feat(auth): add authentication, RBAC, API tokens, and default admin
Add a complete authentication and authorization system to Silo with three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak), session management, API token support, and role-based access control. Authentication backends: - Local: bcrypt (cost 12) password verification against users table - LDAP: FreeIPA simple bind with group-to-role mapping - OIDC: Keycloak redirect flow with realm role mapping - Backends are tried in order; users upserted to DB on first login Session and token management: - PostgreSQL-backed sessions via alexedwards/scs + pgxstore - Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once) - 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies Role-based access control (admin > editor > viewer): - RequireAuth middleware: Bearer token -> session -> redirect/401 - RequireRole middleware: per-route-group minimum role enforcement - CSRF protection via justinas/nosurf on web forms, API exempt - CORS locked to configured origins when auth enabled Route restructuring: - Public: /health, /ready, /login, /auth/oidc, /auth/callback - Web (auth + CSRF): /, /projects, /schemas, /settings - API read (viewer): GET /api/** - API write (editor): POST/PUT/PATCH/DELETE /api/** User context wiring: - created_by/updated_by columns on items, projects, relationships - All create/update handlers populate tracking fields from context - CSV and BOM import handlers pass authenticated username - Revision creation tracks user across all code paths Default admin account: - Configurable via auth.local.default_admin_username/password - Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD - Idempotent: created on first startup, skipped if exists CLI and FreeCAD plugin: - silo token create/list/revoke subcommands (HTTP API client) - FreeCAD SiloClient sends Bearer token on all requests - Token read from ApiToken preference or SILO_API_TOKEN env var Web UI: - Login page (Catppuccin Mocha themed, OIDC button conditional) - Settings page with account info and API token management - User display name, role badge, and logout button in header - One-time token display banner with copy-to-clipboard Database (migration 009): - users table with role, auth_source, oidc_subject, password_hash - api_tokens table with SHA-256 hash, prefix, expiry, scopes - sessions table (scs pgxstore schema) - audit_log table (schema ready for future use) - created_by/updated_by ALTER on items, relationships, projects New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3, justinas/nosurf, golang.org/x/oauth2
This commit is contained in:
Forbes
@@ -10,7 +10,10 @@ import (
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/alexedwards/scs/v2"
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/kindredsystems/silo/internal/auth"
|
||||
"github.com/kindredsystems/silo/internal/config"
|
||||
"github.com/kindredsystems/silo/internal/db"
|
||||
"github.com/kindredsystems/silo/internal/partnum"
|
||||
"github.com/kindredsystems/silo/internal/schema"
|
||||
@@ -30,6 +33,11 @@ type Server struct {
|
||||
schemasDir string
|
||||
partgen *partnum.Generator
|
||||
storage *storage.Storage
|
||||
auth *auth.Service
|
||||
sessions *scs.SessionManager
|
||||
oidc *auth.OIDCBackend
|
||||
authConfig *config.AuthConfig
|
||||
webHandler *WebHandler
|
||||
}
|
||||
|
||||
// NewServer creates a new API server.
|
||||
@@ -39,6 +47,10 @@ func NewServer(
|
||||
schemas map[string]*schema.Schema,
|
||||
schemasDir string,
|
||||
store *storage.Storage,
|
||||
authService *auth.Service,
|
||||
sessionManager *scs.SessionManager,
|
||||
oidcBackend *auth.OIDCBackend,
|
||||
authCfg *config.AuthConfig,
|
||||
) *Server {
|
||||
items := db.NewItemRepository(database)
|
||||
projects := db.NewProjectRepository(database)
|
||||
@@ -56,6 +68,10 @@ func NewServer(
|
||||
schemasDir: schemasDir,
|
||||
partgen: partgen,
|
||||
storage: store,
|
||||
auth: authService,
|
||||
sessions: sessionManager,
|
||||
oidc: oidcBackend,
|
||||
authConfig: authCfg,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -358,6 +374,9 @@ func (s *Server) HandleCreateItem(w http.ResponseWriter, r *http.Request) {
|
||||
ItemType: itemType,
|
||||
Description: req.Description,
|
||||
}
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
item.CreatedBy = &user.Username
|
||||
}
|
||||
|
||||
properties := req.Properties
|
||||
if properties == nil {
|
||||
@@ -465,7 +484,11 @@ func (s *Server) HandleUpdateItem(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
// Update the item record (UUID stays the same)
|
||||
if err := s.items.Update(ctx, item.ID, newPartNumber, newItemType, newDescription); err != nil {
|
||||
var updatedBy *string
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
updatedBy = &user.Username
|
||||
}
|
||||
if err := s.items.Update(ctx, item.ID, newPartNumber, newItemType, newDescription, updatedBy); err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to update item")
|
||||
writeError(w, http.StatusInternalServerError, "update_failed", err.Error())
|
||||
return
|
||||
@@ -478,6 +501,9 @@ func (s *Server) HandleUpdateItem(w http.ResponseWriter, r *http.Request) {
|
||||
Properties: req.Properties,
|
||||
Comment: &req.Comment,
|
||||
}
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
rev.CreatedBy = &user.Username
|
||||
}
|
||||
|
||||
if err := s.items.CreateRevision(ctx, rev); err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to create revision")
|
||||
@@ -782,7 +808,11 @@ func (s *Server) HandleRollbackRevision(w http.ResponseWriter, r *http.Request)
|
||||
comment = fmt.Sprintf("Rollback to revision %d", revNum)
|
||||
}
|
||||
|
||||
newRev, err := s.items.CreateRevisionFromExisting(ctx, item.ID, revNum, comment, nil)
|
||||
var createdBy *string
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
createdBy = &user.Username
|
||||
}
|
||||
newRev, err := s.items.CreateRevisionFromExisting(ctx, item.ID, revNum, comment, createdBy)
|
||||
if err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to create rollback revision")
|
||||
writeError(w, http.StatusBadRequest, "rollback_failed", err.Error())
|
||||
@@ -1102,6 +1132,9 @@ func (s *Server) HandleCreateRevision(w http.ResponseWriter, r *http.Request) {
|
||||
Properties: req.Properties,
|
||||
Comment: &req.Comment,
|
||||
}
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
rev.CreatedBy = &user.Username
|
||||
}
|
||||
|
||||
if err := s.items.CreateRevision(ctx, rev); err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to create revision")
|
||||
@@ -1192,6 +1225,9 @@ func (s *Server) HandleUploadFile(w http.ResponseWriter, r *http.Request) {
|
||||
FileSize: &result.Size,
|
||||
Comment: &comment,
|
||||
}
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
rev.CreatedBy = &user.Username
|
||||
}
|
||||
|
||||
if err := s.items.CreateRevision(ctx, rev); err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to create revision")
|
||||
@@ -1387,6 +1423,9 @@ func (s *Server) HandleCreateProject(w http.ResponseWriter, r *http.Request) {
|
||||
Name: req.Name,
|
||||
Description: req.Description,
|
||||
}
|
||||
if user := auth.UserFromContext(ctx); user != nil {
|
||||
project.CreatedBy = &user.Username
|
||||
}
|
||||
|
||||
if err := s.projects.Create(ctx, project); err != nil {
|
||||
s.logger.Error().Err(err).Msg("failed to create project")
|
||||
|
||||
Reference in New Issue
Block a user