Added local user authentication and user management

Author: iTraceur

.gitignore

@@ -8,6 +8,7 @@ nohup.out
 *.log
 *.pid
 *.tmp
+*.db
 
 .idea
 .vscode

README.md

@@ -43,11 +43,19 @@ sessionproviderconfig = "127.0.0.1:6379"  # The provider's path or link address
 xsrfkey = 4b6774f328ee1a2f24fcb62842fc0cfc  # XSRF key
 xsrfexpire = 86400  # XSRF expiration time
 
-# User remote authentication API
+# User authentication provider, local or remote, default local.
+authProvider = local
+
+# Whether to enable User-IP binding to restrict the user to login to the application using a specific IP,
+# takes effect when the authProvider is configured to local. once enabled, the manage user needs to
+# bind the client IP for each user in the user management page, default false.
+ipBinding = false
+
+# User remote authentication API, required when the authProvider is configured to remote.
 authAPI = http://127.0.0.1:5000/api/login
 
-# The users who can access control API, default admin
-controlUsers = admin;iTraceur;zhaowencheng
+# The users who can access user manager page and control API, default admin.
+manageUsers = admin;iTraceur;zhaowencheng
 
 # Clinet IP control configuration
 [ipControl]

README_CN.md

@@ -40,11 +40,18 @@ sessionproviderconfig = "127.0.0.1:6379"  # Session 存储引擎的路径或链
 xsrfkey = 4b6774f328ee1a2f24fcb62842fc0cfc  # XSRF key
 xsrfexpire = 86400  # XSRF 过期时间
 
-# 远程用户认证接口
+# 用户认证提供方, 可设为local或remote, 默认为local
+authProvider = local
+
+# 是否开启用户与IP绑定功能来限定用户只能使用特定的IP来登录此应用, 当authProvider配置为local时此配置生效,
+# 开启后，管理用户需要在用户管理页面为每个用户绑定客户端IP，默认不开启
+ipBinding = false
+
+# 远程用户认证接口， 当authProvider为remote时需要此配置
 authAPI = http://127.0.0.1:5000/api/login
 
-# 可访问控制接口的用户，默认为admin
-controlUsers = admin;iTraceur;zhaowencheng
+# 管理用户，可访问控制接口及管理本地用户，默认为admin
+manageUsers = admin;iTraceur;zhaowencheng
 
 # 客户端 IP 访问控制
 [ipControl]

conf/app.example.conf

@@ -11,16 +11,21 @@ sessioncookielifetime = 86400
 sessionprovider = redis
 sessionproviderconfig = "127.0.0.1:6379"
 
-
 # XSRF configuration
 xsrfkey = 4b6774f328ee1a2f24fcb62842fc0cfc
 xsrfexpire = 86400
 
-# User authentication login interface
+# User authentication provider, local or remote, default local
+authProvider = local
+
+# Whether enable binding client ip to the user, needed when authProvider config is local, default false
+ipBinding = false
+
+# User remote authentication API, required when authProvider config is remote
 authAPI = http://127.0.0.1:5000/api/login
 
-# The users who can access control API
-controlUsers = admin;iTraceur;zhaowencheng
+# The users who can access control API and manage local users, default admin
+manageUsers = admin;iTraceur;zhaowencheng
 
 # Client IP control configuration
 [ipControl]

conf/nginx.example.conf

@@ -41,22 +41,22 @@ server {
         proxy_cache_key "$http_authorization$cookie_SessionID";
     }
 
-    location /passport/login {
+    location /passport {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host            $http_host;
-        proxy_pass http://auth-backend/passport/login;
+        proxy_pass http://auth-backend/passport;
     }
 
-    location /passport/logout {
+    location /captcha {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host            $http_host;
-        proxy_pass http://auth-backend/passport/logout;
+        proxy_pass http://auth-backend/captcha;
     }
 
