Add admin user, and an option to add a user admin on startup
This commit is contained in:
@@ -28,6 +28,8 @@ Or with a volume, for example if you created a volume named `bibliomane_data`:
|
|||||||
|
|
||||||
`--add-user` or `-a` can be used to create an account on startup. It requires a string following htpasswd format `[username]:[bcrypt hashed password]`.
|
`--add-user` or `-a` can be used to create an account on startup. It requires a string following htpasswd format `[username]:[bcrypt hashed password]`.
|
||||||
|
|
||||||
|
Use `--add-admin-user` or `-A` instead to add an user as an admin.
|
||||||
|
|
||||||
The password can be generated using `htpasswd -nBC10 [username]`.
|
The password can be generated using `htpasswd -nBC10 [username]`.
|
||||||
|
|
||||||
For example, to create an user account `demo`:
|
For example, to create an user account `demo`:
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
--users
|
--users
|
||||||
INSERT INTO users(created_at, name, password) VALUES ('NOW', 'demo','$2a$10$7mfCBxBwIzXDU6r9az26o.zPX/r6IlNZVfU9zxSoLVtc0kRPimzba');
|
INSERT INTO users(created_at, name, password) VALUES ('NOW', 'demo','$2a$10$7mfCBxBwIzXDU6r9az26o.zPX/r6IlNZVfU9zxSoLVtc0kRPimzba');
|
||||||
INSERT INTO users(created_at, name, password) VALUES ('NOW', 'demo2','$2a$10$7mfCBxBwIzXDU6r9az26o.zPX/r6IlNZVfU9zxSoLVtc0kRPimzba');
|
INSERT INTO users(created_at, name, password) VALUES ('NOW', 'demo2','$2a$10$7mfCBxBwIzXDU6r9az26o.zPX/r6IlNZVfU9zxSoLVtc0kRPimzba');
|
||||||
|
INSERT INTO users(created_at, name, admin, password) VALUES ('NOW', 'admin', 'true', '$2a$10$7mfCBxBwIzXDU6r9az26o.zPX/r6IlNZVfU9zxSoLVtc0kRPimzba');
|
||||||
|
|
||||||
-- cover
|
-- cover
|
||||||
INSERT INTO static_files(name, path) VALUES ('odingosochateaux.jpg', 'odingosochateaux.jpg');
|
INSERT INTO static_files(name, path) VALUES ('odingosochateaux.jpg', 'odingosochateaux.jpg');
|
||||||
|
|||||||
@@ -28,4 +28,5 @@ func TestGetAppInfo_Ok(t *testing.T) {
|
|||||||
|
|
||||||
assert.Equal(t, false, appInfo.RegistrationDisabled)
|
assert.Equal(t, false, appInfo.RegistrationDisabled)
|
||||||
assert.Equal(t, false, appInfo.DemoMode)
|
assert.Equal(t, false, appInfo.DemoMode)
|
||||||
|
assert.Equal(t, false, appInfo.Admin)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -33,6 +33,7 @@ type Config struct {
|
|||||||
DemoMode bool `toml:"demo-mode" short:"D" default:"false" help:"Activate demo mode." comment:"Activate demo mode: anyone connecting to the instance will be logged in as a single user."`
|
DemoMode bool `toml:"demo-mode" short:"D" default:"false" help:"Activate demo mode." comment:"Activate demo mode: anyone connecting to the instance will be logged in as a single user."`
|
||||||
DemoUsername string `toml:"demo-username" default:"demo" help:"Name of the single user used for the demo." comment:"Name of the single user used for the demo."`
|
DemoUsername string `toml:"demo-username" default:"demo" help:"Name of the single user used for the demo." comment:"Name of the single user used for the demo."`
|
||||||
AddUser UserListAsStrings `toml:"add-user" short:"a" help:"Add users on startup following htpasswd bcrypt format." comment:"Add users on startup following htpasswd bcrypt format, example: [\"demo:$2y$10$UHR2646SZo2W.Rhna7bn5eWNLXWJZ/Sa3oLd9RlxlXs57Bwp6isOS\",\"user:$2y$10$3WYUp.VDpzJRywtrxO1s/uWfUIKpTE4yh5B1d2RCef3hvczYbEWTC\"]"`
|
AddUser UserListAsStrings `toml:"add-user" short:"a" help:"Add users on startup following htpasswd bcrypt format." comment:"Add users on startup following htpasswd bcrypt format, example: [\"demo:$2y$10$UHR2646SZo2W.Rhna7bn5eWNLXWJZ/Sa3oLd9RlxlXs57Bwp6isOS\",\"user:$2y$10$3WYUp.VDpzJRywtrxO1s/uWfUIKpTE4yh5B1d2RCef3hvczYbEWTC\"]"`
