improve web ui
This commit is contained in:
@@ -1,20 +1,28 @@
|
||||
// POST /_auth/login {password} — verify the shared password (constant-time), then seal an
|
||||
// authenticated session cookie. Public (allowlisted in the gate) so an unauthenticated user
|
||||
// can actually log in.
|
||||
import { defineEventHandler, readBody, createError, useSession } from 'h3'
|
||||
import { sessionConfig, timingSafeEqual, uiPassword, type SessionData } from '../../util/auth'
|
||||
import { defineEventHandler, readBody, createError, useSession } from "h3";
|
||||
import {
|
||||
sessionConfig,
|
||||
timingSafeEqual,
|
||||
uiPassword,
|
||||
type SessionData,
|
||||
} from "../../util/auth";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const expected = uiPassword()
|
||||
if (!expected) {
|
||||
throw createError({ statusCode: 503, statusMessage: 'auth not configured' })
|
||||
}
|
||||
const body = await readBody<{ password?: string }>(event)
|
||||
const password = String(body?.password ?? '')
|
||||
if (!timingSafeEqual(password, expected)) {
|
||||
throw createError({ statusCode: 401, statusMessage: 'invalid password' })
|
||||
}
|
||||
const session = await useSession<SessionData>(event, sessionConfig())
|
||||
await session.update({ authenticated: true })
|
||||
return { ok: true }
|
||||
})
|
||||
const expected = uiPassword();
|
||||
if (!expected) {
|
||||
throw createError({
|
||||
statusCode: 503,
|
||||
statusMessage: "auth not configured",
|
||||
});
|
||||
}
|
||||
const body = await readBody<{ password?: string }>(event);
|
||||
const password = String(body?.password ?? "");
|
||||
if (!timingSafeEqual(password, expected)) {
|
||||
throw createError({ statusCode: 401, statusMessage: "invalid password" });
|
||||
}
|
||||
const session = await useSession<SessionData>(event, sessionConfig());
|
||||
await session.update({ authenticated: true });
|
||||
return { ok: true };
|
||||
});
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
// POST /_auth/logout — clear the session cookie.
|
||||
import { defineEventHandler, useSession } from 'h3'
|
||||
import { sessionConfig, type SessionData } from '../../util/auth'
|
||||
import { defineEventHandler, useSession } from "h3";
|
||||
import { sessionConfig, type SessionData } from "../../util/auth";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const session = await useSession<SessionData>(event, sessionConfig())
|
||||
await session.clear()
|
||||
return { ok: true }
|
||||
})
|
||||
const session = await useSession<SessionData>(event, sessionConfig());
|
||||
await session.clear();
|
||||
return { ok: true };
|
||||
});
|
||||
|
||||
@@ -3,26 +3,34 @@
|
||||
// (the browser never sees it) and drop the browser's own cookies/auth from the upstream
|
||||
// request, then proxy. The management API itself binds loopback only — this proxy is the
|
||||
// ONLY path to it from the LAN, and it's authenticated.
|
||||
import { defineEventHandler, getRequestURL, proxyRequest, setResponseStatus } from 'h3'
|
||||
import { mgmtToken, mgmtUrl } from '../../util/auth'
|
||||
import {
|
||||
defineEventHandler,
|
||||
getRequestURL,
|
||||
proxyRequest,
|
||||
setResponseStatus,
|
||||
} from "h3";
|
||||
import { mgmtToken, mgmtUrl } from "../../util/auth";
|
||||
|
||||
export default defineEventHandler((event) => {
|
||||
const { pathname, search } = getRequestURL(event)
|
||||
const target = `${mgmtUrl()}${pathname}${search}`
|
||||
const token = mgmtToken()
|
||||
// The mgmt API now requires a token always. Without one configured, forwarding an empty bearer
|
||||
// would just bounce as 401 — fail fast and legibly instead (the packaged service sources the
|
||||
// host's ~/.config/punktfunk/mgmt-token, so this only fires on a misconfigured/early-start deploy).
|
||||
if (!token) {
|
||||
setResponseStatus(event, 503)
|
||||
return { error: 'management token not configured (PUNKTFUNK_MGMT_TOKEN / ~/.config/punktfunk/mgmt-token)' }
|
||||
}
|
||||
return proxyRequest(event, target, {
|
||||
headers: {
|
||||
// Overwrite, not append: the host-held token replaces anything the browser sent.
|
||||
authorization: `Bearer ${token}`,
|
||||
// Don't forward the session cookie to the management API.
|
||||
cookie: '',
|
||||
},
|
||||
})
|
||||
})
|
||||
const { pathname, search } = getRequestURL(event);
|
||||
const target = `${mgmtUrl()}${pathname}${search}`;
|
||||
const token = mgmtToken();
|
||||
// The mgmt API now requires a token always. Without one configured, forwarding an empty bearer
|
||||
// would just bounce as 401 — fail fast and legibly instead (the packaged service sources the
|
||||
// host's ~/.config/punktfunk/mgmt-token, so this only fires on a misconfigured/early-start deploy).
|
||||
if (!token) {
|
||||
setResponseStatus(event, 503);
|
||||
return {
|
||||
error:
|
||||
"management token not configured (PUNKTFUNK_MGMT_TOKEN / ~/.config/punktfunk/mgmt-token)",
|
||||
};
|
||||
}
|
||||
return proxyRequest(event, target, {
|
||||
headers: {
|
||||
// Overwrite, not append: the host-held token replaces anything the browser sent.
|
||||
authorization: `Bearer ${token}`,
|
||||
// Don't forward the session cookie to the management API.
|
||||
cookie: "",
|
||||
},
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user