-    location /captcha {
+    location /users {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host            $http_host;
-        proxy_pass http://auth-backend/captcha;
+        proxy_pass http://auth-backend/users;
     }
 
     location /static {

controllers/auth_proxy.go

@@ -9,11 +9,11 @@ type AuthProxyController struct {
 }
 
 func (this *AuthProxyController) Get() {
-	this.Ctx.Output.Header("Cache-Control", "no-cache")
-	uname := this.GetSession("uname")
-	if uname == nil {
-		this.Ctx.Abort(401, "401")
-		return
+	this.TplName = "index.html"
+	data := map[string]string{
+		"title": "Are you ok?",
+		"p":     "I'm ok.",
 	}
-	this.Ctx.Output.Body([]byte("ok"))
+	this.Ctx.Output.Header("Cache-Control", "no-cache")
+	this.Data["data"] = data
 }

controllers/control.go

@@ -3,70 +3,66 @@ package controllers
 import (
 	"fmt"
 	"path/filepath"
-	"reflect"
-	"time"
 
 	"github.com/beego/beego/v2/core/logs"
+	"github.com/beego/beego/v2/core/utils"
 	beego "github.com/beego/beego/v2/server/web"
 	"github.com/toolkits/file"
 
 	"nginx-http-auth/g"
-	"nginx-http-auth/utils"
 )
 
 type ControlController struct {
 	beego.Controller
 }
 
 func (this *ControlController) Get() {
+	// 获取客户端IP
 	clientIP := this.Ctx.Input.IP()
-	logtime := time.Now().Format("02/Jan/2006 03:04:05")
 
-	uname := this.GetSession("uname")
-	if uname == nil {
-		this.Ctx.Redirect(302, "/passport/login")
+	// 获取用户Session
+	username := this.GetSession("uname")
+	if username == nil {
+		this.Redirect("/passport/login", 302)
 		return
 	}
 
-	controlUsers, err := beego.AppConfig.Strings("controlUsers")
+	// 获取管理用户配置
+	manageUsers, err := beego.AppConfig.Strings("manageUsers")
 	if err != nil {
-		logs.Error(err.Error())
-		this.Ctx.Output.SetStatus(500)
-		this.Ctx.WriteString("Internal Server Error")
-		return
+		logs.Warn(fmt.Sprintf("%s - get manage users failed: %s", clientIP, err.Error()))
+		manageUsers = []string{"admin"}
 	}
-	if !utils.InSlice(uname.(string), controlUsers) {
-		logs.Debug(uname.(string), controlUsers, controlUsers[0], reflect.TypeOf(controlUsers[0]))
-		this.Ctx.Output.SetStatus(401)
-		this.Ctx.Output.Body([]byte("Not Allowed"))
-		return
+	// 管理用户校验
+	if !utils.InSlice(username.(string), manageUsers) {
+		logs.Warn(fmt.Sprintf("%s - %s - access to control API was denied", clientIP, username))
+		this.Abort("403")
 	}
 
+	// 获取管理类型
 	control := this.Ctx.Input.Param(":control")
 	switch control {
-	case "version":
-		this.Ctx.Output.Body([]byte(g.VERSION))
-	case "health":
-		this.Ctx.Output.Body([]byte("ok"))
-	case "config":
+	case "version": // 获取版本
+		_ = this.Ctx.Output.Body([]byte(g.VERSION))
+	case "health": // 探活
+		_ = this.Ctx.Output.Body([]byte("ok"))
+	case "config": // 获取配置信息
 		var json map[string]interface{}
 		err = beego.AppConfig.Unmarshaler("", &json)
 		if err != nil {
-			logs.Error(err.Error())
-			this.Ctx.Output.SetStatus(500)
-			this.Ctx.WriteString("Internal Server Error")
-			return
+			logs.Error(fmt.Sprintf("%s - get config info failed: %s", clientIP, err.Error()))
+			this.Abort("550")
 		}
 		this.Data["json"] = json
-		this.ServeJSON()
-	case "reload":
+		_ = this.ServeJSON()
+	case "reload": // 重新加载配置
 		err := beego.LoadAppConfig("ini", filepath.Join(file.SelfDir(), "conf/app.conf"))
 		if err != nil {
-			logs.Error(fmt.Sprintf("%s - - [%s] Config reload failed: %s", clientIP, logtime, err.Error()))
-			this.Ctx.Output.Body([]byte("config reload failed"))
+			logs.Error(fmt.Sprintf("%s - config reload failed: %s", clientIP, err.Error()))
+			_ = this.Ctx.Output.Body([]byte("config reload failed"))
 		} else {
-			logs.Notice(fmt.Sprintf("%s - - [%s] Config Reloaded", clientIP, logtime))
-			this.Ctx.Output.Body([]byte("config reloaded"))
+			logs.Info(fmt.Sprintf("%s - config Reloaded", clientIP))
+			_ = this.Ctx.Output.Body([]byte("config reloaded"))
 		}
 	}
 }

