vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-19 07:54:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
Pulse/internal/api/auth.go
Pulse Monitor 35b51c3a77 feat: enhance security and improve API token UX 
Security Improvements:
- Add comprehensive CSRF protection for state-changing operations
- Implement rate limiting (500 req/min general, 10/min for auth)
- Add account lockout after 5 failed login attempts
- Secure session management with HttpOnly cookies
- Add security headers (CSP, X-Frame-Options, etc.)
- Implement audit logging for security events
- Session invalidation on password change

API Token UX Improvements:
- Always show API token to authenticated users (no longer hide after generation)
- Add ability to view existing token anytime from Settings
- Fix clipboard copy with HTTP fallback

Authentication Flow Fixes:
- Fix WebSocket initialization to occur after auth check
- Fix CSRF validation to handle server restarts gracefully
- Adjust rate limiting to exclude high-frequency endpoints
- Fix authentication check to use session cookies properly

Documentation Updates:
- Document all security features comprehensively
- Update API documentation with CSRF usage examples
- Add security feature details to README
2025-08-13 19:05:23 +00:00

236 lines
No EOL
7 KiB
Go
Raw Blame History

package api
import (
cryptorand "crypto/rand"
"encoding/base64"
"encoding/hex"
"net/http"
"strings"
"sync"
"time"
internalauth "github.com/rcourtman/pulse-go-rewrite/internal/auth"
"github.com/rcourtman/pulse-go-rewrite/internal/config"
"github.com/rs/zerolog/log"
)
// Simple session store - in production you'd use Redis or similar
var (
sessions = make(map[string]time.Time)
sessionMu sync.RWMutex
)
// generateSessionToken creates a cryptographically secure session token
func generateSessionToken() string {
b := make([]byte, 32)
if _, err := cryptorand.Read(b); err != nil {
log.Error().Err(err).Msg("Failed to generate secure session token")
// Fallback - should never happen
return ""
}
return hex.EncodeToString(b)
}
// ValidateSession checks if a session token is valid
func ValidateSession(token string) bool {
sessionMu.RLock()
defer sessionMu.RUnlock()
expiry, exists := sessions[token]
if !exists {
return false
}
// Check if expired
if time.Now().After(expiry) {
// Clean up expired session
sessionMu.RUnlock()
sessionMu.Lock()
delete(sessions, token)
sessionMu.Unlock()
sessionMu.RLock()
return false
}
return true
}
// CheckAuth checks both basic auth and API token
func CheckAuth(cfg *config.Config, w http.ResponseWriter, r *http.Request) bool {
// If no auth is configured at all, allow access
if cfg.AuthUser == "" && cfg.AuthPass == "" && cfg.APIToken == "" {
log.Debug().Msg("No auth configured, allowing access")
return true
}
log.Debug().
Str("configured_user", cfg.AuthUser).
Bool("has_pass", cfg.AuthPass != "").
Bool("has_token", cfg.APIToken != "").
Str("url", r.URL.Path).
Msg("Checking authentication")
// Check API token first (for backward compatibility)
if cfg.APIToken != "" {
// Check header
if token := r.Header.Get("X-API-Token"); token == cfg.APIToken {
return true
}
// Check query parameter (for export/import)
if token := r.URL.Query().Get("token"); token == cfg.APIToken {
return true
}
}
// Check session cookie (for WebSocket and UI)
if cookie, err := r.Cookie("pulse_session"); err == nil && cookie.Value != "" {
if ValidateSession(cookie.Value) {
return true
}
}
// Check basic auth
if cfg.AuthUser != "" && cfg.AuthPass != "" {
auth := r.Header.Get("Authorization")
log.Debug().Str("auth_header", auth).Str("url", r.URL.Path).Msg("Checking auth")
if auth != "" {
const prefix = "Basic "
if strings.HasPrefix(auth, prefix) {
decoded, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
