Add support for header authentication

cpanfile

@@ -7,7 +7,7 @@ requires 'Mojolicious::Plugin::GzipStatic';
 requires 'Mojolicious::Plugin::StaticCache';
 requires 'Mojolicious::Plugin::CSPHeader', '>= 0.06';
 requires 'Mojolicious::Plugin::FiatTux::Helpers', '== 0.12', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-helpers/-/archive/0.12/mojolicious-plugin-fiattux-helpers-0.12.tar.gz';
-requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.07', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.07/mojolicious-plugin-fiattux-grantaccess-0.07.tar.gz';
+requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.08', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.08/mojolicious-plugin-fiattux-grantaccess-0.08.tar.gz';
 requires 'Mojolicious::Plugin::FiatTux::Themes', '== 0.02', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-themes/-/archive/0.02/mojolicious-plugin-fiattux-themes-0.02.tar.gz';
 requires 'Filesys::DiskUsage';
 requires 'Switch';
@@ -43,6 +43,9 @@ feature 'htpasswd', 'Htpasswd authentication support' => sub {
     requires 'Apache::Htpasswd';
     requires 'Mojolicious::Plugin::Authentication';
 };
+feature 'auth_headers', 'Header authentication support' => sub {
+    requires 'Mojolicious::Plugin::Authentication';
+};
 feature 'postgresql', 'PostgreSQL support' => sub {
     requires 'Mojo::Pg';
     requires 'Mojolicious::Plugin::PgURLHelper';

lib/Lufi.pm

@@ -124,7 +124,7 @@ sub startup {
       ->to('Misc#change_lang')
       ->name('lang');
 
-    if (defined $self->config('ldap') || defined $self->config('htpasswd')) {
+    if (defined $self->config('ldap') || defined $self->config('htpasswd') || defined $self->config('auth_headers')) {
         # Login page
         $r->get('/login')
           ->to('Auth#login_page');
@@ -138,7 +138,7 @@ sub startup {
           ->to('Auth#log_out')
           ->name('logout');
 
-        if (defined $self->config('ldap') && defined $self->config('invitations')) {
+        if ((defined $self->config('ldap') || defined $self->config('auth_headers')) && defined $self->config('invitations')) {
             # Invitation creation page
             $r->get('/invite')
               ->name('invite')

lib/Lufi/Controller/Auth.pm

@@ -9,10 +9,21 @@ sub login_page {
     if ($c->is_user_authenticated) {
         $c->redirect_to('/');
     } else {
-        $c->render(
+        if ($c->config('auth_headers')) {
-            template => 'login',
+            if($c->authenticate('dummy', 'dummy')) {
-            redirect => $redirect
+                if ($redirect eq 'invite') {
-        );
+                    return $c->redirect_to('invite');
+                } elsif ($redirect eq 'my_invitations') {
+                    return $c->redirect_to('invite_list');
+                }
+                return $c->redirect_to('/');
+            }
+        } else {
+            $c->render(
+                template => 'login',
+                redirect => $redirect
+            );
+        }
     }
 }
 

lib/Lufi/Controller/Misc.pm

@@ -8,7 +8,7 @@ use Lufi::DB::File;
 
 sub index {
     my $c = shift;
-    if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated) {
+    if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated) {
         $c->render(template => 'index');
     } else {
         $c->redirect_to('login');
@@ -56,7 +56,7 @@ sub config_infos {
             force_burn_after_reading => $c->config('force_burn_after_reading'),
             keep_ip_during           => $c->config('keep_ip_during'),
             stop_upload              => (-f 'stop-upload' || -f 'stop-upload.manual') ? true : false,
-            need_authentication      => (defined($c->config('ldap')) || defined($c->config('htpasswd'))) ? true : false,
+            need_authentication      => (defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers'))) ? true : false,
             version                  => $c->git_version
         }
     );

lufi.conf.template

@@ -291,6 +291,28 @@
     # See 'man htpasswd' to know how to create such file
     #htpasswd => 'lufi.passwd',
 
