Compare commits

...

6 Commits

Author SHA1 Message Date
Christoph Haas
08c8f8eac0 backport username display bugfix (#456) 2025-06-12 19:11:25 +02:00
Christoph Haas
d864e24145 improve logging of OAuth login issues, decrease auth-code exchange timeout (#451)
(cherry picked from commit e3b65ca337)
2025-06-12 19:07:46 +02:00
Christoph Haas
5b56e58fe9 fix self-provisioned peer-generation (#452)
(cherry picked from commit 61d8aa6589)
2025-06-09 17:41:29 +02:00
Christoph Haas
930ef7b573 Merge branch 'master' into stable 2025-05-16 09:58:14 +02:00
Christoph Haas
8816165260 fix duplicate creation of default peer (#437) 2025-05-15 17:59:00 +02:00
Christoph Haas
ab9995350f sanitize external_url, remove trailing slashes 2025-05-15 17:58:34 +02:00
9 changed files with 141 additions and 26 deletions

View File

@@ -61,6 +61,26 @@ const companyName = ref(WGPORTAL_SITE_COMPANY_NAME);
const wgVersion = ref(WGPORTAL_VERSION); const wgVersion = ref(WGPORTAL_VERSION);
const currentYear = ref(new Date().getFullYear()) const currentYear = ref(new Date().getFullYear())
const userDisplayName = computed(() => {
let displayName = "Unknown";
if (auth.IsAuthenticated) {
if (auth.User.Firstname === "" && auth.User.Lastname === "") {
displayName = auth.User.Identifier;
} else if (auth.User.Firstname === "" && auth.User.Lastname !== "") {
displayName = auth.User.Lastname;
} else if (auth.User.Firstname !== "" && auth.User.Lastname === "") {
displayName = auth.User.Firstname;
} else if (auth.User.Firstname !== "" && auth.User.Lastname !== "") {
displayName = auth.User.Firstname + " " + auth.User.Lastname;
}
}
// pad string to 20 characters so that the menu is always the same size on desktop
if (displayName.length < 20 && window.innerWidth > 992) {
displayName = displayName.padStart(20, "\u00A0");
}
return displayName;
})
</script> </script>
<template> <template>
@@ -93,7 +113,7 @@ const currentYear = ref(new Date().getFullYear())
<div class="navbar-nav d-flex justify-content-end"> <div class="navbar-nav d-flex justify-content-end">
<div v-if="auth.IsAuthenticated" class="nav-item dropdown"> <div v-if="auth.IsAuthenticated" class="nav-item dropdown">
<a aria-expanded="false" aria-haspopup="true" class="nav-link dropdown-toggle" data-bs-toggle="dropdown" <a aria-expanded="false" aria-haspopup="true" class="nav-link dropdown-toggle" data-bs-toggle="dropdown"
href="#" role="button">{{ auth.User.Firstname }} {{ auth.User.Lastname }}</a> href="#" role="button">{{ userDisplayName }}</a>
<div class="dropdown-menu"> <div class="dropdown-menu">
<RouterLink :to="{ name: 'profile' }" class="dropdown-item"><i class="fas fa-user"></i> {{ $t('menu.profile') }}</RouterLink> <RouterLink :to="{ name: 'profile' }" class="dropdown-item"><i class="fas fa-user"></i> {{ $t('menu.profile') }}</RouterLink>
<RouterLink :to="{ name: 'settings' }" class="dropdown-item" v-if="auth.IsAdmin || !settings.Setting('ApiAdminOnly')"><i class="fas fa-gears"></i> {{ $t('menu.settings') }}</RouterLink> <RouterLink :to="{ name: 'settings' }" class="dropdown-item" v-if="auth.IsAdmin || !settings.Setting('ApiAdminOnly')"><i class="fas fa-gears"></i> {{ $t('menu.settings') }}</RouterLink>

