4f0107f1b2
Add a complete authentication and authorization system to Silo with three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak), session management, API token support, and role-based access control. Authentication backends: - Local: bcrypt (cost 12) password verification against users table - LDAP: FreeIPA simple bind with group-to-role mapping - OIDC: Keycloak redirect flow with realm role mapping - Backends are tried in order; users upserted to DB on first login Session and token management: - PostgreSQL-backed sessions via alexedwards/scs + pgxstore - Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once) - 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies Role-based access control (admin > editor > viewer): - RequireAuth middleware: Bearer token -> session -> redirect/401 - RequireRole middleware: per-route-group minimum role enforcement - CSRF protection via justinas/nosurf on web forms, API exempt - CORS locked to configured origins when auth enabled Route restructuring: - Public: /health, /ready, /login, /auth/oidc, /auth/callback - Web (auth + CSRF): /, /projects, /schemas, /settings - API read (viewer): GET /api/** - API write (editor): POST/PUT/PATCH/DELETE /api/** User context wiring: - created_by/updated_by columns on items, projects, relationships - All create/update handlers populate tracking fields from context - CSV and BOM import handlers pass authenticated username - Revision creation tracks user across all code paths Default admin account: - Configurable via auth.local.default_admin_username/password - Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD - Idempotent: created on first startup, skipped if exists CLI and FreeCAD plugin: - silo token create/list/revoke subcommands (HTTP API client) - FreeCAD SiloClient sends Bearer token on all requests - Token read from ApiToken preference or SILO_API_TOKEN env var Web UI: - Login page (Catppuccin Mocha themed, OIDC button conditional) - Settings page with account info and API token management - User display name, role badge, and logout button in header - One-time token display banner with copy-to-clipboard Database (migration 009): - users table with role, auth_source, oidc_subject, password_hash - api_tokens table with SHA-256 hash, prefix, expiry, scopes - sessions table (scs pgxstore schema) - audit_log table (schema ready for future use) - created_by/updated_by ALTER on items, relationships, projects New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3, justinas/nosurf, golang.org/x/oauth2
223 lines
6.7 KiB
HTML
223 lines
6.7 KiB
HTML
<!doctype html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<title>Login - Silo</title>
|
|
<style>
|
|
:root {
|
|
--ctp-rosewater: #f5e0dc;
|
|
--ctp-flamingo: #f2cdcd;
|
|
--ctp-pink: #f5c2e7;
|
|
--ctp-mauve: #cba6f7;
|
|
--ctp-red: #f38ba8;
|
|
--ctp-maroon: #eba0ac;
|
|
--ctp-peach: #fab387;
|
|
--ctp-yellow: #f9e2af;
|
|
--ctp-green: #a6e3a1;
|
|
--ctp-teal: #94e2d5;
|
|
--ctp-sky: #89dceb;
|
|
--ctp-sapphire: #74c7ec;
|
|
--ctp-blue: #89b4fa;
|
|
--ctp-lavender: #b4befe;
|
|
--ctp-text: #cdd6f4;
|
|
--ctp-subtext1: #bac2de;
|
|
--ctp-subtext0: #a6adc8;
|
|
--ctp-overlay2: #9399b2;
|
|
--ctp-overlay1: #7f849c;
|
|
--ctp-overlay0: #6c7086;
|
|
--ctp-surface2: #585b70;
|
|
--ctp-surface1: #45475a;
|
|
--ctp-surface0: #313244;
|
|
--ctp-base: #1e1e2e;
|
|
--ctp-mantle: #181825;
|
|
--ctp-crust: #11111b;
|
|
}
|
|
|
|
* {
|
|
margin: 0;
|
|
padding: 0;
|
|
box-sizing: border-box;
|
|
}
|
|
|
|
body {
|
|
font-family:
|
|
"Inter",
|
|
-apple-system,
|
|
BlinkMacSystemFont,
|
|
"Segoe UI",
|
|
Roboto,
|
|
sans-serif;
|
