alist/server/middlewares/auth.go

package middlewares

import (
	"crypto/subtle"

	"github.com/alist-org/alist/v3/internal/conf"
	"github.com/alist-org/alist/v3/internal/model"
	"github.com/alist-org/alist/v3/internal/op"
	"github.com/alist-org/alist/v3/internal/setting"
	"github.com/alist-org/alist/v3/server/common"
	"github.com/gin-gonic/gin"
	log "github.com/sirupsen/logrus"
)

// Auth is a middleware that checks if the user is logged in.
// if token is empty, set user to guest
func Auth(c *gin.Context) {
	token := c.GetHeader("Authorization")
	if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {
		admin, err := op.GetAdmin()
		if err != nil {
			common.ErrorResp(c, err, 500)
			c.Abort()
			return
		}
		c.Set("user", admin)
		log.Debugf("use admin token: %+v", admin)
		c.Next()
		return
	}
	if token == "" {
		guest, err := op.GetGuest()
		if err != nil {
			common.ErrorResp(c, err, 500)
			c.Abort()
			return
		}
		if guest.Disabled {
			common.ErrorStrResp(c, "Guest user is disabled, login please", 401)
			c.Abort()
			return
		}
		c.Set("user", guest)
		log.Debugf("use empty token: %+v", guest)
		c.Next()
		return
	}
	userClaims, err := common.ParseToken(token)
	if err != nil {
		common.ErrorResp(c, err, 401)
		c.Abort()
		return
	}
	user, err := op.GetUserByName(userClaims.Username)
	if err != nil {
		common.ErrorResp(c, err, 401)
		c.Abort()
		return
	}
	// validate password timestamp
	if userClaims.PwdTS != user.PwdTS {
		common.ErrorStrResp(c, "Password has been changed, login please", 401)
		c.Abort()
		return
	}
	if user.Disabled {
		common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
		c.Abort()
		return
	}
	c.Set("user", user)
	log.Debugf("use login token: %+v", user)
	c.Next()
}

func Authn(c *gin.Context) {
	token := c.GetHeader("Authorization")
	if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {
		admin, err := op.GetAdmin()
		if err != nil {
			common.ErrorResp(c, err, 500)
			c.Abort()
			return
		}
		c.Set("user", admin)
		log.Debugf("use admin token: %+v", admin)
		c.Next()
		return
	}
	if token == "" {
		guest, err := op.GetGuest()
		if err != nil {
			common.ErrorResp(c, err, 500)
			c.Abort()
			return
		}
		c.Set("user", guest)
		log.Debugf("use empty token: %+v", guest)
		c.Next()
		return
	}
	userClaims, err := common.ParseToken(token)
	if err != nil {
		common.ErrorResp(c, err, 401)
		c.Abort()
		return
	}
	user, err := op.GetUserByName(userClaims.Username)
	if err != nil {
		common.ErrorResp(c, err, 401)
		c.Abort()
		return
	}
	// validate password timestamp
	if userClaims.PwdTS != user.PwdTS {
		common.ErrorStrResp(c, "Password has been changed, login please", 401)
		c.Abort()
		return
	}
	if user.Disabled {
		common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
		c.Abort()
		return
	}
	c.Set("user", user)
	log.Debugf("use login token: %+v", user)
	c.Next()
}

func AuthNotGuest(c *gin.Context) {
	user := c.MustGet("user").(*model.User)
	if user.IsGuest() {
		common.ErrorStrResp(c, "You are a guest", 403)
		c.Abort()
	} else {
		c.Next()
	}
}

func AuthAdmin(c *gin.Context) {
	user := c.MustGet("user").(*model.User)
	if !user.IsAdmin() {
		common.ErrorStrResp(c, "You are not an admin", 403)
		c.Abort()
	} else {
		c.Next()
	}
}
feat: user jwt login 2022-06-25 21:34:44 +08:00			`package middlewares`

