("displayName"),
|
|
Email: entry.GetAttributeValue("mail"),
|
|
}
|
|
|
|
photoData := entry.GetRawAttributeValue("jpegphoto")
|
|
if len(photoData) > 0 {
|
|
components.CreateUserPhoto(username, photoData)
|
|
}
|
|
return &user, nil
|
|
}
|
|
|
|
type LoginPageData struct {
|
|
IsHiddenClassList string
|
|
}
|
|
|
|
func loginHandler(w http.ResponseWriter, r *http.Request) {
|
|
logging.Info("Handing login page")
|
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
tmpl := template.Must(template.ParseFiles("src/pages/login_page.html"))
|
|
if r.Method == http.MethodGet {
|
|
logging.Info("Rending login page")
|
|
tmpl.Execute(w, LoginPageData{IsHiddenClassList: "hidden"})
|
|
return
|
|
}
|
|
|
|
// 2. Logic for processing the form
|
|
if r.Method == http.MethodPost {
|
|
username := r.FormValue("username")
|
|
if strings.Contains(username, "/") {
|
|
tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
|
|
}
|
|
password := r.FormValue("password")
|
|
|
|
logging.Infof("New Login request for %s\n", username)
|
|
newUserData, err := authenticateUser(username, password)
|
|
userDataMutex.Lock()
|
|
userData[username] = newUserData
|
|
userDataMutex.Unlock()
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
|
|
} else {
|
|
if newUserData.isAuth == true {
|
|
cookie, err := sessionManager.CreateSession(username)
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
http.Error(w, "Session error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
http.SetCookie(w, cookie)
|
|
http.Redirect(w, r, "/profile", http.StatusFound)
|
|
} else {
|
|
tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
type ProfileData struct {
|
|
Username string
|
|
Email string
|
|
DisplayName string
|
|
CSRFToken string
|
|
}
|
|
|
|
func profileHandler(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
sessionData, err := sessionManager.GetSession(r)
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
if r.Method == http.MethodGet {
|
|
tmpl := template.Must(template.ParseFiles("src/pages/profile_page.html"))
|
|
userDataMutex.RLock()
|
|
tmpl.Execute(w, ProfileData{
|
|
Username: sessionData.UserID,
|
|
Email: userData[sessionData.UserID].Email,
|
|
DisplayName: userData[sessionData.UserID].DisplayName,
|
|
CSRFToken: sessionData.CSRFToken,
|
|
})
|
|
userDataMutex.RUnlock()
|
|
return
|
|
}
|
|
}
|
|
|
|
func logoutHandler(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie("session_token")
|
|
if err != nil {
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
token := cookie.Value
|
|
|
|
sessionData, err := sessionManager.GetSession(r)
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
}
|
|
if r.FormValue("csrf_token") != sessionData.CSRFToken {
|
|
http.Error(w, "Unable to log user out", http.StatusForbidden)
|
|
logging.Debugf("%s attempted to logout with invalid csrf token", sessionData.UserID)
|
|
return
|
|
}
|
|
logging.Infof("handling logout event for %s", sessionData.UserID)
|
|
|
|
sessionManager.DeleteSession(token)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
}
|
|
|
|
func faviconHandler(w http.ResponseWriter, r *http.Request) {
|
|
logging.Info("Requesting Favicon")
|
|
http.ServeFile(w, r, serverConfig.StyleConfig.FaviconPath)
|
|
}
|
|
|
|
func logoHandler(w http.ResponseWriter, r *http.Request) {
|
|
logging.Info("Requesting Logo")
|
|
http.ServeFile(w, r, serverConfig.StyleConfig.LogoPath)
|
|
}
|
|
|
|
func changePasswordHandler(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
sessionData, err := sessionManager.GetSession(r)
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
w.Write([]byte(`{"success": false, "error": "Not authenticated"}`))
|
|
return
|
|
}
|
|
|
|
err = r.ParseMultipartForm(10 << 20)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
w.Write([]byte(`{"success": false, "error": "Bad request"}`))
|
|
return
|
|
}
|
|
|
|
if r.FormValue("csrf_token") != sessionData.CSRFToken {