if err == nil {
parts := strings.SplitN(string(decoded), ":", 2)
if len(parts) == 2 {
// Check rate limiting for auth attempts
clientIP := GetClientIP(r)
if !authLimiter.Allow(clientIP) {
log.Warn().Str("ip", clientIP).Msg("Rate limit exceeded for auth")
LogAuditEvent("login", parts[0], clientIP, r.URL.Path, false, "Rate limited")
if w != nil {
http.Error(w, "Too many authentication attempts", http.StatusTooManyRequests)
}
return false
}
// Check if account is locked out
if IsLockedOut(parts[0]) || IsLockedOut(clientIP) {
log.Warn().Str("user", parts[0]).Str("ip", clientIP).Msg("Account locked out")
LogAuditEvent("login", parts[0], clientIP, r.URL.Path, false, "Account locked")
if w != nil {
http.Error(w, "Account temporarily locked due to failed attempts", http.StatusForbidden)
}
return false
}
// Check username
userMatch := parts[0] == cfg.AuthUser
// Check password - support both hashed and plain text for migration
var passMatch bool
if strings.HasPrefix(cfg.AuthPass, "$2") && len(cfg.AuthPass) == 60 {
// Config has hashed password, check against hash
passMatch = internalauth.CheckPasswordHash(parts[1], cfg.AuthPass)
} else {
// Config has plain text password (legacy), do direct comparison
passMatch = parts[1] == cfg.AuthPass
if passMatch {
log.Warn().Msg("Using plain text password comparison - please update to hashed password")
}
}
log.Debug().
Str("provided_user", parts[0]).
Str("expected_user", cfg.AuthUser).
Bool("user_match", userMatch).
Bool("pass_match", passMatch).
Bool("password_is_hashed", strings.HasPrefix(cfg.AuthPass, "$2") && len(cfg.AuthPass) == 60).
Msg("Auth check")
if userMatch && passMatch {
// Clear failed login attempts
ClearFailedLogins(parts[0])
ClearFailedLogins(GetClientIP(r))
// Valid credentials - create session
if w != nil {
token := generateSessionToken()
if token == "" {
return false
}
// Store session
sessionMu.Lock()
sessions[token] = time.Now().Add(24 * time.Hour)
sessionMu.Unlock()
// Track session for user
TrackUserSession(parts[0], token)
// Generate CSRF token
csrfToken := generateCSRFToken(token)
// Set session cookie
http.SetCookie(w, &http.Cookie{
Name: "pulse_session",
Value: token,
Path: "/",
HttpOnly: true,
Secure: r.TLS != nil,
SameSite: http.SameSiteLaxMode,
MaxAge: 86400, // 24 hours
})
// Set CSRF cookie (not HttpOnly so JS can read it)
http.SetCookie(w, &http.Cookie{
Name: "pulse_csrf",
Value: csrfToken,
Path: "/",
Secure: r.TLS != nil,
SameSite: http.SameSiteStrictMode,
MaxAge: 86400, // 24 hours
})
// Audit log successful login
LogAuditEvent("login", parts[0], GetClientIP(r), r.URL.Path, true, "Basic auth login")
}
return true
} else {
// Failed login
RecordFailedLogin(parts[0])
RecordFailedLogin(GetClientIP(r))
LogAuditEvent("login", parts[0], GetClientIP(r), r.URL.Path, false, "Invalid credentials")
}
}
}
}
}
}
return false
}
// RequireAuth middleware checks for authentication
func RequireAuth(cfg *config.Config, handler http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
if CheckAuth(cfg, w, r) {
handler(w, r)
return
}
// Log the failed attempt
log.Warn().
Str("ip", r.RemoteAddr).
Str("path", r.URL.Path).
Str("method", r.Method).
Msg("Unauthorized access attempt")
// Only send WWW-Authenticate header for non-API/non-AJAX requests
// This prevents the browser popup for API calls from the frontend
isAPIRequest := strings.HasPrefix(r.URL.Path, "/api/") ||
r.Header.Get("X-Requested-With") == "XMLHttpRequest" ||
strings.Contains(r.Header.Get("Accept"), "application/json")
if cfg.AuthUser != "" && cfg.AuthPass != "" && !isAPIRequest {
w.Header().Set("WWW-Authenticate", `Basic realm="Pulse"`)
}
http.Error(w, "Unauthorized", http.StatusUnauthorized)
}
}
Reference in a new issue View git blame Copy permalink