Files
rmm-openwrt/server/internal/httpapi/auth.go
2026-06-04 15:26:43 +03:00

139 lines
4.0 KiB
Go

package httpapi
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"crypto/subtle"
"encoding/base64"
"net/http"
"strconv"
"strings"
"time"
)
const (
operatorSessionCookie = "rmm_operator_session"
operatorSessionTTL = 12 * time.Hour
)
func (a *App) handleLogin(w http.ResponseWriter, r *http.Request) {
var req loginRequest
if !decodeJSON(w, r, &req) {
return
}
if !constantTimeEqual(strings.TrimSpace(req.Username), a.operatorUsername) || !constantTimeEqual(req.Password, a.operatorPassword) {
time.Sleep(250 * time.Millisecond)
writeError(w, http.StatusUnauthorized, "invalid username or password")
return
}
token, expiresAt, err := a.newOperatorSession(req.Username)
if err != nil {
writeError(w, http.StatusInternalServerError, "failed to create session")
return
}
http.SetCookie(w, &http.Cookie{
Name: operatorSessionCookie,
Value: token,
Path: "/",
HttpOnly: true,
Secure: a.cookieSecure,
SameSite: http.SameSiteLaxMode,
Expires: expiresAt,
MaxAge: int(operatorSessionTTL.Seconds()),
})
_, _ = a.store.AddAuditEvent(r.Context(), req.Username, "auth.login", "", "", mustJSON(map[string]string{
"request_id": requestID(r.Context()),
}))
writeJSON(w, http.StatusOK, map[string]any{"username": req.Username, "expires_at": expiresAt})
}
func (a *App) handleLogout(w http.ResponseWriter, r *http.Request) {
username, _ := a.operatorSessionUsername(r)
http.SetCookie(w, &http.Cookie{
Name: operatorSessionCookie,
Value: "",
Path: "/",
HttpOnly: true,
Secure: a.cookieSecure,
SameSite: http.SameSiteLaxMode,
MaxAge: -1,
Expires: time.Unix(0, 0),
})
if username != "" {
_, _ = a.store.AddAuditEvent(r.Context(), username, "auth.logout", "", "", mustJSON(map[string]string{
"request_id": requestID(r.Context()),
}))
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
func (a *App) handleAuthMe(w http.ResponseWriter, r *http.Request) {
username, ok := a.operatorSessionUsername(r)
if !ok {
username = a.operatorUsername
}
writeJSON(w, http.StatusOK, map[string]string{"username": username})
}
func (a *App) newOperatorSession(username string) (string, time.Time, error) {
var nonce [16]byte
if _, err := rand.Read(nonce[:]); err != nil {
return "", time.Time{}, err
}
expiresAt := time.Now().UTC().Add(operatorSessionTTL)
payload := strings.Join([]string{
username,
strconv.FormatInt(expiresAt.Unix(), 10),
base64.RawURLEncoding.EncodeToString(nonce[:]),
}, "|")
encodedPayload := base64.RawURLEncoding.EncodeToString([]byte(payload))
signature := a.signSessionPayload(encodedPayload)
return encodedPayload + "." + signature, expiresAt, nil
}
func (a *App) operatorSessionUsername(r *http.Request) (string, bool) {
cookie, err := r.Cookie(operatorSessionCookie)
if err != nil || cookie.Value == "" {
return "", false
}
encodedPayload, signature, ok := strings.Cut(cookie.Value, ".")
if !ok || !hmac.Equal([]byte(signature), []byte(a.signSessionPayload(encodedPayload))) {
return "", false
}
payloadBytes, err := base64.RawURLEncoding.DecodeString(encodedPayload)
if err != nil {
return "", false
}
parts := strings.Split(string(payloadBytes), "|")
if len(parts) != 3 || !constantTimeEqual(parts[0], a.operatorUsername) {
return "", false
}
expiresUnix, err := strconv.ParseInt(parts[1], 10, 64)
if err != nil || time.Now().UTC().Unix() >= expiresUnix {
return "", false
}
return parts[0], true
}
func (a *App) signSessionPayload(payload string) string {
mac := hmac.New(sha256.New, a.sessionSecret)
_, _ = mac.Write([]byte(payload))
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
func constantTimeEqual(left, right string) bool {
if len(left) != len(right) {
return false
}
return subtle.ConstantTimeCompare([]byte(left), []byte(right)) == 1
}
func (a *App) operatorAuthorized(r *http.Request) bool {
if token, ok := bearerToken(r); ok && constantTimeEqual(token, a.operatorToken) {
return true
}
_, ok := a.operatorSessionUsername(r)
return ok
}