Add optional OIDC authentication with Keycloak, Authentik, and Pocket-ID support

2026-04-19 15:03:14 +02:00 · 2026-01-19 22:09:54 +01:00
parent 62ab6dede3
commit d64eb3db95
25 changed files with 2028 additions and 37 deletions
--- a/pkg/web/static/js/api.js
+++ b/pkg/web/static/js/api.js
@@ -17,3 +17,27 @@ function serverHeaders(headers) {
  return headers;
 }

+// Auth-aware fetch wrapper that handles 401/403 responses
+function authFetch(url, options) {
+  options = options || {};
+  // Ensure Accept header for API requests
+  if (!options.headers) {
+    options.headers = {};
+  }
+  if (!options.headers['Accept']) {
+    options.headers['Accept'] = 'application/json';
+  }
+  
+  return fetch(url, options).then(function(response) {
+    // Handle authentication errors
+    if (response.status === 401 || response.status === 403) {
+      if (typeof handleAuthError === 'function') {
+        handleAuthError(response);
+      }
+      // Return a rejected promise to stop the chain
+      return Promise.reject(new Error('Authentication required'));
+    }
+    return response;
+  });
+}
+
--- a/pkg/web/static/js/auth.js
+++ b/pkg/web/static/js/auth.js
@@ -0,0 +1,247 @@
+// Authentication functions for Fail2ban UI
+"use strict";
+
+let authEnabled = false;
+let isAuthenticated = false;
+let currentUser = null;
+
+// Check authentication status on page load
+async function checkAuthStatus() {
+  // Immediately hide main content to prevent flash
+  const mainContent = document.getElementById('mainContent');
+  const nav = document.querySelector('nav');
+  if (mainContent) {
+    mainContent.style.display = 'none';
+  }
+  if (nav) {
+    nav.style.display = 'none';
+  }
+  
+  try {
+    const response = await fetch('/auth/status', {
+      headers: serverHeaders()
+    });
+    
+    if (!response.ok) {
+      throw new Error('Failed to check auth status');
+    }
+    
+    const data = await response.json();
+    authEnabled = data.enabled || false;
+    isAuthenticated = data.authenticated || false;
+    
+    if (authEnabled) {
+      if (isAuthenticated && data.user) {
+        currentUser = data.user;
+        showAuthenticatedUI();
+      } else {
+        showLoginPage();
+      }
+    } else {
+      // OIDC not enabled, show main content
+      showMainContent();
+    }
+    
+    return { enabled: authEnabled, authenticated: isAuthenticated, user: currentUser };
+  } catch (error) {
+    console.error('Error checking auth status:', error);
+    // If auth check fails and we're on a protected route, show login
+    if (authEnabled) {
+      showLoginPage();
+    } else {
+      showMainContent();
+    }
+    return { enabled: false, authenticated: false, user: null };
+  }
+}
+
+// Get current user info
+async function getUserInfo() {
+  try {
+    const response = await fetch('/auth/user', {
+      headers: serverHeaders()
+    });
+    
+    if (!response.ok) {
+      if (response.status === 401) {
+        isAuthenticated = false;
+        currentUser = null;
+        showLoginPage();
+        return null;
+      }
+      throw new Error('Failed to get user info');
+    }
+    
+    const data = await response.json();
+    if (data.authenticated && data.user) {
+      currentUser = data.user;
+      isAuthenticated = true;
+      return data.user;
+    }
+    
+    return null;
+  } catch (error) {
+    console.error('Error getting user info:', error);
+    return null;
+  }
+}
+
+// Handle login - redirect to login endpoint with action parameter
+function handleLogin() {
+  const loginLoading = document.getElementById('loginLoading');
+  const loginError = document.getElementById('loginError');
+  const loginErrorText = document.getElementById('loginErrorText');
+  const loginButton = event?.target?.closest('button');
+  
+  // Show loading state
+  if (loginLoading) loginLoading.classList.remove('hidden');
+  if (loginButton) {
+    loginButton.disabled = true;
+    loginButton.classList.add('opacity-75', 'cursor-not-allowed');
+  }
+  
+  // Hide error if shown
+  if (loginError) {
+    loginError.classList.add('hidden');
+    if (loginErrorText) loginErrorText.textContent = '';
+  }
+  
+  // Redirect to login endpoint with action=redirect to trigger OIDC redirect
+  window.location.href = '/auth/login?action=redirect';
+}
+
+// Handle logout - use direct redirect instead of fetch to avoid CORS issues
+function handleLogout() {
+  // Clear local state
+  isAuthenticated = false;
+  currentUser = null;
+  
+  // Direct redirect to logout endpoint (server will handle redirect to provider)
+  // Using window.location.href instead of fetch to avoid CORS issues with redirects
+  window.location.href = '/auth/logout';
+}
+
+// Show login page
+function showLoginPage() {
+  const loginPage = document.getElementById('loginPage');
+  const mainContent = document.getElementById('mainContent');