			`import (`
fix(security): compare auth token in constant time (#3740 close #3739) 2023-03-06 23:41:06 +08:00			`"crypto/subtle"`

feat: fs link api 2022-06-29 16:08:55 +08:00			`"github.com/alist-org/alist/v3/internal/conf"`
feat: meta manage api 2022-06-26 19:09:28 +08:00			`"github.com/alist-org/alist/v3/internal/model"`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 19:51:20 +08:00			`"github.com/alist-org/alist/v3/internal/op"`
feat: token and reset 2022-06-28 14:18:10 +08:00			`"github.com/alist-org/alist/v3/internal/setting"`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`"github.com/alist-org/alist/v3/server/common"`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`"github.com/gin-gonic/gin"`
chore: add current user log 2022-07-23 21:33:53 +08:00			`log "github.com/sirupsen/logrus"`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`)`

chore: set guest while token is empty 2022-06-26 16:39:02 +08:00			`// Auth is a middleware that checks if the user is logged in.`
			`// if token is empty, set user to guest`
			`func Auth(c *gin.Context) {`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`token := c.GetHeader("Authorization")`
fix(security): compare auth token in constant time (#3740 close #3739) 2023-03-06 23:41:06 +08:00			`if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 19:51:20 +08:00			`admin, err := op.GetAdmin()`
feat: token and reset 2022-06-28 14:18:10 +08:00			`if err != nil {`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`common.ErrorResp(c, err, 500)`
feat: token and reset 2022-06-28 14:18:10 +08:00			`c.Abort()`
			`return`
			`}`
			`c.Set("user", admin)`
chore: add current user log 2022-07-23 21:33:53 +08:00			`log.Debugf("use admin token: %+v", admin)`
feat: token and reset 2022-06-28 14:18:10 +08:00			`c.Next()`
			`return`
			`}`
chore: set guest while token is empty 2022-06-26 16:39:02 +08:00			`if token == "" {`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 19:51:20 +08:00			`guest, err := op.GetGuest()`
chore: ignore password for get current user 2022-06-26 16:55:37 +08:00			`if err != nil {`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`common.ErrorResp(c, err, 500)`
chore: ignore password for get current user 2022-06-26 16:55:37 +08:00			`c.Abort()`
			`return`
			`}`
feat!: allow disable user (close #3241) From this commit, the guest user will be disabled by default 2023-02-04 11:44:17 +08:00			`if guest.Disabled {`
			`common.ErrorStrResp(c, "Guest user is disabled, login please", 401)`
			`c.Abort()`
			`return`
			`}`
chore: set guest while token is empty 2022-06-26 16:39:02 +08:00			`c.Set("user", guest)`
chore: add current user log 2022-07-23 21:33:53 +08:00			`log.Debugf("use empty token: %+v", guest)`
chore: set guest while token is empty 2022-06-26 16:39:02 +08:00			`c.Next()`
			`return`
			`}`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`userClaims, err := common.ParseToken(token)`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`if err != nil {`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`common.ErrorResp(c, err, 401)`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`c.Abort()`
			`return`
			`}`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 19:51:20 +08:00			`user, err := op.GetUserByName(userClaims.Username)`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`if err != nil {`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`common.ErrorResp(c, err, 401)`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`c.Abort()`
			`return`
			`}`
feat: invalidate old token after changing the password (close #5515) 2023-11-13 15:22:42 +08:00			`// validate password timestamp`
			`if userClaims.PwdTS != user.PwdTS {`
			`common.ErrorStrResp(c, "Password has been changed, login please", 401)`
			`c.Abort()`
			`return`
			`}`
feat!: allow disable user (close #3241) From this commit, the guest user will be disabled by default 2023-02-04 11:44:17 +08:00			`if user.Disabled {`
			`common.ErrorStrResp(c, "Current user is disabled, replace please", 401)`
			`c.Abort()`
			`return`
			`}`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`c.Set("user", user)`
chore: add current user log 2022-07-23 21:33:53 +08:00			`log.Debugf("use login token: %+v", user)`
feat: user jwt login 2022-06-25 21:34:44 +08:00			`c.Next()`
			`}`
feat: meta manage api 2022-06-26 19:09:28 +08:00
feat: support webauthn login (#4945) * feat: support webauthn login * manually merge * fix: clear user cache after updating authn * decrease db size of Authn * change authn type to text * simplify code structure --------- Co-authored-by: Andy Hsu <i@nn.ci> 2023-08-14 22:54:38 +08:00			`func Authn(c *gin.Context) {`
			`token := c.GetHeader("Authorization")`
			`if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {`
			`admin, err := op.GetAdmin()`
			`if err != nil {`
			`common.ErrorResp(c, err, 500)`
			`c.Abort()`
			`return`
			`}`
			`c.Set("user", admin)`
			`log.Debugf("use admin token: %+v", admin)`
			`c.Next()`
			`return`
			`}`
			`if token == "" {`
			`guest, err := op.GetGuest()`
			`if err != nil {`
			`common.ErrorResp(c, err, 500)`
			`c.Abort()`
			`return`
			`}`
			`c.Set("user", guest)`
			`log.Debugf("use empty token: %+v", guest)`
			`c.Next()`
			`return`
			`}`
			`userClaims, err := common.ParseToken(token)`
			`if err != nil {`
			`common.ErrorResp(c, err, 401)`
			`c.Abort()`
			`return`
			`}`
			`user, err := op.GetUserByName(userClaims.Username)`
			`if err != nil {`
			`common.ErrorResp(c, err, 401)`
			`c.Abort()`
			`return`
			`}`
feat: invalidate old token after changing the password (close #5515) 2023-11-13 15:22:42 +08:00			`// validate password timestamp`
			`if userClaims.PwdTS != user.PwdTS {`
			`common.ErrorStrResp(c, "Password has been changed, login please", 401)`
			`c.Abort()`
			`return`
			`}`
feat: support webauthn login (#4945) * feat: support webauthn login * manually merge * fix: clear user cache after updating authn * decrease db size of Authn * change authn type to text * simplify code structure --------- Co-authored-by: Andy Hsu <i@nn.ci> 2023-08-14 22:54:38 +08:00			`if user.Disabled {`
			`common.ErrorStrResp(c, "Current user is disabled, replace please", 401)`
			`c.Abort()`
			`return`
			`}`
			`c.Set("user", user)`
			`log.Debugf("use login token: %+v", user)`
			`c.Next()`
			`}`

