[Web] move /process/login to internal endpoint

2026-01-08 06:29:23 +00:00 · 2023-04-12 15:32:22 +02:00
parent f0689e08d9
commit dca5f1baab
10 changed files with 123 additions and 58 deletions
--- a/data/web/inc/functions.auth.inc.php
+++ b/data/web/inc/functions.auth.inc.php
@@ -9,7 +9,7 @@ function unset_auth_session(){
  unset($_SESSION['pending_mailcow_cc_role']);
  unset($_SESSION['pending_tfa_methods']);
 }
-function check_login($user, $pass, $app_passwd_data = false) {
+function check_login($user, $pass, $app_passwd_data = false, $is_internal = false) {
  global $pdo;
  global $redis;

@@ -35,12 +35,6 @@ function check_login($user, $pass, $app_passwd_data = false) {
  }

  // Validate mailbox user
-  // skip log & ldelay if requests comes from dovecot
-  $is_dovecot = false;
-  $request_ip =  $_SERVER['REMOTE_ADDR'];
-  if ($request_ip == getenv('IPV4_NETWORK').'.250'){
-    $is_dovecot = true;
-  }
  // check authsource
  $stmt = $pdo->prepare("SELECT authsource FROM `mailbox`
      INNER JOIN domain on mailbox.domain = domain.domain
@@ -54,9 +48,9 @@ function check_login($user, $pass, $app_passwd_data = false) {
    // mbox does not exist, call keycloak login and create mbox if possible
    $identity_provider_settings = identity_provider('get');
    if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot, true);
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal, true);
    } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot, true);
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal, true);
    }
    if ($result){
      return $result;
@@ -64,7 +58,7 @@ function check_login($user, $pass, $app_passwd_data = false) {
  } else if ($row['authsource'] == 'keycloak'){
    if ($app_passwd_data){
      // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
      if ($result){
        return $result;
      }
@@ -72,9 +66,9 @@ function check_login($user, $pass, $app_passwd_data = false) {

    $identity_provider_settings = identity_provider('get');
    if ($identity_provider_settings['login_flow'] == 'ropc'){
-      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_dovecot);
+      $result = keycloak_mbox_login_ropc($user, $pass, $identity_provider_settings, $is_internal);
    } else {
-      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_dovecot);
+      $result = keycloak_mbox_login_rest($user, $pass, $identity_provider_settings, $is_internal);
    }
    if ($result){
      return $result;
@@ -82,21 +76,20 @@ function check_login($user, $pass, $app_passwd_data = false) {
  } else {
    if ($app_passwd_data){
      // first check if password is app_password
-      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_dovecot);
+      $result = mailcow_mbox_apppass_login($user, $pass, $app_passwd_data, $is_internal);
      if ($result){
        return $result;
      }
    }

-    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_dovecot);
+    $result = mailcow_mbox_login($user, $pass, $app_passwd_data, $is_internal);
    if ($result){
      return $result;
    }
  }

-  // skip log and only return false
-  // netfilter uses dovecot error log for banning
-  if ($is_dovecot){
+  // skip log and only return false if it's an internal request
+  if ($is_internal){
    return false;
  }
  if (!isset($_SESSION['ldelay'])) {
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2214,6 +2214,25 @@ function identity_provider($_action, $_data = null, $hide_secret = false) {

      return true;
    break;
+    case "init":
+      $identity_provider_settings = identity_provider('get');
+      $provider = null;
+      if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
+          $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
+        $provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
+          'authServerUrl'         => $identity_provider_settings['server_url'],
+          'realm'                 => $identity_provider_settings['realm'],
+          'clientId'              => $identity_provider_settings['client_id'],
+          'clientSecret'          => $identity_provider_settings['client_secret'],
+          'redirectUri'           => $identity_provider_settings['redirect_url'],
+          'version'               => $identity_provider_settings['version'],                            
+          // 'encryptionAlgorithm'   => 'RS256',                             // optional
+          // 'encryptionKeyPath'     => '../key.pem'                         // optional
+          // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
+        ]);
+      }
+      return $provider;
+    break;
  }
 }

--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -179,22 +179,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.auth.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/sessions.inc.php';

 // Init Keycloak Provider
-$identity_provider_settings = identity_provider('get');
-$keycloak_provider = null;
-if ($identity_provider_settings['server_url'] && $identity_provider_settings['realm'] && $identity_provider_settings['client_id'] &&
-    $identity_provider_settings['client_secret'] && $identity_provider_settings['redirect_url'] && $identity_provider_settings['version']){
-  $keycloak_provider = new Stevenmaguire\OAuth2\Client\Provider\Keycloak([
-    'authServerUrl'         => $identity_provider_settings['server_url'],
-    'realm'                 => $identity_provider_settings['realm'],
-    'clientId'              => $identity_provider_settings['client_id'],
-    'clientSecret'          => $identity_provider_settings['client_secret'],
-    'redirectUri'           => $identity_provider_settings['redirect_url'],
-    'version'               => $identity_provider_settings['version'],                            
-    // 'encryptionAlgorithm'   => 'RS256',                             // optional
-    // 'encryptionKeyPath'     => '../key.pem'                         // optional
-    // 'encryptionKey'         => 'contents_of_key_or_certificate'     // optional
-  ]);
-}
+$keycloak_provider = identity_provider('init');

 // IMAP lib
 // use Ddeboer\Imap\Server;
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -401,26 +401,6 @@ if (isset($_GET['query'])) {
          );
          echo json_encode($return);
        break;
-        case "login":
-          header('Content-Type: application/json');
-          $post = trim(file_get_contents('php://input'));
-          if ($post) {
-            $post = json_decode($post, true);
-          }
-
-          $return = array("success" => false, "role" => false);
-          if(!isset($post['username']) || !isset($post['password'])){
-            echo json_encode($return); 
-            return;
-          }
-          $result = check_login($post['username'], $post['password'], $post['protocol']);
-          if ($result) {
-            $return = array("success" => true, "role" => $result);
-          }
-
-          echo json_encode($return); 
-          return;
-        break;
      }
    break;
    case "get":