|
||||||
|
AddAdminUser UserListAsStrings `toml:"add-admin-user" short:"A" help:"Same as add-user but the added user has admin privilege." comment:"Same as add-user but the added user has admin privilege."`
|
||||||
}
|
}
|
||||||
|
|
||||||
type UserListAsStrings []string
|
type UserListAsStrings []string
|
||||||
|
|||||||
@@ -4,7 +4,6 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"slices"
|
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"git.artlef.fr/bibliomane/internal/appcontext"
|
"git.artlef.fr/bibliomane/internal/appcontext"
|
||||||
@@ -21,13 +20,19 @@ func CreateUser(ac appcontext.AppContext, username string, password string) erro
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
return CreateUserWithHashedPassword(ac, username, string(hashedPassword))
|
|
||||||
|
user := model.User{
|
||||||
|
Name: username,
|
||||||
|
Password: string(hashedPassword),
|
||||||
|
Admin: false,
|
||||||
|
}
|
||||||
|
return CreateUserWithHashedPassword(ac, &user)
|
||||||
}
|
}
|
||||||
|
|
||||||
// only call this method with hashed password
|
// only call this method with hashed password
|
||||||
func CreateUserWithHashedPassword(ac appcontext.AppContext, username string, hashedPassword string) error {
|
func CreateUserWithHashedPassword(ac appcontext.AppContext, userToCreate *model.User) error {
|
||||||
var existingUser model.User
|
var existingUser model.User
|
||||||
err := ac.Db.Where("name = ?", username).First(&existingUser).Error
|
err := ac.Db.Where("name = ?", userToCreate.Name).First(&existingUser).Error
|
||||||
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
|
if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@@ -37,41 +42,72 @@ func CreateUserWithHashedPassword(ac appcontext.AppContext, username string, has
|
|||||||
Err: errors.New(i18nresource.GetTranslatedMessage(&ac, "UserAlreadyExists")),
|
Err: errors.New(i18nresource.GetTranslatedMessage(&ac, "UserAlreadyExists")),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
user := model.User{
|
return ac.Db.Model(&model.User{}).Save(&userToCreate).Error
|
||||||
Name: username,
|
|
||||||
Password: hashedPassword,
|
|
||||||
}
|
|
||||||
return ac.Db.Model(&model.User{}).Save(&user).Error
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func CreateDefaultUsers(ac appcontext.AppContext) error {
|
func CreateDefaultUsers(ac appcontext.AppContext) error {
|
||||||
|
usersPasswordMap, err := createNormalUsersMap(ac)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
err = createDefaultUsersFromMap(ac, usersPasswordMap, false)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
adminUsersPasswordMap, err := createDefaultUsersMap(ac, ac.Config.AddAdminUser)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return createDefaultUsersFromMap(ac, adminUsersPasswordMap, true)
|
||||||
|
}
|
||||||
|
|
||||||
|
func createNormalUsersMap(ac appcontext.AppContext) (map[string]string, error) {
|
||||||
|
usersPasswordMap, err := createDefaultUsersMap(ac, ac.Config.AddUser)
|
||||||
|
if err != nil {
|
||||||
|
return usersPasswordMap, err
|
||||||
|
}
|
||||||
|
_, ok := usersPasswordMap[ac.Config.DemoUsername]
|
||||||
|
if !ok {
|
||||||
|
usersPasswordMap[ac.Config.DemoUsername] = ""
|
||||||
|
}
|
||||||
|
return usersPasswordMap, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func createDefaultUsersMap(ac appcontext.AppContext, adduser []string) (map[string]string, error) {
|
||||||
usersPasswordMap := make(map[string]string)
|
usersPasswordMap := make(map[string]string)
|
||||||
var usernames []string
|
for _, s := range adduser {
|
||||||
for _, s := range ac.Config.AddUser {
|
|
||||||
splittedString := strings.Split(s, ":")
|
splittedString := strings.Split(s, ":")
|
||||||
if len(splittedString) < 2 {
|
if len(splittedString) < 2 {
|
||||||
return fmt.Errorf(i18nresource.GetTranslatedMessage(&ac, "ErrorWhenCreatingUserFromStr"), s)
|
return usersPasswordMap,
|
||||||
|
fmt.Errorf(i18nresource.GetTranslatedMessage(&ac, "ErrorWhenCreatingUserFromStr"), s)
|
||||||
}
|
}
|
||||||
usernames = append(usernames, splittedString[0])
|
|
||||||
usersPasswordMap[splittedString[0]] = splittedString[1]
|
usersPasswordMap[splittedString[0]] = splittedString[1]
|
||||||
}
|
}
|
||||||
if !slices.Contains(usernames, ac.Config.DemoUsername) {
|
return usersPasswordMap, nil
|
||||||
usernames = append(usernames, ac.Config.DemoUsername)
|
}
|
||||||
usersPasswordMap[ac.Config.DemoUsername] = ""
|
|
||||||
|
|
||||||
}
|
func createDefaultUsersFromMap(
|
||||||
|
ac appcontext.AppContext,
|
||||||
|
usersPasswordMap map[string]string,
|
||||||
|
isAdmin bool) error {
|
||||||
|
|
||||||
var existingUsers []model.User
|
var existingUsers []model.User
|
||||||
err := ac.Db.Where("name IN ?", usernames).Find(&existingUsers).Error
|
err := ac.Db.Where("name IN ?", mapToArrayKey(usersPasswordMap)).Find(&existingUsers).Error
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, username := range usernames {
|
for username, password := range usersPasswordMap {
|
||||||
if isInExistingUsers(username, existingUsers) {
|
if isInExistingUsers(username, existingUsers) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
err = CreateUserWithHashedPassword(ac, username, usersPasswordMap[username])
|
|
||||||
|
user := model.User{
|
||||||
|
Name: username,
|
||||||
|
Password: password,
|
||||||
|
Admin: isAdmin,
|
||||||
|
}
|
||||||
|
err = CreateUserWithHashedPassword(ac, &user)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@@ -87,3 +123,11 @@ func isInExistingUsers(username string, existingUsers []model.User) bool {
|
|||||||
}
|
}
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func mapToArrayKey(m map[string]string) []string {
|
||||||
|
var a []string
|
||||||
|
for k := range m {
|
||||||
|
a = append(a, k)
|
||||||
|
}
|
||||||
|
return a
|
||||||
|
}
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ type AppInfo struct {
|
|||||||
RegistrationDisabled bool `json:"registrationDisabled"`
|
RegistrationDisabled bool `json:"registrationDisabled"`
|
||||||
DemoMode bool `json:"demoMode"`
|
DemoMode bool `json:"demoMode"`
|
||||||
DemoUsername string `json:"demoUsername"`
|
DemoUsername string `json:"demoUsername"`
|
||||||
|
Admin bool `json:"admin"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type FullBookGet struct {
|
type FullBookGet struct {
|
||||||
|
|||||||
@@ -1,10 +1,12 @@
|
|||||||
package jwtauth
|
package jwtauth
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"strconv"
|
||||||
|
|
||||||
"github.com/golang-jwt/jwt/v5"
|
"github.com/golang-jwt/jwt/v5"
|
||||||
)
|
)
|
||||||
|
|
||||||
func GenerateJwtToken(username string) (string, error) {
|
func GenerateJwtToken(username string, admin bool) (string, error) {
|
||||||
var s string
|
var s string
|
||||||
key, err := GetJwtKey()
|
key, err := GetJwtKey()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -14,6 +16,7 @@ func GenerateJwtToken(username string) (string, error) {
|
|||||||
jwt.MapClaims{
|
jwt.MapClaims{
|
||||||
"iss": "bibliomane",
|
"iss": "bibliomane",
|
||||||
"sub": username,
|
"sub": username,
|
||||||
|
"admin": strconv.FormatBool(admin),
|
||||||
})
|
})
|
||||||
return t.SignedString(key)
|