View File

@@ -57,6 +57,52 @@
} }
} }
}, },
"/auth/login/{provider}/callback": {
"get": {
"produces": [
"application/json"
],
"tags": [
"Authentication"
],
"summary": "Handle the OAuth callback.",
"operationId": "auth_handleOauthCallbackGet",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/model.LoginProviderInfo"
}
}
}
}
}
},
"/auth/login/{provider}/init": {
"get": {
"produces": [
"application/json"
],
"tags": [
"Authentication"
],
"summary": "Initiate the OAuth login flow.",
"operationId": "auth_handleOauthInitiateGet",
"responses": {
"200": {
"description": "OK",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/model.LoginProviderInfo"
}
}
}
}
}
},
"/auth/logout": { "/auth/logout": {
"post": { "post": {
"produces": [ "produces": [

View File

@@ -383,6 +383,8 @@ definitions:
type: boolean type: boolean
MailLinkOnly: MailLinkOnly:
type: boolean type: boolean
MinPasswordLength:
type: integer
PersistentConfigSupported: PersistentConfigSupported:
type: boolean type: boolean
SelfProvisioning: SelfProvisioning:
@@ -456,7 +458,22 @@ paths:
summary: Get all available audit entries. Ordered by timestamp. summary: Get all available audit entries. Ordered by timestamp.
tags: tags:
- Audit - Audit
/auth/{provider}/callback: /auth/login:
post:
operationId: auth_handleLoginPost
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
$ref: '#/definitions/model.LoginProviderInfo'
type: array
summary: Get all available external login providers.
tags:
- Authentication
/auth/login/{provider}/callback:
get: get:
operationId: auth_handleOauthCallbackGet operationId: auth_handleOauthCallbackGet
produces: produces:
@@ -471,7 +488,7 @@ paths:
summary: Handle the OAuth callback. summary: Handle the OAuth callback.
tags: tags:
- Authentication - Authentication
/auth/{provider}/init: /auth/login/{provider}/init:
get: get:
operationId: auth_handleOauthInitiateGet operationId: auth_handleOauthInitiateGet
produces: produces:
@@ -486,21 +503,6 @@ paths:
summary: Initiate the OAuth login flow. summary: Initiate the OAuth login flow.
tags: tags:
- Authentication - Authentication
/auth/login:
post:
operationId: auth_handleLoginPost
produces:
- application/json
responses:
"200":
description: OK
schema:
items:
$ref: '#/definitions/model.LoginProviderInfo'
type: array
summary: Get all available external login providers.
tags:
- Authentication
/auth/logout: /auth/logout:
post: post:
operationId: auth_handleLogoutPost operationId: auth_handleLogoutPost

