restrict user with a whitelist (#282)
This commit is contained in:
Marco Piovanello
@@ -9,27 +9,28 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type Config struct {
|
type Config struct {
|
||||||
LogPath string `yaml:"log_path"`
|
LogPath string `yaml:"log_path"`
|
||||||
EnableFileLogging bool `yaml:"enable_file_logging"`
|
EnableFileLogging bool `yaml:"enable_file_logging"`
|
||||||
BaseURL string `yaml:"base_url"`
|
BaseURL string `yaml:"base_url"`
|
||||||
Host string `yaml:"host"`
|
Host string `yaml:"host"`
|
||||||
Port int `yaml:"port"`
|
Port int `yaml:"port"`
|
||||||
DownloadPath string `yaml:"downloadPath"`
|
DownloadPath string `yaml:"downloadPath"`
|
||||||
DownloaderPath string `yaml:"downloaderPath"`
|
DownloaderPath string `yaml:"downloaderPath"`
|
||||||
RequireAuth bool `yaml:"require_auth"`
|
RequireAuth bool `yaml:"require_auth"`
|
||||||
Username string `yaml:"username"`
|
Username string `yaml:"username"`
|
||||||
Password string `yaml:"password"`
|
Password string `yaml:"password"`
|
||||||
QueueSize int `yaml:"queue_size"`
|
QueueSize int `yaml:"queue_size"`
|
||||||
LocalDatabasePath string `yaml:"local_database_path"`
|
LocalDatabasePath string `yaml:"local_database_path"`
|
||||||
SessionFilePath string `yaml:"session_file_path"`
|
SessionFilePath string `yaml:"session_file_path"`
|
||||||
path string // private
|
path string // private
|
||||||
UseOpenId bool `yaml:"use_openid"`
|
UseOpenId bool `yaml:"use_openid"`
|
||||||
OpenIdProviderURL string `yaml:"openid_provider_url"`
|
OpenIdProviderURL string `yaml:"openid_provider_url"`
|
||||||
OpenIdClientId string `yaml:"openid_client_id"`
|
OpenIdClientId string `yaml:"openid_client_id"`
|
||||||
OpenIdClientSecret string `yaml:"openid_client_secret"`
|
OpenIdClientSecret string `yaml:"openid_client_secret"`
|
||||||
OpenIdRedirectURL string `yaml:"openid_redirect_url"`
|
OpenIdRedirectURL string `yaml:"openid_redirect_url"`
|
||||||
FrontendPath string `yaml:"frontend_path"`
|
OpenIdEmailWhitelist []string `yaml:"openid_email_whitelist"`
|
||||||
AutoArchive bool `yaml:"auto_archive"`
|
FrontendPath string `yaml:"frontend_path"`
|
||||||
|
AutoArchive bool `yaml:"auto_archive"`
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
|||||||
@@ -6,10 +6,12 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"slices"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/coreos/go-oidc/v3/oidc"
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
|
"github.com/marcopiovanello/yt-dlp-web-ui/v3/server/config"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -76,6 +78,21 @@ func doAuthentification(r *http.Request, setCookieCallback func(t *oauth2.Token)
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var claims struct {
|
||||||
|
Email string `json:"email"`
|
||||||
|
Verified bool `json:"email_verified"`
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := idToken.Claims(&claims); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
whitelist := config.Instance().OpenIdEmailWhitelist
|
||||||
|
|
||||||
|
if len(whitelist) > 0 && !slices.Contains(whitelist, claims.Email) {
|
||||||
|
return nil, errors.New("email address not found in ACL")
|
||||||
|
}
|
||||||
|
|
||||||
nonce, err := r.Cookie("nonce")
|
nonce, err := r.Cookie("nonce")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|||||||
Reference in New Issue
Block a user