return t.SignedString(key)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ package middleware
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"git.artlef.fr/bibliomane/internal/jwtauth"
|
"git.artlef.fr/bibliomane/internal/jwtauth"
|
||||||
@@ -27,29 +28,33 @@ func Auth() gin.HandlerFunc {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
username, err := parseUserFromJwt(c)
|
jwtokenStr := jwtFromBearerToken(c.GetHeader("Authorization"))
|
||||||
|
jwtoken, err := jwt.Parse(jwtokenStr,
|
||||||
|
func(token *jwt.Token) (any, error) {
|
||||||
|
return jwtauth.GetJwtKey()
|
||||||
|
}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.AbortWithStatusJSON(http.StatusUnauthorized,
|
abortError(c)
|
||||||
gin.H{"error": "You must be logged in to access this resource."})
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
//check admin rights
|
||||||
|
if strings.HasPrefix(c.FullPath(), "/ws/admin/") && !hasAdminRights(jwtoken) {
|
||||||
|
c.AbortWithStatusJSON(http.StatusForbidden,
|
||||||
|
gin.H{"error": "You do not have the right to access this resource."})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
username, err := jwtoken.Claims.GetSubject()
|
||||||
|
if err != nil {
|
||||||
|
abortError(c)
|
||||||
} else {
|
} else {
|
||||||
c.Set("user", username)
|
c.Set("user", username)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseUserFromJwt(c *gin.Context) (string, error) {
|
|
||||||
|
|
||||||
jwtokenStr := jwtFromBearerToken(c.GetHeader("Authorization"))
|
|
||||||
jwtoken, parseErr := jwt.Parse(jwtokenStr,
|
|
||||||
func(token *jwt.Token) (any, error) {
|
|
||||||
return jwtauth.GetJwtKey()
|
|
||||||
}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
|
|
||||||
if parseErr != nil {
|
|
||||||
return "", parseErr
|
|
||||||
}
|
|
||||||
return jwtoken.Claims.GetSubject()
|
|
||||||
}
|
|
||||||
|
|
||||||
func jwtFromBearerToken(bearerToken string) string {
|
func jwtFromBearerToken(bearerToken string) string {
|
||||||
splitToken := strings.Split(bearerToken, " ")
|
splitToken := strings.Split(bearerToken, " ")
|
||||||
if len(splitToken) == 2 {
|
if len(splitToken) == 2 {
|
||||||
@@ -58,3 +63,28 @@ func jwtFromBearerToken(bearerToken string) string {
|
|||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func hasAdminRights(token *jwt.Token) bool {
|
||||||
|
claims, ok := token.Claims.(jwt.MapClaims)
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
raw, ok := claims["admin"]
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
adminStr, ok := raw.(string)
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
isAdmin, err := strconv.ParseBool(adminStr)
|
||||||
|
if err != nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return isAdmin
|
||||||
|
}
|
||||||
|
|
||||||
|
func abortError(c *gin.Context) {
|
||||||
|
c.AbortWithStatusJSON(http.StatusUnauthorized,
|
||||||
|
gin.H{"error": "You must be logged in to access this resource."})
|
||||||
|
}
|
||||||
|
|||||||
@@ -6,5 +6,5 @@ type User struct {
|
|||||||
gorm.Model
|
gorm.Model
|
||||||
Name string `gorm:"index;uniqueIndex"`
|
Name string `gorm:"index;uniqueIndex"`
|
||||||
Password string
|
Password string
|
||||||
UserBooks []UserBook
|
Admin bool
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,12 +5,24 @@ import (
|
|||||||
|
|
||||||
"git.artlef.fr/bibliomane/internal/appcontext"
|
"git.artlef.fr/bibliomane/internal/appcontext"
|
||||||
"git.artlef.fr/bibliomane/internal/dto"
|
"git.artlef.fr/bibliomane/internal/dto"
|
||||||
|
"git.artlef.fr/bibliomane/internal/myvalidator"
|
||||||
)
|
)
|
||||||
|
|
||||||
func GetAppInfo(ac appcontext.AppContext) {
|
func GetAppInfo(ac appcontext.AppContext) {