View File

@@ -2,6 +2,7 @@ package handlers
import ( import (
"context" "context"
"log/slog"
"net/http" "net/http"
"net/url" "net/url"
"strconv" "strconv"
@@ -132,7 +133,7 @@ func (e AuthEndpoint) handleSessionInfoGet() http.HandlerFunc {
// @Summary Initiate the OAuth login flow. // @Summary Initiate the OAuth login flow.
// @Produce json // @Produce json
// @Success 200 {object} []model.LoginProviderInfo // @Success 200 {object} []model.LoginProviderInfo
// @Router /auth/{provider}/init [get] // @Router /auth/login/{provider}/init [get]
func (e AuthEndpoint) handleOauthInitiateGet() http.HandlerFunc { func (e AuthEndpoint) handleOauthInitiateGet() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
currentSession := e.session.GetData(r.Context()) currentSession := e.session.GetData(r.Context())
@@ -177,6 +178,8 @@ func (e AuthEndpoint) handleOauthInitiateGet() http.HandlerFunc {
authCodeUrl, state, nonce, err := e.authService.OauthLoginStep1(context.Background(), provider) authCodeUrl, state, nonce, err := e.authService.OauthLoginStep1(context.Background(), provider)
if err != nil { if err != nil {
slog.Debug("failed to create oauth auth code URL",
"provider", provider, "error", err)
if autoRedirect && e.isValidReturnUrl(returnTo) { if autoRedirect && e.isValidReturnUrl(returnTo) {
redirectToReturn() redirectToReturn()
} else { } else {
@@ -211,7 +214,7 @@ func (e AuthEndpoint) handleOauthInitiateGet() http.HandlerFunc {
// @Summary Handle the OAuth callback. // @Summary Handle the OAuth callback.
// @Produce json // @Produce json
// @Success 200 {object} []model.LoginProviderInfo // @Success 200 {object} []model.LoginProviderInfo
// @Router /auth/{provider}/callback [get] // @Router /auth/login/{provider}/callback [get]
func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc { func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
currentSession := e.session.GetData(r.Context()) currentSession := e.session.GetData(r.Context())
@@ -249,6 +252,8 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
oauthState := request.Query(r, "state") oauthState := request.Query(r, "state")
if provider != currentSession.OauthProvider { if provider != currentSession.OauthProvider {
slog.Debug("invalid oauth provider in callback",
"expected", currentSession.OauthProvider, "got", provider, "state", oauthState)
if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) { if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) {
redirectToReturn() redirectToReturn()
} else { } else {
@@ -258,6 +263,8 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
return return
} }
if oauthState != currentSession.OauthState { if oauthState != currentSession.OauthState {
slog.Debug("invalid oauth state in callback",
"expected", currentSession.OauthState, "got", oauthState, "provider", provider)
if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) { if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) {
redirectToReturn() redirectToReturn()
} else { } else {
@@ -267,11 +274,13 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
return return
} }
loginCtx, cancel := context.WithTimeout(context.Background(), 1000*time.Second) loginCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second) // avoid long waits
user, err := e.authService.OauthLoginStep2(loginCtx, provider, currentSession.OauthNonce, user, err := e.authService.OauthLoginStep2(loginCtx, provider, currentSession.OauthNonce,
oauthCode) oauthCode)
cancel() cancel()
if err != nil { if err != nil {
slog.Debug("failed to process oauth code",
"provider", provider, "state", oauthState, "error", err)
if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) { if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) {
redirectToReturn() redirectToReturn()
} else { } else {

View File

@@ -3,6 +3,7 @@ package wireguard
import ( import (
"context" "context"
"log/slog" "log/slog"
"sync"
"time" "time"
"github.com/h44z/wg-portal/internal/app" "github.com/h44z/wg-portal/internal/app"
@@ -76,6 +77,8 @@ type Manager struct {
db InterfaceAndPeerDatabaseRepo db InterfaceAndPeerDatabaseRepo
wg InterfaceController wg InterfaceController
quick WgQuickController quick WgQuickController
userLockMap *sync.Map
} }
func NewWireGuardManager( func NewWireGuardManager(
@@ -86,11 +89,12 @@ func NewWireGuardManager(
db InterfaceAndPeerDatabaseRepo, db InterfaceAndPeerDatabaseRepo,
) (*Manager, error) { ) (*Manager, error) {
m := &Manager{ m := &Manager{
cfg: cfg, cfg: cfg,
bus: bus, bus: bus,
wg: wg, wg: wg,
db: db, db: db,
quick: quick, quick: quick,
userLockMap: &sync.Map{},
} }
m.connectToMessageBus() m.connectToMessageBus()
@@ -117,6 +121,12 @@ func (m Manager) handleUserCreationEvent(user domain.User) {
return return
} }
_, loaded := m.userLockMap.LoadOrStore(user.Identifier, "create")
if loaded {
return // another goroutine is already handling this user
}
defer m.userLockMap.Delete(user.Identifier)
slog.Debug("handling new user event", "user", user.Identifier) slog.Debug("handling new user event", "user", user.Identifier)
ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo()) ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
@@ -132,6 +142,12 @@ func (m Manager) handleUserLoginEvent(userId domain.UserIdentifier) {
return return
} }
_, loaded := m.userLockMap.LoadOrStore(userId, "login")
if loaded {
return // another goroutine is already handling this user
}
defer m.userLockMap.Delete(userId)
userPeers, err := m.db.GetUserPeers(context.Background(), userId) userPeers, err := m.db.GetUserPeers(context.Background(), userId)
if err != nil { if err != nil {
slog.Error("failed to retrieve existing peers prior to default peer creation", slog.Error("failed to retrieve existing peers prior to default peer creation",

