swissmakers_gmbh/fail2ban-ui
12
1
Fork 0
mirror of https://github.com/swissmakers/fail2ban-ui.git synced 2026-04-11 13:47:05 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add optional OIDC authentication with Keycloak, Authentik, and Pocket-ID support

Browse Source
This commit is contained in:
Michael Reber
2026-01-19 22:09:54 +01:00
parent 62ab6dede3
commit d64eb3db95
25 changed files with 2028 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
pkg/web/auth.go Normal file
View File

@@ -0,0 +1,99 @@
// Fail2ban UI - A Swiss made, management interface for Fail2ban.
//
// Copyright (C) 2025 Swissmakers GmbH (https://swissmakers.ch)
//
// Licensed under the GNU General Public License, Version 3 (GPL-3.0)
// You may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.gnu.org/licenses/gpl-3.0.en.html
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package web
import (
"net/http"
"strings"
"github.com/gin-gonic/gin"
"github.com/swissmakers/fail2ban-ui/internal/auth"
)
// AuthMiddleware protects routes requiring authentication
// If OIDC is enabled, validates session and redirects to login if not authenticated
// If OIDC is disabled, allows all requests
func AuthMiddleware() gin.HandlerFunc {
return func(c *gin.Context) {
// Check if OIDC is enabled
if !auth.IsEnabled() {
// OIDC not enabled, allow request
c.Next()
return
}
// Check if this is a public route
path := c.Request.URL.Path
if isPublicRoute(path) {
c.Next()
return
}
// Validate session
session, err := auth.GetSession(c.Request)
if err != nil {
// No valid session, redirect to login
if isAPIRequest(c) {
c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"})
c.Abort()
return
}
// For HTML requests, redirect to login
c.Redirect(http.StatusFound, "/auth/login")
c.Abort()
return
}
// Store session in context for handlers to access
c.Set("session", session)
c.Set("userID", session.UserID)
c.Set("userEmail", session.Email)
c.Set("userName", session.Name)
c.Set("username", session.Username)
c.Next()
}
}
// isPublicRoute checks if the path is a public route that doesn't require authentication
func isPublicRoute(path string) bool {
publicRoutes := []string{
"/auth/login",
"/auth/callback",
"/auth/logout",
"/auth/status",
"/api/ban",
"/api/unban",
"/api/ws",
"/static/",
"/locales/",
}
for _, route := range publicRoutes {
if strings.HasPrefix(path, route) {
return true
}
}
return false
}
// isAPIRequest checks if the request is an API request (JSON expected)
func isAPIRequest(c *gin.Context) bool {
accept := c.GetHeader("Accept")
return strings.Contains(accept, "application/json") || strings.HasPrefix(c.Request.URL.Path, "/api/")
}