+  const nav = document.querySelector('nav');
+  
+  // Hide main content and nav immediately
+  if (mainContent) {
+    mainContent.style.display = 'none';
+    mainContent.classList.add('hidden');
+  }
+  if (nav) {
+    nav.style.display = 'none';
+    nav.classList.add('hidden');
+  }
+  
+  // Show login page
+  if (loginPage) {
+    loginPage.style.display = 'flex';
+    loginPage.classList.remove('hidden');
+  }
+}
+
+// Show main content (when authenticated or OIDC disabled)
+function showMainContent() {
+  const loginPage = document.getElementById('loginPage');
+  const mainContent = document.getElementById('mainContent');
+  const nav = document.querySelector('nav');
+  
+  // Hide login page immediately
+  if (loginPage) {
+    loginPage.style.display = 'none';
+    loginPage.classList.add('hidden');
+  }
+  
+  // Show main content and nav
+  if (mainContent) {
+    mainContent.style.display = '';
+    mainContent.classList.remove('hidden');
+  }
+  if (nav) {
+    nav.style.display = '';
+    nav.classList.remove('hidden');
+  }
+}
+
+// Toggle user menu dropdown
+function toggleUserMenu() {
+  const dropdown = document.getElementById('userMenuDropdown');
+  if (dropdown) {
+    dropdown.classList.toggle('hidden');
+  }
+}
+
+// Close user menu when clicking outside
+document.addEventListener('click', function(event) {
+  const userMenuButton = document.getElementById('userMenuButton');
+  const userMenuDropdown = document.getElementById('userMenuDropdown');
+  
+  if (userMenuButton && userMenuDropdown && 
+      !userMenuButton.contains(event.target) && 
+      !userMenuDropdown.contains(event.target)) {
+    userMenuDropdown.classList.add('hidden');
+  }
+});
+
+// Show authenticated UI (update header with user info)
+function showAuthenticatedUI() {
+  showMainContent();
+  
+  const userInfoContainer = document.getElementById('userInfoContainer');
+  const userDisplayName = document.getElementById('userDisplayName');
+  const userMenuDisplayName = document.getElementById('userMenuDisplayName');
+  const userMenuEmail = document.getElementById('userMenuEmail');
+  const mobileUserInfoContainer = document.getElementById('mobileUserInfoContainer');
+  const mobileUserDisplayName = document.getElementById('mobileUserDisplayName');
+  const mobileUserEmail = document.getElementById('mobileUserEmail');
+  
+  if (userInfoContainer && currentUser) {
+    userInfoContainer.classList.remove('hidden');
+    
+    const displayName = currentUser.name || currentUser.username || currentUser.email;
+    
+    if (userDisplayName) {
+      userDisplayName.textContent = displayName;
+    }
+    
+    if (userMenuDisplayName) {
+      userMenuDisplayName.textContent = displayName;
+    }
+    
+    if (userMenuEmail && currentUser.email) {
+      userMenuEmail.textContent = currentUser.email;
+    }
+  }
+  
+  // Update mobile menu
+  if (mobileUserInfoContainer && currentUser) {
+    mobileUserInfoContainer.classList.remove('hidden');
+    
+    const displayName = currentUser.name || currentUser.username || currentUser.email;
+    
+    if (mobileUserDisplayName) {
+      mobileUserDisplayName.textContent = displayName;
+    }
+    
+    if (mobileUserEmail && currentUser.email) {
+      mobileUserEmail.textContent = currentUser.email;
+    }
+  }
+}
+
+// Handle 401/403 responses from API
+function handleAuthError(response) {
+  if (response.status === 401 || response.status === 403) {
+    if (authEnabled) {
+      isAuthenticated = false;
+      currentUser = null;
+      showLoginPage();
+      return true;
+    }
+  }
+  return false;
+}
--- a/pkg/web/static/js/init.js
+++ b/pkg/web/static/js/init.js
@@ -3,6 +3,29 @@

 window.addEventListener('DOMContentLoaded', function() {
  showLoading(true);
+  
+  // Check authentication status first (if auth.js is loaded)
+  if (typeof checkAuthStatus === 'function') {
+    checkAuthStatus().then(function(authStatus) {
+      // Only proceed with initialization if authenticated or OIDC disabled
+      if (!authStatus.enabled || authStatus.authenticated) {
+        initializeApp();
+      } else {
+        // Not authenticated, login page will be shown by checkAuthStatus
+        showLoading(false);
+      }
+    }).catch(function(err) {
+      console.error('Auth check failed:', err);
+      // Proceed with initialization anyway (fallback)
+      initializeApp();
+    });
+  } else {
+    // Auth.js not loaded, proceed normally
+    initializeApp();
+  }
+});
+
+function initializeApp() {
  // Only display external IP if the element exists (not disabled via template variable)
  if (document.getElementById('external-ip')) {
    displayExternalIP();
@@ -148,4 +171,4 @@ window.addEventListener('DOMContentLoaded', function() {
      advancedIntegrationSelect.addEventListener('change', updateAdvancedIntegrationFields);
    }
  });
-});
+}