From 8742015f4581fdcc719567b86c14cf21d337f6d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Albin=20M=C3=A9doc?= <stamline203@gmail.com>
Date: Wed, 4 Dec 2024 03:10:58 +0100
Subject: [PATCH] Header authentication (#180)

* Use BaseSetting for default group

* Add header authentication

* Add instructions for proxy auth

* Global flag to enable header authentication

* First user goes to setup-wizard regardless of proxy auth

* Update readme regarding proxy authentication

* Add function for creating a user

* Fix issue with bolean value of HEADER_AUTH_ENABLED

* Disable password change for proxy users

* format code

* fix lint errors

* Default value for proxy headers

* Ensure HEADER_USERNAME is set when using proxy auth

* Add error logging for header authentication
---
 README.md                                     | 16 +++++
 .../admin/SettingsForm/DefaultGroup.svelte    |  1 -
 src/lib/server/user.ts                        | 71 +++++++++++++++++++
 src/routes/account/+page.server.ts            | 11 ++-
 src/routes/account/+page.svelte               |  6 +-
 src/routes/login/+page.server.ts              | 68 ++++++++++++++++--
 src/routes/signup/+page.server.ts             | 69 +++---------------
 7 files changed, 174 insertions(+), 68 deletions(-)
 create mode 100644 src/lib/server/user.ts

diff --git a/README.md b/README.md
index 1040394..7a45d01 100644
--- a/README.md
+++ b/README.md
@@ -127,3 +127,19 @@ In this mode, the suggested item is automatically approved and added to the wish
 ### SMTP
 
 SMTP does not need to be configured for the app to function. SMTP enables inviting users via email and the forgot password flow. Without SMTP, you can still manually generate invite links and forgot password links.
+
+### Proxy authentication
+
+> [!WARNING]  
+> When header authentication is enabled, Wishlist makes no assumptions about the validity of the headers. It is up to you to have your proxy properly configured. An improperly configured proxy **could allow anyone** to gain access to the application by forging the headers.
+
+If you have a reverse proxy you want to use to login your users, you do it via our proxy authentication method. To configure this method, your proxy must send HTTP headers containing the name, username and email for the logged in user.
+You configure this using environment variables.
+
+`HEADER_AUTH`: Enable proxy authentication
+
+`HEADER_USERNAME`: The name of the headers that contains the username of the user
+
+`HEADER_NAME`: The name of the headers that contains the full name of the user
+
+`HEADER_EMAIL`: The name of the headers that contains the email of the user
diff --git a/src/lib/components/admin/SettingsForm/DefaultGroup.svelte b/src/lib/components/admin/SettingsForm/DefaultGroup.svelte
index fe8f729..8266eb0 100644
--- a/src/lib/components/admin/SettingsForm/DefaultGroup.svelte
+++ b/src/lib/components/admin/SettingsForm/DefaultGroup.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
     import BaseSetting from "./BaseSetting.svelte";
-
     type Group = {
         id: string;
         name: string;
diff --git a/src/lib/server/user.ts b/src/lib/server/user.ts
new file mode 100644
index 0000000..c8db7ee
--- /dev/null
+++ b/src/lib/server/user.ts
@@ -0,0 +1,71 @@
+import { client } from "$lib/server/prisma";
+import { Role } from "$lib/schema";
+import { getConfig } from "$lib/server/config";
+import { LegacyScrypt } from "lucia";
+import type { User } from "@prisma/client";
+
+type UserMinimal = Pick<User, "username" | "email" | "name">;
+
+export const createUser = async (user: UserMinimal, role: Role, password: string, signupTokenId?: string) => {
+    const config = await getConfig();
+    const userCount = await client.user.count();
+
+    let groupId = config.defaultGroup;
+    if (signupTokenId) {
+        groupId = await client.signupToken
+            .findUnique({
+                where: {
+                    id: signupTokenId
+                },
+                select: {
+                    groupId: true
+                }
+            })
+            .then((data) => data?.groupId);
+    } else if (userCount === 0) {
+        groupId = (
+            await client.group.findFirst({
+                select: {
+                    id: true
+                }
+            })
+        )?.id;
+    }
+    const hashedPassword = await new LegacyScrypt().hash(password);
+
+    const newUser = await client.user.create({
+        select: {
+            id: true
+        },
+        data: {
+            username: user.username,
+            name: user.name,
+            email: user.email,
+            roleId: role,
+            hashedPassword
+        }
+    });
+
+    if (groupId) {
+        await client.userGroupMembership.create({
+            data: {
+                groupId: groupId,
+                userId: newUser.id,
+                active: true
+            }
+        });
+    }
+
+    if (signupTokenId) {
+        await client.signupToken.update({
+            where: {
+                id: signupTokenId
+            },
+            data: {
+                redeemed: true
+            }
+        });
+    }
+
+    return newUser;
+};
diff --git a/src/routes/account/+page.server.ts b/src/routes/account/+page.server.ts
index 07e3bd0..ff22700 100644
--- a/src/routes/account/+page.server.ts
+++ b/src/routes/account/+page.server.ts
@@ -1,3 +1,4 @@
+import { env } from "$env/dynamic/private";
 import { auth } from "$lib/server/auth";
 import { client } from "$lib/server/prisma";
 import { getResetPasswordSchema } from "$lib/validations";
@@ -8,14 +9,20 @@ import type { PrismaClientKnownRequestError } from "@prisma/client/runtime/libra
 import { createImage, tryDeleteImage } from "$lib/server/image-util";
 import { LegacyScrypt } from "lucia";
 
