Docs and formatting

This commit is contained in:
branchmispredictor 2020-12-28 15:05:28 -05:00
parent 2fa6523cc1
commit 27891e4492
9 changed files with 28 additions and 49 deletions


@ -654,8 +654,7 @@ Default: `<empty>`
Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/> Identity-Aware Proxy configuration will allow users to authenticate through an identity-aware proxy in front of Vikunja.<br/>
The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`. The proxy needs to supply a signed JWT over HTTP headers with claims for `sub`, `iss`, and `email`.
This JWT must be signed using ECDSA or RSA.
It must also serve the public keys for that signed JWT in the JWKS format. It must also serve the public keys for that signed JWT in the JWKS format.
Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/master/config.yml.sample) for more information about how to configure this authentication.
Default: `<empty>` Default: `<empty>`


@ -106,11 +106,11 @@ func NewUserAuthTokenResponse(u *user.User, c echo.Context) error {
func NewUserJWTAuthtoken(u *user.User) (token string, err error) { func NewUserJWTAuthtoken(u *user.User) (token string, err error) {
// Set claims // Set claims
claims := &AuthClaims{ claims := &AuthClaims{
Type: AuthTypeUser, Type: AuthTypeUser,
UserID: u.ID, UserID: u.ID,
UserUsername: u.Username, UserUsername: u.Username,
UserEmail: u.Email, UserEmail: u.Email,
UserName: u.Name, UserName: u.Name,
UserEmailRemindersEnabled: u.EmailRemindersEnabled, UserEmailRemindersEnabled: u.EmailRemindersEnabled,
StandardClaims: jwt.StandardClaims{ StandardClaims: jwt.StandardClaims{
ExpiresAt: time.Now().Add(time.Hour * 72).Unix(), ExpiresAt: time.Now().Add(time.Hour * 72).Unix(),
@ -249,7 +249,7 @@ func GetJWTConfig() middleware.JWTConfig {
// GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details // GetOrCreateUserFromExternalAuth returns a user after finding or creating a matching user for the provided details
func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) { func GetOrCreateUserFromExternalAuth(s *xorm.Session, issuer, subject, email, name, preferredUsername string) (u *user.User, err error) {
if issuer == "" || subject == "" || email == "" { if issuer == "" || subject == "" || email == "" {
return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."}) return nil, echo.NewHTTPError(http.StatusBadRequest, models.Message{Message: "Missing required data."})
} }
// Check if the user exists for that issuer and subject // Check if the user exists for that issuer and subject


@ -70,7 +70,7 @@ func (err ErrIAPPublicKeysetMissing) HTTPError() web.HTTPError {
} }
// ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error. // ErrIAPUserFrontendMismatch represents a "IAPUserDoesNotMatchFrontendUser" kind of error.
type ErrIAPUserFrontendMismatch struct {} type ErrIAPUserFrontendMismatch struct{}
// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch. // IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.
func IsErrIAPUserFrontendMismatch(err error) bool { func IsErrIAPUserFrontendMismatch(err error) bool {
@ -114,7 +114,7 @@ func (err ErrIAPUnsupportedJWTSigningMethod) HTTPError() web.HTTPError {
} }
// ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error. // ErrIAPJWTMissingKID represents a "ErrIAPJWTMissingKID" kind of error.
type ErrIAPJWTMissingKID struct {} type ErrIAPJWTMissingKID struct{}
// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID. // IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.
func IsErrIAPJWTMissingKID(err error) bool { func IsErrIAPJWTMissingKID(err error) bool {
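Review bot: The doc comments on the two Is* helpers in this section name the wrong function: the line above `IsErrIAPUserFrontendMismatch` reads `// IsErrIAPPublicKeysetMissing checks if an error is a ErrIAPUserFrontendMismatch.` and the line above `IsErrIAPJWTMissingKID` reads `// IsErrIAPUnsupportedJWTSigningMethod checks if an error is a ErrIAPJWTMissingKID.`, which looks like a copy-paste from the preceding error type and breaks godoc's name-first convention. Since this commit is the docs-and-formatting pass, correcting them here to `// IsErrIAPUserFrontendMismatch checks if an error is a ErrIAPUserFrontendMismatch.` and `// IsErrIAPJWTMissingKID checks if an error is a ErrIAPJWTMissingKID.` would fit. The bodies of both functions continue outside the hunks.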


@ -16,4 +16,4 @@
package identityawareproxy package identityawareproxy
// TODO test GetWebAuth() // TODO test GetWebAuth()


@ -67,7 +67,7 @@ type openIDAuthInfo struct {
} }
type identityAwareProxyAuthInfo struct { type identityAwareProxyAuthInfo struct {
Enabled bool `json:"enabled"` Enabled bool `json:"enabled"`
} }
type legalInfo struct { type legalInfo struct {


@ -99,7 +99,7 @@ func RenewToken(c echo.Context) (err error) {
newToken, err := auth.RenewToken(s, c) newToken, err := auth.RenewToken(s, c)
if err != nil { if err != nil {
_ = s.Rollback() _ = s.Rollback()
return handler.HandleHTTPError(err, c) return handler.HandleHTTPError(err, c)
} }
if err := s.Commit(); err != nil { if err := s.Commit(); err != nil {


@ -32,16 +32,11 @@ var doc = `{
"host": "{{.Host}}", "host": "{{.Host}}",
"basePath": "{{.BasePath}}", "basePath": "{{.BasePath}}",
"paths": { "paths": {
"/auth/identityawareproxy/login": { "/auth/identityawareproxy/token": {
"post": { "get": {
"security": [ "description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
{
"JWTKeyAuth": []
}
],
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication ` + "`" + `code` + "`" + `, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
"consumes": [ "consumes": [
"application/json" "N/A"
], ],
"produces": [ "produces": [
"application/json" "application/json"
@ -49,7 +44,7 @@ var doc = `{
"tags": [ "tags": [
"auth" "auth"
], ],
"summary": "Authenticate a user with OpenID Connect", "summary": "Authenticate a user from the Identity-Aware Proxy",
"responses": { "responses": {
"200": { "200": {
"description": "OK", "description": "OK",
@ -8631,9 +8626,6 @@ var doc = `{
"properties": { "properties": {
"enabled": { "enabled": {
"type": "boolean" "type": "boolean"
},
"name": {
"type": "string"
} }
} }
}, },
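Review bot: The regenerated spec gives `"consumes": ["N/A"]` for `GET /auth/identityawareproxy/token`, and `N/A` is not a media type, so OpenAPI validators and client generators that parse the `consumes` list will reject or mishandle this operation. A GET that takes no request body should omit `consumes` entirely; since this is a generated file, the fix presumably belongs in the handler's swag `@Accept` annotation, which is not part of this diff. The same value is carried into the two following generated spec sections (`"N/A"` in the JSON one and `- N/A` in the YAML one), so a single annotation fix would correct all three.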


@ -15,16 +15,11 @@
}, },
"basePath": "/api/v1", "basePath": "/api/v1",
"paths": { "paths": {
"/auth/identityawareproxy/login": { "/auth/identityawareproxy/token": {
"post": { "get": {
"security": [ "description": "Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info",
{
"JWTKeyAuth": []
}
],
"description": "After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in.",
"consumes": [ "consumes": [
"application/json" "N/A"
], ],
"produces": [ "produces": [
"application/json" "application/json"
@ -32,7 +27,7 @@
"tags": [ "tags": [
"auth" "auth"
], ],
"summary": "Authenticate a user with OpenID Connect", "summary": "Authenticate a user from the Identity-Aware Proxy",
"responses": { "responses": {
"200": { "200": {
"description": "OK", "description": "OK",
@ -8614,9 +8609,6 @@
"properties": { "properties": {
"enabled": { "enabled": {
"type": "boolean" "type": "boolean"
},
"name": {
"type": "string"
} }
} }
}, },


@ -1210,8 +1210,6 @@ definitions:
properties: properties:
enabled: enabled:
type: boolean type: boolean
name:
type: string
type: object type: object
v1.legalInfo: v1.legalInfo:
properties: properties:
@ -1338,11 +1336,11 @@ paths:
summary: User Avatar summary: User Avatar
tags: tags:
- user - user
/auth/identityawareproxy/login: /auth/identityawareproxy/token:
post: get:
consumes: consumes:
- application/json - N/A
description: After a redirect from the OpenID Connect provider to the frontend has been made with the authentication `code`, this endpoint can be used to obtain a jwt token for that user and thus log them in. description: Generates a short-lived JWT based on the identity from the identity-aware proxy in order to provide the front-end with user id and username info
produces: produces:
- application/json - application/json
responses: responses:
@ -1354,9 +1352,7 @@ paths:
description: Internal error description: Internal error
schema: schema:
$ref: '#/definitions/models.Message' $ref: '#/definitions/models.Message'
security: summary: Authenticate a user from the Identity-Aware Proxy
- JWTKeyAuth: []
summary: Authenticate a user with OpenID Connect
tags: tags:
- auth - auth
/auth/openid/{provider}/callback: /auth/openid/{provider}/callback: