feat(auth): add authentication, RBAC, API tokens, and default admin
Add a complete authentication and authorization system to Silo with three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak), session management, API token support, and role-based access control. Authentication backends: - Local: bcrypt (cost 12) password verification against users table - LDAP: FreeIPA simple bind with group-to-role mapping - OIDC: Keycloak redirect flow with realm role mapping - Backends are tried in order; users upserted to DB on first login Session and token management: - PostgreSQL-backed sessions via alexedwards/scs + pgxstore - Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once) - 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies Role-based access control (admin > editor > viewer): - RequireAuth middleware: Bearer token -> session -> redirect/401 - RequireRole middleware: per-route-group minimum role enforcement - CSRF protection via justinas/nosurf on web forms, API exempt - CORS locked to configured origins when auth enabled Route restructuring: - Public: /health, /ready, /login, /auth/oidc, /auth/callback - Web (auth + CSRF): /, /projects, /schemas, /settings - API read (viewer): GET /api/** - API write (editor): POST/PUT/PATCH/DELETE /api/** User context wiring: - created_by/updated_by columns on items, projects, relationships - All create/update handlers populate tracking fields from context - CSV and BOM import handlers pass authenticated username - Revision creation tracks user across all code paths Default admin account: - Configurable via auth.local.default_admin_username/password - Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD - Idempotent: created on first startup, skipped if exists CLI and FreeCAD plugin: - silo token create/list/revoke subcommands (HTTP API client) - FreeCAD SiloClient sends Bearer token on all requests - Token read from ApiToken preference or SILO_API_TOKEN env var Web UI: - Login page (Catppuccin Mocha themed, OIDC button conditional) - Settings page with account info and API token management - User display name, role badge, and logout button in header - One-time token display banner with copy-to-clipboard Database (migration 009): - users table with role, auth_source, oidc_subject, password_hash - api_tokens table with SHA-256 hash, prefix, expiry, scopes - sessions table (scs pgxstore schema) - audit_log table (schema ready for future use) - created_by/updated_by ALTER on items, relationships, projects New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3, justinas/nosurf, golang.org/x/oauth2
This commit is contained in:
Forbes
@@ -6,6 +6,7 @@ import (
|
||||
"github.com/go-chi/chi/v5"
|
||||
"github.com/go-chi/chi/v5/middleware"
|
||||
"github.com/go-chi/cors"
|
||||
"github.com/kindredsystems/silo/internal/auth"
|
||||
"github.com/rs/zerolog"
|
||||
)
|
||||
|
||||
@@ -13,119 +14,170 @@ import (
|
||||
func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
|
||||
r := chi.NewRouter()
|
||||
|
||||
// Middleware stack
|
||||
// Base middleware stack
|
||||
r.Use(middleware.RequestID)
|
||||
r.Use(middleware.RealIP)
|
||||
r.Use(RequestLogger(logger))
|
||||
r.Use(Recoverer(logger))
|
||||
|
||||
// CORS: configurable origins, locked down when auth is enabled
|
||||
corsOrigins := []string{"*"}
|
||||
corsCredentials := false
|
||||
if server.authConfig != nil && server.authConfig.Enabled {
|
||||
if len(server.authConfig.CORS.AllowedOrigins) > 0 {
|
||||
corsOrigins = server.authConfig.CORS.AllowedOrigins
|
||||
}
|
||||
corsCredentials = true
|
||||
}
|
||||
r.Use(cors.Handler(cors.Options{
|
||||
AllowedOrigins: []string{"*"},
|
||||
AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
|
||||
AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-Request-ID"},
|
||||
AllowedOrigins: corsOrigins,
|
||||
AllowedMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
|
||||
AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-Request-ID"},