-export const load: PageServerLoad = async ({ locals }) => {
+export const load: PageServerLoad = async ({ locals, request }) => {
     const user = locals.user;
     if (!user) {
         redirect(302, `/login?ref=/account`);
     }
 
+    const isProxyUser =
+        (env.HEADER_AUTH_ENABLED ?? "false") == "true" &&
+        !!env.HEADER_USERNAME &&
+        !!request.headers.get(env.HEADER_USERNAME);
+
     return {
-        user
+        user,
+        isProxyUser
     };
 };
 
diff --git a/src/routes/account/+page.svelte b/src/routes/account/+page.svelte
index 29f8570..61dba34 100644
--- a/src/routes/account/+page.svelte
+++ b/src/routes/account/+page.svelte
@@ -20,7 +20,9 @@
 
 <TabGroup>
     <Tab name="Profile" value={0} bind:group={tabSet}>Profile</Tab>
-    <Tab name="Security" value={1} bind:group={tabSet}>Security</Tab>
+    {#if !data.isProxyUser}
+        <Tab name="Security" value={1} bind:group={tabSet}>Security</Tab>
+    {/if}
     {#snippet panel()}
         {#if tabSet === 0}
             <div class="flex w-fit flex-col items-center">
@@ -49,7 +51,7 @@
 
                 <EditProfile user={data.user} />
             </div>
-        {:else if tabSet === 1}
+        {:else if tabSet === 1 && !data.isProxyUser}
             <ChangePassword />
         {/if}
     {/snippet}
diff --git a/src/routes/login/+page.server.ts b/src/routes/login/+page.server.ts
index b47ad95..bb8c493 100644
--- a/src/routes/login/+page.server.ts
+++ b/src/routes/login/+page.server.ts
@@ -1,14 +1,18 @@
 import { fail, redirect } from "@sveltejs/kit";
+import { env } from "$env/dynamic/private";
 import { auth } from "$lib/server/auth";
-import type { PageServerLoad, Actions } from "./$types";
 import { loginSchema } from "$lib/validations";
 import { getConfig } from "$lib/server/config";
+import { Role } from "$lib/schema";
 import { client } from "$lib/server/prisma";
 import { LegacyScrypt } from "lucia";
+import type { PageServerLoad, Actions } from "./$types";
+import { createUser } from "$lib/server/user";
 
-export const load: PageServerLoad = async ({ locals, request }) => {
+export const load: PageServerLoad = async ({ locals, request, cookies }) => {
+    const config = await getConfig();
+    const ref = new URL(request.url).searchParams.get("ref");
     if (locals.user) {
-        const ref = new URL(request.url).searchParams.get("ref");
         redirect(302, ref || "/");
     }
 
@@ -17,7 +21,63 @@ export const load: PageServerLoad = async ({ locals, request }) => {
         redirect(302, "/setup-wizard");
     }
 
