fix: harden dashboard RBAC and cookie auth flows
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 2m17s
Restrict Docker/Files writes to admins, move terminal websocket auth to cookie-first with temporary query fallback, and migrate refresh-token handling to httpOnly cookies for safer session persistence. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
+47
-21
@@ -6,7 +6,7 @@ import tempfile
|
||||
import jwt
|
||||
from passlib.context import CryptContext
|
||||
import pyotp
|
||||
from fastapi import Depends, HTTPException, status
|
||||
from fastapi import Depends, HTTPException, Response, status
|
||||
from fastapi.security import OAuth2PasswordBearer
|
||||
import config
|
||||
|
||||
@@ -14,6 +14,12 @@ import config
|
||||
pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
|
||||
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/auth/login")
|
||||
|
||||
ACCESS_COOKIE_NAME = "nas_access_token"
|
||||
REFRESH_COOKIE_NAME = "nas_refresh_token"
|
||||
COOKIE_SECURE = True
|
||||
COOKIE_SAMESITE = "lax"
|
||||
COOKIE_PATH = "/"
|
||||
|
||||
def verify_password(plain_password, hashed_password):
|
||||
return pwd_context.verify(plain_password, hashed_password)
|
||||
|
||||
@@ -26,18 +32,49 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
|
||||
to_encode.update({"exp": expire, "type": "access"})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
|
||||
def create_refresh_token(data: dict):
|
||||
to_encode = data.copy()
|
||||
expire = datetime.now(timezone.utc) + timedelta(minutes=config.REFRESH_TOKEN_EXPIRE_MINUTES)
|
||||
to_encode.update({"exp": expire, "type": "refresh", "tv": _load_token_version()})
|
||||
return jwt.encode(to_encode, config.SECRET_KEY, algorithm=config.ALGORITHM)
|
||||
|
||||
async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||
|
||||
def _cookie_max_age(minutes: int) -> int:
|
||||
return max(60, int(minutes * 60))
|
||||
|
||||
|
||||
def set_auth_cookies(response: Response, access_token: str, refresh_token: str):
|
||||
response.set_cookie(
|
||||
key=ACCESS_COOKIE_NAME,
|
||||
value=access_token,
|
||||
httponly=True,
|
||||
secure=COOKIE_SECURE,
|
||||
samesite=COOKIE_SAMESITE,
|
||||
path=COOKIE_PATH,
|
||||
max_age=_cookie_max_age(config.ACCESS_TOKEN_EXPIRE_MINUTES),
|
||||
)
|
||||
response.set_cookie(
|
||||
key=REFRESH_COOKIE_NAME,
|
||||
value=refresh_token,
|
||||
httponly=True,
|
||||
secure=COOKIE_SECURE,
|
||||
samesite=COOKIE_SAMESITE,
|
||||
path=COOKIE_PATH,
|
||||
max_age=_cookie_max_age(config.REFRESH_TOKEN_EXPIRE_MINUTES),
|
||||
)
|
||||
|
||||
|
||||
def clear_auth_cookies(response: Response):
|
||||
response.delete_cookie(ACCESS_COOKIE_NAME, path=COOKIE_PATH)
|
||||
response.delete_cookie(REFRESH_COOKIE_NAME, path=COOKIE_PATH)
|
||||
|
||||
def user_from_access_token(token: str, include_auth_header: bool = True):
|
||||
from rbac import User, get_pages, get_sidebar_links
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Could not validate credentials",
|
||||
headers={"WWW-Authenticate": "Bearer"},
|
||||
headers={"WWW-Authenticate": "Bearer"} if include_auth_header else None,
|
||||
)
|
||||
try:
|
||||
payload = jwt.decode(token, config.SECRET_KEY, algorithms=[config.ALGORITHM])
|
||||
@@ -49,29 +86,18 @@ async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||
raise credentials_exception
|
||||
except jwt.PyJWTError:
|
||||
raise credentials_exception
|
||||
|
||||
pages = get_pages(username, role)
|
||||
sidebar_links = get_sidebar_links(username, role)
|
||||
return User(username=username, role=role, pages=pages, sidebar_links=sidebar_links)
|
||||
|
||||
|
||||
async def get_current_user(token: str = Depends(oauth2_scheme)):
|
||||
return user_from_access_token(token)
|
||||
|
||||
|
||||
async def get_current_user_ws(token: str):
|
||||
from rbac import User, get_pages, get_sidebar_links
|
||||
credentials_exception = HTTPException(
|
||||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||||
detail="Could not validate credentials",
|
||||
)
|
||||
try:
|
||||
payload = jwt.decode(token, config.SECRET_KEY, algorithms=[config.ALGORITHM])
|
||||
if payload.get("type") != "access":
|
||||
raise credentials_exception
|
||||
username: str = payload.get("sub")
|
||||
role: str = payload.get("role", "admin")
|
||||
if username is None:
|
||||
raise credentials_exception
|
||||
except jwt.PyJWTError:
|
||||
raise credentials_exception
|
||||
pages = get_pages(username, role)
|
||||
sidebar_links = get_sidebar_links(username, role)
|
||||
return User(username=username, role=role, pages=pages, sidebar_links=sidebar_links)
|
||||
return user_from_access_token(token, include_auth_header=False)
|
||||
|
||||
# TOTP Persistence
|
||||
AUTH_FILE = config.VOLUME_ROOT + "/docker/nas-dashboard/auth.json"
|
||||
|
||||
Reference in New Issue
Block a user