initial token-based-api login handler

2018-10-21 13:37:27 +01:00
parent 5c277d7944
commit fb4e5c0793
2 changed files with 31 additions and 7 deletions
--- a/lib/App/Netdisco/Web/AuthN.pm
+++ b/lib/App/Netdisco/Web/AuthN.pm
@@ -4,6 +4,8 @@ use Dancer ':syntax';
 use Dancer::Plugin::DBIC;
 use Dancer::Plugin::Auth::Extensible;

+use MIME::Base64;
+
 hook 'before' => sub {
    params->{return_url} ||= ((request->path ne uri_for('/')->path)
      ? request->uri : uri_for('/inventory')->path);
@@ -51,10 +53,19 @@ get qr{^/(?:login(?:/denied)?)?} => sub {

 # override default login_handler so we can log access in the database
 post '/login' => sub {
-    my $mode = (request->is_ajax ? 'API' : 'Web');
-    my ($success, $realm) = authenticate_user(
-        param('username'), param('password')
-    );
+    my $mode = (request->is_ajax ? 'WebData'
+                                 : request->header('Authorization') ? 'API'
+                                                                    : 'WebUI');
+
+    # get authN data from request (HTTP BasicAuth or URL params)
+    my $authheader = request->header('Authorization');
+    my ($u, $p) = (param('username'), param('password'));
+    if (defined $authheader and $authheader =~ /^Basic (.*)$/) {
+        ($u, $p) = split(m/:/, (MIME::Base64::decode($1) || ":"));
+    }
+
+    # test authN
+    my ($success, $realm) = authenticate_user( $u, $p );

    if ($success) {
        my $user = schema('netdisco')->resultset('User')
@@ -70,10 +81,22 @@ post '/login' => sub {
          event => "Login ($mode)",
          details => param('return_url'),
        });
-
        $user->update({ last_on => \'now()' });

-        return if request->is_ajax;
+        return if $mode eq 'WebData';
+
+        # if API return a token and record its lifetime
+        if ($mode eq 'API') {
+            if (! $user->token_from or ! $user->token or
+                $user->token_from < (time - setting('api_token_lifetime'))) {
+              $user->update({
+                token_from => time,
+                token => \'md5(random()::text)',
+              });
+            }
+            return 'token:'. $user->token;
+        }
+
        redirect param('return_url');
    }
    else {
@@ -86,7 +109,7 @@ post '/login' => sub {
          details => param('return_url'),
        });

-        if (request->is_ajax) {
+        if ($mode ne 'WebUI') {
            status('unauthorized');
        }
        else {
--- a/share/config.yml
+++ b/share/config.yml
@@ -26,6 +26,7 @@ suggest_guest: false
 navbar_autocomplete: true
 trust_remote_user: false
 trust_x_remote_user: false
+api_token_lifetime: 3600
 #ldap:
 #  servers: []
 #  user_string: 'MYDOMAIN\%USER%'