|
|
w.WriteHeader(http.StatusForbidden)
|
|
w.Write([]byte(`{"success": false, "error": "CSRF Forbidden"}`))
|
|
return
|
|
}
|
|
|
|
oldPassword := r.FormValue("old_password")
|
|
newPassword := r.FormValue("new_password")
|
|
newPasswordRepeat := r.FormValue("new_password_repeat")
|
|
|
|
if newPassword != newPasswordRepeat {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
w.Write([]byte(`{"success": false, "error": "Passwords do not match"}`))
|
|
return
|
|
}
|
|
|
|
userDN := fmt.Sprintf(
|
|
"uid=%s,cn=users,cn=accounts,%s",
|
|
sessionData.UserID,
|
|
serverConfig.LDAPConfig.BaseDN,
|
|
)
|
|
|
|
err = ldapServer.ChangePassword(userDN, oldPassword, newPassword)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
if strings.Contains(err.Error(), "Invalid Credentials") {
|
|
w.Write([]byte(`{"success": false, "error": "Current password incorrect"}`))
|
|
} else if strings.Contains(err.Error(), "Too soon to change password") {
|
|
w.Write([]byte(`{"success": false, "error": "Too soon to change password"}`))
|
|
} else {
|
|
w.Write([]byte(`{"success": false, "error": "Internal error"}`))
|
|
}
|
|
return
|
|
}
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
w.Write([]byte(`{"success": true}`))
|
|
}
|
|
|
|
func main() {
|
|
logging.Info("Starting the server")
|
|
sessionManager = session.GetSessionManager()
|
|
sessionManager.SetStoreType(session.InMemory)
|
|
|
|
var err error
|
|
serverConfig, err = loadServerConfig("./data/config.json")
|
|
if err != nil {
|
|
log.Fatal("Could not load server config")
|
|
}
|
|
|
|
noReplyEmail = email.CreateEmailAccount(email.EmailAccountData{
|
|
Username: serverConfig.EmailConfig.Username,
|
|
Password: serverConfig.EmailConfig.Password,
|
|
Email: serverConfig.EmailConfig.Email,
|
|
}, serverConfig.EmailConfig.SMTPURL, serverConfig.EmailConfig.SMTPPort)
|
|
|
|
funcs := template.FuncMap{
|
|
"avatar": func(username string) string {
|
|
return serverConfig.WebserverConfig.BaseURL + "/avatar?user=" + url.QueryEscape(username)
|
|
},
|
|
}
|
|
|
|
data := map[string]any{
|
|
"Username": "gawells",
|
|
}
|
|
|
|
email_template, err := email.RenderTemplate("./data/email-templates/expired-password.html", data, funcs)
|
|
if err != nil {
|
|
logging.Errorf("Failed to load email template: %s", err.Error())
|
|
}
|
|
noReplyEmail.SendEmail([]string{"gawells@astraltech.xyz"}, "Test", email_template)
|
|
|
|
ldapServer = ldap.LDAPServer{
|
|
URL: serverConfig.LDAPConfig.LDAPURL,
|
|
StartTLS: serverConfig.LDAPConfig.Security == "tls",
|
|
IgnoreInsecureCert: serverConfig.LDAPConfig.IgnoreInvalidCert,
|
|
}
|
|
|
|
components.LDAPServer = &ldapServer
|
|
components.BaseDN = serverConfig.LDAPConfig.BaseDN
|
|
components.ServiceUserBindDN = serverConfig.LDAPConfig.BindDN
|
|
components.ServiceUserPassword = serverConfig.LDAPConfig.BindPassword
|
|
|
|
connected, err := ldapServer.TestConnection()
|
|
if connected != true || err != nil {
|
|
if err != nil {
|
|
logging.Error(err.Error())
|
|
}
|
|
logging.Fatal("Failed to connect to LDAP server")
|
|
}
|
|
|
|
helpers.HandleFunc("/favicon.ico", faviconHandler)
|
|
helpers.HandleFunc("/logo", logoHandler)
|
|
|
|
http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
|
|
helpers.HandleFunc("/login", loginHandler)
|
|
helpers.HandleFunc("/profile", profileHandler)
|
|
helpers.HandleFunc("/logout", logoutHandler)
|
|
|
|
helpers.HandleFunc("/avatar", components.AvatarHandler)
|
|
helpers.HandleFunc("/change-photo", components.UploadPhotoHandler)
|
|
helpers.HandleFunc("/change-password", changePasswordHandler)
|
|
|
|
helpers.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
|
http.Redirect(w, r, "/profile", http.StatusFound) // 302 redirect
|
|
})
|
|
|
|
serverAddress := fmt.Sprintf(":%d", serverConfig.WebserverConfig.Port)
|
|
logging.Fatal(http.ListenAndServe(serverAddress, nil).Error())
|
|
}
|