|
||||||
|
admin := false
|
||||||
|
_, userIsInContext := ac.C.Get("user")
|
||||||
|
if userIsInContext {
|
||||||
|
user, err := ac.GetAuthenticatedUser()
|
||||||
|
if err != nil {
|
||||||
|
myvalidator.ReturnErrorsAsJsonResponse(&ac, err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
admin = user.Admin
|
||||||
|
}
|
||||||
ac.C.JSON(http.StatusOK, dto.AppInfo{
|
ac.C.JSON(http.StatusOK, dto.AppInfo{
|
||||||
RegistrationDisabled: ac.Config.DisableRegistration,
|
RegistrationDisabled: ac.Config.DisableRegistration,
|
||||||
DemoMode: ac.Config.DemoMode,
|
DemoMode: ac.Config.DemoMode,
|
||||||
DemoUsername: ac.Config.DemoUsername,
|
DemoUsername: ac.Config.DemoUsername,
|
||||||
|
Admin: admin,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,12 +12,12 @@ import (
|
|||||||
"git.artlef.fr/bibliomane/internal/myvalidator"
|
"git.artlef.fr/bibliomane/internal/myvalidator"
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
"golang.org/x/crypto/bcrypt"
|
"golang.org/x/crypto/bcrypt"
|
||||||
"gorm.io/gorm"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func PostLoginHandler(ac appcontext.AppContext) {
|
func PostLoginHandler(ac appcontext.AppContext) {
|
||||||
|
|
||||||
var username string
|
var username string
|
||||||
|
admin := false
|
||||||
|
|
||||||
if !ac.Config.DemoMode {
|
if !ac.Config.DemoMode {
|
||||||
var user dto.UserLogin
|
var user dto.UserLogin
|
||||||
@@ -26,19 +26,23 @@ func PostLoginHandler(ac appcontext.AppContext) {
|
|||||||
myvalidator.ReturnErrorsAsJsonResponse(&ac, err)
|
myvalidator.ReturnErrorsAsJsonResponse(&ac, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
var userDb model.User
|
||||||
|
ac.Db.Where("name = ?", user.Username).First(&userDb)
|
||||||
|
|
||||||
if !ac.Config.DemoMode && !isUserAndPasswordOk(ac.Db, user.Username, user.Password) {
|
if !ac.Config.DemoMode &&
|
||||||
|
bcrypt.CompareHashAndPassword([]byte(userDb.Password), []byte(user.Password)) != nil {
|
||||||
ac.C.JSON(http.StatusUnauthorized,
|
ac.C.JSON(http.StatusUnauthorized,
|
||||||
gin.H{"error": i18nresource.GetTranslatedMessage(&ac, "InvalidCredentials")})
|
gin.H{"error": i18nresource.GetTranslatedMessage(&ac, "InvalidCredentials")})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
username = user.Username
|
username = user.Username
|
||||||
|
admin = userDb.Admin
|
||||||
} else {
|
} else {
|
||||||
username = ac.Config.DemoUsername
|
username = ac.Config.DemoUsername
|
||||||
}
|
}
|
||||||
|
|
||||||
var jwtToken string
|
var jwtToken string
|
||||||
jwtToken, err := jwtauth.GenerateJwtToken(username)
|
jwtToken, err := jwtauth.GenerateJwtToken(username, admin)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
ac.C.JSON(http.StatusUnauthorized,
|
ac.C.JSON(http.StatusUnauthorized,
|
||||||
gin.H{"error": fmt.Errorf("Error when generating JWT token: %w", err)})
|
gin.H{"error": fmt.Errorf("Error when generating JWT token: %w", err)})
|
||||||
@@ -46,10 +50,3 @@ func PostLoginHandler(ac appcontext.AppContext) {
|
|||||||
}
|
}
|
||||||
ac.C.JSON(http.StatusOK, gin.H{"message": i18nresource.GetTranslatedMessage(&ac, "AuthenticationSuccess"), "token": jwtToken})
|
ac.C.JSON(http.StatusOK, gin.H{"message": i18nresource.GetTranslatedMessage(&ac, "AuthenticationSuccess"), "token": jwtToken})
|
||||||
}
|
}
|
||||||
|
|
||||||
func isUserAndPasswordOk(db *gorm.DB, username string, password string) bool {
|
|
||||||
var user model.User
|
|
||||||
db.Where("name = ?", username).First(&user)
|
|
||||||
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
|
|
||||||
return err == nil
|
|
||||||
}
|
|
||||||
|
|||||||
Reference in New Issue
Block a user