|
||||
ExposedHeaders: []string{"Link", "X-Request-ID"},
|
||||
AllowCredentials: false,
|
||||
AllowCredentials: corsCredentials,
|
||||
MaxAge: 300,
|
||||
}))
|
||||
|
||||
// Session middleware (must come before auth middleware)
|
||||
if server.sessions != nil {
|
||||
r.Use(server.sessions.LoadAndSave)
|
||||
}
|
||||
|
||||
// Web handler for HTML pages
|
||||
webHandler, err := NewWebHandler(logger)
|
||||
webHandler, err := NewWebHandler(logger, server)
|
||||
if err != nil {
|
||||
logger.Fatal().Err(err).Msg("failed to create web handler")
|
||||
}
|
||||
|
||||
// Health endpoints
|
||||
// Health endpoints (no auth)
|
||||
r.Get("/health", server.HandleHealth)
|
||||
r.Get("/ready", server.HandleReady)
|
||||
|
||||
// Web UI routes
|
||||
r.Get("/", webHandler.HandleIndex)
|
||||
r.Get("/projects", webHandler.HandleProjectsPage)
|
||||
r.Get("/schemas", webHandler.HandleSchemasPage)
|
||||
// Auth endpoints (no auth required)
|
||||
r.Get("/login", server.HandleLoginPage)
|
||||
r.Post("/login", server.HandleLogin)
|
||||
r.Post("/logout", server.HandleLogout)
|
||||
r.Get("/auth/oidc", server.HandleOIDCLogin)
|
||||
r.Get("/auth/callback", server.HandleOIDCCallback)
|
||||
|
||||
// API routes
|
||||
// Web UI routes (require auth + CSRF)
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireAuth)
|
||||
r.Use(server.CSRFProtect)
|
||||
|
||||
r.Get("/", webHandler.HandleIndex)
|
||||
r.Get("/projects", webHandler.HandleProjectsPage)
|
||||
r.Get("/schemas", webHandler.HandleSchemasPage)
|
||||
r.Get("/settings", server.HandleSettingsPage)
|
||||
r.Post("/settings/tokens", server.HandleCreateTokenWeb)
|
||||
r.Post("/settings/tokens/{id}/revoke", server.HandleRevokeTokenWeb)
|
||||
})
|
||||
|
||||
// API routes (require auth, no CSRF — token auth instead)
|
||||
r.Route("/api", func(r chi.Router) {
|
||||
// Schemas
|
||||
r.Use(server.RequireAuth)
|
||||
|
||||
// Auth endpoints
|
||||
r.Get("/auth/me", server.HandleGetCurrentUser)
|
||||
r.Route("/auth/tokens", func(r chi.Router) {
|
||||
r.Get("/", server.HandleListTokens)
|
||||
r.Post("/", server.HandleCreateToken)
|
||||
r.Delete("/{id}", server.HandleRevokeToken)
|
||||
})
|
||||
|
||||
// Schemas (read: viewer, write: editor)
|
||||
r.Route("/schemas", func(r chi.Router) {
|
||||
r.Get("/", server.HandleListSchemas)
|
||||
r.Get("/{name}", server.HandleGetSchema)
|
||||
r.Get("/{name}/properties", server.HandleGetPropertySchema)
|
||||
|
||||
// Schema segment value management
|
||||
r.Route("/{name}/segments/{segment}/values", func(r chi.Router) {
|
||||
r.Post("/", server.HandleAddSchemaValue)
|
||||
r.Put("/{code}", server.HandleUpdateSchemaValue)
|
||||
r.Delete("/{code}", server.HandleDeleteSchemaValue)
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Route("/{name}/segments/{segment}/values", func(r chi.Router) {
|
||||
r.Post("/", server.HandleAddSchemaValue)
|
||||
r.Put("/{code}", server.HandleUpdateSchemaValue)
|
||||
r.Delete("/{code}", server.HandleDeleteSchemaValue)
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
// Projects
|
||||
// Projects (read: viewer, write: editor)
|
||||
r.Route("/projects", func(r chi.Router) {
|
||||
r.Get("/", server.HandleListProjects)
|
||||
r.Post("/", server.HandleCreateProject)
|
||||
r.Get("/{code}", server.HandleGetProject)
|
||||
r.Put("/{code}", server.HandleUpdateProject)
|
||||
r.Delete("/{code}", server.HandleDeleteProject)
|
||||
r.Get("/{code}/items", server.HandleGetProjectItems)
|
||||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Post("/", server.HandleCreateProject)
|
||||
r.Put("/{code}", server.HandleUpdateProject)
|
||||
r.Delete("/{code}", server.HandleDeleteProject)
|
||||
})
|
||||
})
|
||||
|
||||
// Items
|
||||
// Items (read: viewer, write: editor)
|
||||
r.Route("/items", func(r chi.Router) {
|
||||
r.Get("/", server.HandleListItems)
|
||||
r.Get("/search", server.HandleFuzzySearch)