-    const config = await getConfig();
+    /* Header authentication */
+    if ((env.HEADER_AUTH_ENABLED ?? "false") == "true" && !!env.HEADER_USERNAME) {
+        const username = request.headers.get(env.HEADER_USERNAME);
+        if (username) {
+            let user = await client.user.findUnique({
+                select: {
+                    id: true
+                },
+                where: {
+                    username: username
+                }
+            });
+
+            if (!user) {
+                if (!env.HEADER_EMAIL || !env.HEADER_NAME) {
+                    console.error("Missing required environment variables for header authentication");
+                    return fail(400, { username: username, password: "", incorrect: true });
+                }
+                const name = request.headers.get(env.HEADER_NAME);
+                const email = request.headers.get(env.HEADER_EMAIL);
+                if (!name || !email) {
+                    console.error("Missing required headers for header authentication");
+                    return fail(400, { username: username, password: "", incorrect: true });
+                }
+                const userCount = await client.user.count();
+                user = await createUser(
+                    {
+                        username: username,
+                        email: email,
+                        name: name
+                    },
+                    userCount > 0 ? Role.USER : Role.ADMIN,
+                    ""
+                );
+
+                if (config.defaultGroup) {
+                    await client.userGroupMembership.create({
+                        data: {
+                            groupId: config.defaultGroup,
+                            userId: user.id,
+                            active: true
+                        }
+                    });
+                }
+            }
+
+            const session = await auth.createSession(user.id, {});
+            const sessionCookie = auth.createSessionCookie(session.id);
+            cookies.set(sessionCookie.name, sessionCookie.value, {
+                path: "/",
+                ...sessionCookie.attributes
+            });
+            redirect(302, ref || "/");
+        }
+    }
+    /* End header authentication */
+
     return { enableSignup: config.enableSignup };
 };
 
diff --git a/src/routes/signup/+page.server.ts b/src/routes/signup/+page.server.ts
index 8efda30..c91b197 100644
--- a/src/routes/signup/+page.server.ts
+++ b/src/routes/signup/+page.server.ts
@@ -5,9 +5,9 @@ import { error, fail, redirect } from "@sveltejs/kit";
 import type { Actions, PageServerLoad } from "./$types";
 import { hashToken } from "$lib/server/token";
 import { getConfig } from "$lib/server/config";
-import { Role } from "$lib/schema";
 import { env } from "$env/dynamic/private";
-import { LegacyScrypt } from "lucia";
+import { createUser } from "$lib/server/user";
+import { Role } from "$lib/schema";
 
 export const load: PageServerLoad = async ({ locals, request }) => {
     if (locals.user) redirect(302, "/");
@@ -43,7 +43,6 @@ export const load: PageServerLoad = async ({ locals, request }) => {
 
 export const actions: Actions = {
     default: async ({ request, cookies }) => {
-        const config = await getConfig();
         const formData = Object.fromEntries(await request.formData());
         const signupSchema = await getSignupSchema();
         const signupData = signupSchema.safeParse(formData);
@@ -60,44 +59,17 @@ export const actions: Actions = {
         }
 
         const userCount = await client.user.count();
-        let groupId: string | undefined;
-        if (signupData.data.tokenId) {
-            groupId = await client.signupToken
-                .findUnique({
-                    where: {
-                        id: signupData.data.tokenId
-                    },
-                    select: {
-                        groupId: true
-                    }
-                })
-                .then((data) => data?.groupId);
-        } else if (userCount === 0) {
-            groupId = (
-                await client.group.findFirst({
-                    select: {
-                        id: true
-                    }
-                })
-            )?.id;
-        } else if (config.defaultGroup) {
-            groupId = config.defaultGroup;
-        }
-
         try {
-            const hashedPassword = await new LegacyScrypt().hash(signupData.data.password);
-            const user = await client.user.create({
-                select: {
-                    id: true
-                },
-                data: {
+            const user = await createUser(
+                {
                     username: signupData.data.username,
                     email: signupData.data.email,
-                    hashedPassword,
-                    name: signupData.data.name,
-                    roleId: userCount > 0 ? Role.USER : Role.ADMIN
-                }
-            });
+                    name: signupData.data.name
+                },
+                userCount > 0 ? Role.USER : Role.ADMIN,
+                signupData.data.password,
+                signupData.data.tokenId
+            );
 
             const session = await auth.createSession(user.id, {});
             const sessionCookie = auth.createSessionCookie(session.id);
@@ -105,27 +77,6 @@ export const actions: Actions = {
                 path: "/",
                 ...sessionCookie.attributes
             });
-
-            if (groupId) {
-                await client.userGroupMembership.create({
-                    data: {
-                        groupId: groupId,
-                        userId: user.id,
-                        active: true
-                    }
-                });
-            }
-
-            if (signupData.data.tokenId) {
-                await client.signupToken.update({
-                    where: {
-                        id: signupData.data.tokenId
-                    },
-                    data: {
-                        redeemed: true
-                    }
-                });
-            }
             return { success: true };
         } catch {
             return fail(400, {