feat: support general users view and cancel own tasks (#7416 close #7398) * feat: support general users view and cancel own tasks Add a creator attribute to the upload, copy and offline download tasks, so that a GENERAL task creator can view and cancel them. BREAKING CHANGE: 1. A new internal package `task` including the struct `TaskWithCreator` which embeds `tache.Base` is created, and the past dependence on `tache.Task` will all be transferred to dependence on this package. 2. The API `/admin/task` can now also be accessed via `/task`, and the old endpoint is retained to ensure compatibility with legacy automation scripts. Closes #7398 * fix(deps): update github.com/xhofe/tache to v0.1.3 2024-11-01 23:32:26 +08:00			`func AuthNotGuest(c *gin.Context) {`
			`user := c.MustGet("user").(*model.User)`
			`if user.IsGuest() {`
			`common.ErrorStrResp(c, "You are a guest", 403)`
			`c.Abort()`
			`} else {`
			`c.Next()`
			`}`
			`}`

feat: meta manage api 2022-06-26 19:09:28 +08:00			`func AuthAdmin(c *gin.Context) {`
			`user := c.MustGet("user").(*model.User)`
			`if !user.IsAdmin() {`
chore: common err resp log 2022-06-28 18:12:53 +08:00			`common.ErrorStrResp(c, "You are not an admin", 403)`
feat: meta manage api 2022-06-26 19:09:28 +08:00			`c.Abort()`
			`} else {`
			`c.Next()`
			`}`
			`}`