nicoeri/filebrowser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9097bcda6e
filebrowser/auth/cloudflare.go
Travis Johnson 9097bcda6e cloudflare-access auth method
2023-09-14 20:05:37 -04:00

64 lines
1.6 KiB
Go
Raw Blame History

package auth
import (
"fmt"
"net/http"
"os"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/filebrowser/filebrowser/v2/errors"
"github.com/filebrowser/filebrowser/v2/settings"
"github.com/filebrowser/filebrowser/v2/users"
)
// MethodCloudflareAuth is used to identify no auth.
const MethodCloudflareAuth settings.AuthMethod = "cloudflare-access"
// CloudflareAuth is a proxy implementation of an auther.
type CloudflareAuth struct {
Team string `json:"team"`
Aud string `json:"aud"`
}
type CloudflareTokenPayload struct {
Email string
}
// Auth authenticates the user via an HTTP header.
func (a CloudflareAuth) Auth(r *http.Request, usr users.Store, stg *settings.Settings, srv *settings.Server) (*users.User, error) {
accessJWT := r.Header.Get("Cf-Access-Jwt-Assertion")
if accessJWT == "" {
return nil, os.ErrPermission
}
// The Application Audience (AUD) tag for your application
config := &oidc.Config{
ClientID: a.Aud,
}
teamDomain := fmt.Sprintf("https://%s.cloudflareaccess.com", a.Team)
certsURL := fmt.Sprintf("%s/cdn-cgi/access/certs", teamDomain)
keySet := oidc.NewRemoteKeySet(r.Context(), certsURL)
verifier := oidc.NewVerifier(teamDomain, keySet, config)
token, err := verifier.Verify(r.Context(), accessJWT)
if err != nil {
return nil, os.ErrPermission
}
payload := new(CloudflareTokenPayload)
token.Claims(&payload)
user, err := usr.Get(srv.Root, payload.Email)
if err == errors.ErrNotExist {
return nil, os.ErrPermission
}
return user, err
}
// LoginPage tells that proxy auth doesn't require a login page.
func (a CloudflareAuth) LoginPage() bool {
return false
}
Reference in New Issue View Git Blame Copy Permalink