|
background-color: var(--ctp-base);
|
|
color: var(--ctp-text);
|
|
display: flex;
|
|
justify-content: center;
|
|
align-items: center;
|
|
min-height: 100vh;
|
|
}
|
|
|
|
.login-card {
|
|
background-color: var(--ctp-surface0);
|
|
border-radius: 1rem;
|
|
padding: 2.5rem;
|
|
width: 100%;
|
|
max-width: 400px;
|
|
margin: 1rem;
|
|
}
|
|
|
|
.login-title {
|
|
color: var(--ctp-mauve);
|
|
text-align: center;
|
|
font-size: 2rem;
|
|
font-weight: 700;
|
|
margin-bottom: 0.25rem;
|
|
}
|
|
|
|
.login-subtitle {
|
|
color: var(--ctp-subtext0);
|
|
text-align: center;
|
|
font-size: 0.9rem;
|
|
margin-bottom: 2rem;
|
|
}
|
|
|
|
.error-msg {
|
|
color: var(--ctp-red);
|
|
background: rgba(243, 139, 168, 0.1);
|
|
border: 1px solid rgba(243, 139, 168, 0.2);
|
|
padding: 0.75rem 1rem;
|
|
border-radius: 0.5rem;
|
|
margin-bottom: 1rem;
|
|
font-size: 0.9rem;
|
|
}
|
|
|
|
.form-group {
|
|
margin-bottom: 1.25rem;
|
|
}
|
|
|
|
.form-label {
|
|
display: block;
|
|
margin-bottom: 0.5rem;
|
|
font-weight: 500;
|
|
color: var(--ctp-subtext1);
|
|
font-size: 0.9rem;
|
|
}
|
|
|
|
.form-input {
|
|
width: 100%;
|
|
padding: 0.75rem 1rem;
|
|
background-color: var(--ctp-base);
|
|
border: 1px solid var(--ctp-surface1);
|
|
border-radius: 0.5rem;
|
|
color: var(--ctp-text);
|
|
font-size: 1rem;
|
|
}
|
|
|
|
.form-input:focus {
|
|
outline: none;
|
|
border-color: var(--ctp-mauve);
|
|
box-shadow: 0 0 0 3px rgba(203, 166, 247, 0.2);
|
|
}
|
|
|
|
.form-input::placeholder {
|
|
color: var(--ctp-overlay0);
|
|
}
|
|
|
|
.btn {
|
|
display: block;
|
|
width: 100%;
|
|
padding: 0.75rem 1.5rem;
|
|
border-radius: 0.5rem;
|
|
font-weight: 600;
|
|
font-size: 1rem;
|
|
cursor: pointer;
|
|
border: none;
|
|
transition: all 0.2s;
|
|
text-align: center;
|
|
text-decoration: none;
|
|
}
|
|
|
|
.btn-primary {
|
|
background-color: var(--ctp-mauve);
|
|
color: var(--ctp-crust);
|
|
}
|
|
|
|
.btn-primary:hover {
|
|
background-color: var(--ctp-lavender);
|
|
}
|
|
|
|
.btn-oidc {
|
|
background-color: var(--ctp-blue);
|
|
color: var(--ctp-crust);
|
|
}
|
|
|
|
.btn-oidc:hover {
|
|
background-color: var(--ctp-sapphire);
|
|
}
|
|
|
|
.divider {
|
|
display: flex;
|
|
align-items: center;
|
|
margin: 1.5rem 0;
|
|
color: var(--ctp-overlay0);
|
|
font-size: 0.85rem;
|
|
}
|
|
|
|
.divider::before,
|
|
.divider::after {
|
|
content: "";
|
|
flex: 1;
|
|
border-top: 1px solid var(--ctp-surface1);
|
|
}
|
|
|
|
.divider span {
|
|
padding: 0 1rem;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div class="login-card">
|
|
<h1 class="login-title">Silo</h1>
|
|
<p class="login-subtitle">Product Lifecycle Management</p>
|
|
|
|
{{if .Error}}
|
|
<div class="error-msg">{{.Error}}</div>
|
|
{{end}}
|
|
|
|
<form
|
|
method="POST"
|
|
action="/login{{if .Next}}?next={{.Next}}{{end}}"
|
|
>
|
|
<input type="hidden" name="csrf_token" value="{{.CSRFToken}}" />
|
|
<div class="form-group">
|
|
<label class="form-label">Username</label>
|
|
<input
|
|
type="text"
|
|
name="username"
|
|
class="form-input"
|
|
placeholder="Username or LDAP uid"
|
|
autofocus
|
|
required
|
|
value="{{.Username}}"
|
|
/>
|
|
</div>
|
|
<div class="form-group">
|
|
<label class="form-label">Password</label>
|
|
<input
|
|
type="password"
|
|
name="password"
|
|
class="form-input"
|
|
placeholder="Password"
|
|
required
|
|
/>
|
|
</div>
|
|
<button type="submit" class="btn btn-primary">Sign In</button>
|
|
</form>
|
|
|
|
{{if .OIDCEnabled}}
|
|
<div class="divider"><span>or</span></div>
|
|
<a href="/auth/oidc" class="btn btn-oidc">Sign in with Keycloak</a>
|
|
{{end}}
|
|
</div>
|
|
</body>
|
|
</html>
|