View File

@@ -5,6 +5,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"log/slog" "log/slog"
"slices"
"time" "time"
"github.com/h44z/wg-portal/internal/app" "github.com/h44z/wg-portal/internal/app"
@@ -23,12 +24,24 @@ func (m Manager) CreateDefaultPeer(ctx context.Context, userId domain.UserIdenti
return fmt.Errorf("failed to fetch all interfaces: %w", err) return fmt.Errorf("failed to fetch all interfaces: %w", err)
} }
userPeers, err := m.db.GetUserPeers(context.Background(), userId)
if err != nil {
return fmt.Errorf("failed to retrieve existing peers prior to default peer creation: %w", err)
}
var newPeers []domain.Peer var newPeers []domain.Peer
for _, iface := range existingInterfaces { for _, iface := range existingInterfaces {
if iface.Type != domain.InterfaceTypeServer { if iface.Type != domain.InterfaceTypeServer {
continue // only create default peers for server interfaces continue // only create default peers for server interfaces
} }
peerAlreadyCreated := slices.ContainsFunc(userPeers, func(peer domain.Peer) bool {
return peer.InterfaceIdentifier == iface.Identifier
})
if peerAlreadyCreated {
continue // skip creation if a peer already exists for this interface
}
peer, err := m.PreparePeer(ctx, iface.Identifier) peer, err := m.PreparePeer(ctx, iface.Identifier)
if err != nil { if err != nil {
return fmt.Errorf("failed to create default peer for interface %s: %w", iface.Identifier, err) return fmt.Errorf("failed to create default peer for interface %s: %w", iface.Identifier, err)

View File

@@ -190,6 +190,8 @@ func GetConfig() (*Config, error) {
return nil, fmt.Errorf("failed to load config from yaml: %w", err) return nil, fmt.Errorf("failed to load config from yaml: %w", err)
} }
cfg.Web.Sanitize()
return cfg, nil return cfg, nil
} }

View File

@@ -1,5 +1,7 @@
package config package config
import "strings"
// WebConfig contains the configuration for the web server. // WebConfig contains the configuration for the web server.
type WebConfig struct { type WebConfig struct {
// RequestLogging enables logging of all HTTP requests. // RequestLogging enables logging of all HTTP requests.
@@ -26,3 +28,7 @@ type WebConfig struct {
// KeyFile is the path to the TLS certificate key file. // KeyFile is the path to the TLS certificate key file.
KeyFile string `yaml:"key_file"` KeyFile string `yaml:"key_file"`
} }
func (c *WebConfig) Sanitize() {
c.ExternalUrl = strings.TrimRight(c.ExternalUrl, "/")
}

View File

@@ -136,6 +136,7 @@ func (p *Peer) OverwriteUserEditableFields(userPeer *Peer, cfg *config.Config) {
p.Interface.PublicKey = userPeer.Interface.PublicKey p.Interface.PublicKey = userPeer.Interface.PublicKey
p.Interface.PrivateKey = userPeer.Interface.PrivateKey p.Interface.PrivateKey = userPeer.Interface.PrivateKey
p.PresharedKey = userPeer.PresharedKey p.PresharedKey = userPeer.PresharedKey
p.Identifier = userPeer.Identifier
} }
p.Interface.Mtu = userPeer.Interface.Mtu p.Interface.Mtu = userPeer.Interface.Mtu
p.PersistentKeepalive = userPeer.PersistentKeepalive p.PersistentKeepalive = userPeer.PersistentKeepalive