+    ############################
+    # HTTP header authentication
+    ############################
+
+    # Set `auth_headers` if you want to use HTTP header auth.
+    # Typically, these headers are set by a reverse-proxy
+    # acting as an authentication server. Useful for SSO.
+    # `auth_headers` should contains the user's username.
+    #
+    # /!\ LUFI BLINDLY TRUSTS THESE HEADERS
+    # /!\ IT'S UP TO YOU TO SANITIZE INCOMING HEADERS TO SECURE YOUR INSTANCE
+    #
+    #auth_headers => 'X-AUTH-PREFERRED-USERNAME',
+    #auth_headers_map_value => {
+    #    # Like ldap_map_attr but for headers
+    #    displayname => 'X-AUTH-DISPLAYNAME',
+    #    firstname   => 'X-AUTH-GIVENNAME',
+    #    lastname    => 'X-AUTH-LASTNAME',
+    #    mail        => 'X-AUTH-EMAIL'
+    #},
+
+
     #######################
     # HTTP Headers settings
     #######################

themes/default/templates/layouts/default.html.ep

@@ -29,10 +29,10 @@
                 <a href="#" data-activates="mobile" class="button-collapse"><i class="mdi-navigation-menu"></i></a>
                 <ul id="nav-mobile" class="right hide-on-med-and-down">
                     <li><a href="<%= $self->config('report') %>"><%= l('Report file') %></a></li>
-                % if ((!defined(config('ldap')) && !defined(config('htpasswd'))) || is_user_authenticated()) {
+                % if ((!defined(config('ldap')) && !defined(config('htpasswd')) && !defined(config('auth_headers'))) || is_user_authenticated()) {
                     <li<%== ' class="active"' if (current_route eq 'index') %>><a href="<%= url_for('/') %>"><%= l('Upload files') %></a></li>
                     <li<%== ' class="active"' if (current_route eq 'files') %>><a href="<%= url_for('/files') %>"><%= l('My files') %></a></li>
-                    % if (defined config('ldap') && defined config('invitations')) {
+                    % if ((defined config('ldap') || defined config('auth_headers')) && defined config('invitations')) {
                         <li<%== ' class="active"' if (current_route eq 'invite') %>><a href="<%= url_for('/invite') %>"><%= l('Invite a guest') %></a></li>
                         <li<%== ' class="active"' if (current_route eq 'invite/list') %>><a href="<%= url_for('/invite/list') %>"><%= l('My invitations') %></a></li>
                     % }
@@ -51,7 +51,7 @@
                         </div>
                     </li>
                     <li<%== ' class="active"' if (current_route eq 'about') %>><a href="<%= url_for('/about') %>"><%= l('About') %></a></li>
-                % if ((defined(config('ldap')) || defined(config('htpasswd'))) && is_user_authenticated()) {
+                % if ((defined(config('ldap')) || defined(config('htpasswd')) || defined(config('auth_headers'))) && is_user_authenticated()) {
                     <li>
                         <form action="<%= url_for('/logout') %>" method="POST">
                             %= csrf_field
@@ -62,10 +62,10 @@
                 </ul>
                 <ul id="mobile" class="side-nav">
                     <li><a href="<%= $self->config('report') %>"><%= l('Report file') %></a></li>
-                % if ((!defined(config('ldap')) && !defined(config('htpasswd'))) || is_user_authenticated()) {
+                % if ((!defined(config('ldap')) && !defined(config('htpasswd')) && !defined(config('auth_headers'))) || is_user_authenticated()) {
                     <li<%== ' class="active"' if (current_route eq 'index') %>><a href="<%= url_for('/') %>"><%= l('Upload files') %></a></li>
                     <li<%== ' class="active"' if (current_route eq 'files') %>><a href="<%= url_for('/files') %>"><%= l('My files') %></a></li>
-                    % if (defined config('ldap') && defined config('invitations')) {
+                    % if ((defined config('ldap') || defined config('auth_headers')) && defined config('invitations')) {
                         <li<%== ' class="active"' if (current_route eq 'invite') %>><a href="<%= url_for('/invite') %>"><%= l('Invite a guest') %></a></li>
                         <li<%== ' class="active"' if (current_route eq 'invite/list') %>><a href="<%= url_for('/invite/list') %>"><%= l('My invitations') %></a></li>
                     % }
@@ -84,7 +84,7 @@
                         </div>
                     </li>
                     <li<%== ' class="active"' if (current_route eq 'about') %>><a href="<%= url_for('/about') %>"><%= l('About') %></a></li>
-                % if ((defined(config('ldap')) || defined(config('htpasswd'))) && is_user_authenticated()) {
+                % if ((defined(config('ldap')) || defined(config('htpasswd')) || defined(config('auth_headers'))) && is_user_authenticated()) {
                     <li>
                         <form action="<%= url_for('/logout') %>" method="POST">
                             %= csrf_field