auth: slight refactor, setup user auth

user-auth.go contains slightly adjusted versions of auth.go functions, for authorizing jellyfin users (admin or not). Refactored auth.go so that most code is shared. User auth isn't hooked up yet, nor has it been tested.
2026-01-18 16:47:42 +01:00 · 2023-06-15 21:32:18 +01:00
parent bf981935cb
commit 918f8816c5
3 changed files with 208 additions and 42 deletions
--- a/user-auth.go
+++ b/user-auth.go
@@ -0,0 +1,98 @@
+package main
+
+import "github.com/gin-gonic/gin"
+
+func (app *appContext) userAuth() gin.HandlerFunc {
+	return app.userAuthenticate
+}
+
+func (app *appContext) userAuthenticate(gc *gin.Context) {
+	jellyfinLogin := app.config.Section("ui").Key("jellyfin_login").MustBool(true)
+	if !jellyfinLogin {
+		app.err.Println("Enable Jellyfin Login to use the User Page feature.")
+		respond(500, "Contact Admin", gc)
+		return
+	}
+	claims, ok := app.decodeValidateAuthHeader(gc)
+	if !ok {
+		return
+	}
+
+	// user id can be nil for all we care, we just want the Jellyfin ID
+	jfID := claims["jfid"].(string)
+
+	gc.Set("jfId", jfID)
+	gc.Set("userMode", true)
+	app.debug.Println("Auth succeeded")
+	gc.Next()
+}
+
+// @Summary Grabs an user-access token using username & password.
+// @description Has limited access to API routes, used to display the user's personal page.
+// @Produce json
+// @Success 200 {object} getTokenDTO
+// @Failure 401 {object} stringResponse
+// @Router /my/token/login [get]
+// @tags Auth
+// @Security getUserTokenAuth
+func (app *appContext) getUserTokenLogin(gc *gin.Context) {
+	if !app.config.Section("ui").Key("jellyfin_login").MustBool(true) {
+		app.err.Println("Enable Jellyfin Login to use the User Page feature.")
+		respond(500, "Contact Admin", gc)
+		return
+	}
+	app.info.Println("UserToken requested (login attempt)")
+	username, password, ok := app.decodeValidateLoginHeader(gc)
+	if !ok {
+		return
+	}
+
+	user, ok := app.validateJellyfinCredentials(username, password, gc)
+	if !ok {
+		return
+	}
+
+	token, refresh, err := CreateToken(user.ID, user.ID, false)
+	if err != nil {
+		app.err.Printf("getUserToken failed: Couldn't generate user token (%s)", err)
+		respond(500, "Couldn't generate user token", gc)
+		return
+	}
+
+	app.debug.Printf("Token generated for non-admin user \"%s\"", username)
+	gc.SetCookie("refresh", refresh, REFRESH_TOKEN_VALIDITY_SEC, "/my", gc.Request.URL.Hostname(), true, true)
+	gc.JSON(200, getTokenDTO{token})
+}
+
+// @Summary Grabs an user-access token using a refresh token from cookies.
+// @Produce json
+// @Success 200 {object} getTokenDTO
+// @Failure 401 {object} stringResponse
+// @Router /my/token/refresh [get]
+// @tags Auth
+func (app *appContext) getUserTokenRefresh(gc *gin.Context) {
+	jellyfinLogin := app.config.Section("ui").Key("jellyfin_login").MustBool(true)
+	if !jellyfinLogin {
+		app.err.Println("Enable Jellyfin Login to use the User Page feature.")
+		respond(500, "Contact Admin", gc)
+		return
+	}
+
+	app.info.Println("UserToken request (refresh token)")
+	claims, ok := app.decodeValidateRefreshCookie(gc)
+	if !ok {
+		return
+	}
+
+	jfID := claims["jfid"].(string)
+
+	jwt, refresh, err := CreateToken(jfID, jfID, false)
+	if err != nil {
+		app.err.Printf("getUserToken failed: Couldn't generate user token (%s)", err)
+		respond(500, "Couldn't generate user token", gc)
+		return
+	}
+
+	gc.SetCookie("refresh", refresh, REFRESH_TOKEN_VALIDITY_SEC, "/my", gc.Request.URL.Hostname(), true, true)
+	gc.JSON(200, getTokenDTO{jwt})
+}