controllers/default.go

@@ -1,6 +1,7 @@
 package controllers
 
 import (
+	"fmt"
 	beego "github.com/beego/beego/v2/server/web"
 	"nginx-http-auth/g"
 )
@@ -10,10 +11,10 @@ type MainController struct {
 }
 
 func (this *MainController) Get() {
-	uname := this.GetSession("uname")
-	if uname == nil {
-		this.Ctx.Redirect(302, "/passport/login")
-		return
+	this.TplName = "index.html"
+	data := map[string]string{
+		"title": "nginx-http-auth",
+		"p":     fmt.Sprintf("Version: %s", g.VERSION),
 	}
-	this.Ctx.Output.Body([]byte("nginx-http-auth, version " + g.VERSION))
+	this.Data["data"] = data
 }

controllers/error.go

@@ -8,12 +8,80 @@ type ErrorController struct {
 	beego.Controller
 }
 
+func (this *ErrorController) Prepare() {
+	this.Layout = "main-simple.html"
+	this.LayoutSections = make(map[string]string)
+	this.LayoutSections["HtmlHead"] = "deny-head.html"
+}
+
 func (this *ErrorController) Error401() {
-	this.Data["content"] = "限制访问，请求被拒绝"
-	this.TplName = "deny.tpl"
+	this.Data["title"] = "未授权页面"
+	this.Data["content"] = "未登录或认证状态失效"
+	this.TplName = "deny.html"
 }
 
 func (this *ErrorController) Error403() {
+	this.Data["title"] = "拒绝访问"
+	this.Data["content"] = "限制访问，请求被拒绝"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error404() {
+	this.Data["title"] = "Ooops!"
+	this.Data["content"] = "页面未找到"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error405() {
+	this.Data["title"] = "非法请求"
+	this.Data["content"] = "不允许的请求方法"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error417() {
+	this.Data["title"] = "非法请求"
+	this.Data["content"] = "XSRF校验失败"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error422() {
+	this.Data["title"] = "非法请求"
+	this.Data["content"] = "请求未提交XSRF参数"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error450() {
+	this.Data["title"] = "拒绝访问"
+	this.Data["content"] = "IP不匹配，请求被拒绝"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error451() {
+	this.Data["title"] = "拒绝访问"
+	this.Data["content"] = "限制IP访问，请求被拒绝"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error452() {
+	this.Data["title"] = "拒绝访问"
 	this.Data["content"] = "当前时间段不允许访问"
-	this.TplName = "deny.tpl"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error453() {
+	this.Data["title"] = "拒绝访问"
+	this.Data["content"] = "限制用户访问，请求被拒绝"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error500() {
+	this.Data["title"] = "服务异常"
+	this.Data["content"] = "服务器内部错误"
+	this.TplName = "deny.html"
+}
+
+func (this *ErrorController) Error550() {
+	this.Data["title"] = "服务异常"
+	this.Data["content"] = "服务未正确配置"
+	this.TplName = "deny.html"
 }