|
||||
r.Post("/", server.HandleCreateItem)
|
||||
|
||||
// CSV Import/Export
|
||||
r.Get("/export.csv", server.HandleExportCSV)
|
||||
r.Post("/import", server.HandleImportCSV)
|
||||
r.Get("/template.csv", server.HandleCSVTemplate)
|
||||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Post("/", server.HandleCreateItem)
|
||||
r.Post("/import", server.HandleImportCSV)
|
||||
})
|
||||
|
||||
r.Route("/{partNumber}", func(r chi.Router) {
|
||||
r.Get("/", server.HandleGetItem)
|
||||
r.Put("/", server.HandleUpdateItem)
|
||||
r.Delete("/", server.HandleDeleteItem)
|
||||
|
||||
// Item project tags
|
||||
r.Get("/projects", server.HandleGetItemProjects)
|
||||
r.Post("/projects", server.HandleAddItemProjects)
|
||||
r.Delete("/projects/{code}", server.HandleRemoveItemProject)
|
||||
|
||||
// Revisions
|
||||
r.Get("/revisions", server.HandleListRevisions)
|
||||
r.Post("/revisions", server.HandleCreateRevision)
|
||||
r.Get("/revisions/compare", server.HandleCompareRevisions)
|
||||
r.Get("/revisions/{revision}", server.HandleGetRevision)
|
||||
r.Patch("/revisions/{revision}", server.HandleUpdateRevision)
|
||||
r.Post("/revisions/{revision}/rollback", server.HandleRollbackRevision)
|
||||
|
||||
// File upload/download
|
||||
r.Post("/file", server.HandleUploadFile)
|
||||
r.Get("/file", server.HandleDownloadLatestFile)
|
||||
r.Get("/file/{revision}", server.HandleDownloadFile)
|
||||
|
||||
// BOM / Relationships
|
||||
r.Get("/bom", server.HandleGetBOM)
|
||||
r.Post("/bom", server.HandleAddBOMEntry)
|
||||
r.Get("/bom/expanded", server.HandleGetExpandedBOM)
|
||||
r.Get("/bom/where-used", server.HandleGetWhereUsed)
|
||||
r.Get("/bom/export.csv", server.HandleExportBOMCSV)
|
||||
r.Post("/bom/import", server.HandleImportBOMCSV)
|
||||
r.Put("/bom/{childPartNumber}", server.HandleUpdateBOMEntry)
|
||||
r.Delete("/bom/{childPartNumber}", server.HandleDeleteBOMEntry)
|
||||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Put("/", server.HandleUpdateItem)
|
||||
r.Delete("/", server.HandleDeleteItem)
|
||||
r.Post("/projects", server.HandleAddItemProjects)
|
||||
r.Delete("/projects/{code}", server.HandleRemoveItemProject)
|
||||
r.Post("/revisions", server.HandleCreateRevision)
|
||||
r.Patch("/revisions/{revision}", server.HandleUpdateRevision)
|
||||
r.Post("/revisions/{revision}/rollback", server.HandleRollbackRevision)
|
||||
r.Post("/file", server.HandleUploadFile)
|
||||
r.Post("/bom", server.HandleAddBOMEntry)
|
||||
r.Post("/bom/import", server.HandleImportBOMCSV)
|
||||
r.Put("/bom/{childPartNumber}", server.HandleUpdateBOMEntry)
|
||||
r.Delete("/bom/{childPartNumber}", server.HandleDeleteBOMEntry)
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
// Integrations
|
||||
// Integrations (read: viewer, write: editor)
|
||||
r.Route("/integrations/odoo", func(r chi.Router) {
|
||||
r.Get("/config", server.HandleGetOdooConfig)
|
||||
r.Put("/config", server.HandleUpdateOdooConfig)
|
||||
r.Get("/sync-log", server.HandleGetOdooSyncLog)
|
||||
r.Post("/test-connection", server.HandleTestOdooConnection)
|
||||
r.Post("/sync/push/{partNumber}", server.HandleOdooPush)
|
||||
r.Post("/sync/pull/{odooId}", server.HandleOdooPull)
|
||||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Put("/config", server.HandleUpdateOdooConfig)
|
||||
r.Post("/test-connection", server.HandleTestOdooConnection)
|
||||
r.Post("/sync/push/{partNumber}", server.HandleOdooPush)
|
||||
r.Post("/sync/pull/{odooId}", server.HandleOdooPull)
|
||||
})
|
||||
})
|
||||
|
||||
// Part number generation
|
||||
r.Post("/generate-part-number", server.HandleGeneratePartNumber)
|
||||
// Part number generation (editor)
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(server.RequireRole(auth.RoleEditor))
|
||||
r.Post("/generate-part-number", server.HandleGeneratePartNumber)
|
||||
})
|
||||
})
|
||||
|
||||
return r
|
||||
|
||||
Reference in New Issue
Block a user