Switch user status to enum

2025-10-23 20:24:19 +11:00
parent 91573ee2b9
commit 7f075391c1
6 changed files with 146 additions and 6 deletions
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -0,0 +1,130 @@
+module Api
+  class ForwardAuthController < ApplicationController
+    # ForwardAuth endpoints don't use sessions or CSRF
+    allow_unauthenticated_access
+    skip_before_action :verify_authenticity_token
+
+    # GET /api/verify
+    # This endpoint is called by reverse proxies (Traefik, Caddy, nginx)
+    # to verify if a user is authenticated and authorized to access an application
+    def verify
+      # Get the application slug from query params or X-Forwarded-Host header
+      app_slug = params[:app] || extract_app_from_headers
+
+      # Get the session from cookie
+      session_id = extract_session_id
+      unless session_id
+        # No session cookie - user is not authenticated
+        return render_unauthorized("No session cookie")
+      end
+
+      # Find the session
+      session = Session.find_by(id: session_id)
+      unless session
+        # Invalid session
+        return render_unauthorized("Invalid session")
+      end
+
+      # Check if session is expired
+      if session.expired?
+        session.destroy
+        return render_unauthorized("Session expired")
+      end
+
+      # Update last activity
+      session.update_column(:last_activity_at, Time.current)
+
+      # Get the user
+      user = session.user
+      unless user.active?
+        return render_unauthorized("User account is not active")
+      end
+
+      # If an application is specified, check authorization
+      if app_slug.present?
+        application = Application.find_by(slug: app_slug, app_type: "trusted_header", active: true)
+
+        unless application
+          Rails.logger.warn "ForwardAuth: Application not found or not configured for trusted_header: #{app_slug}"
+          return render_forbidden("Application not found or not configured")
+        end
+
+        # Check if user is allowed to access this application
+        unless application.user_allowed?(user)
+          Rails.logger.info "ForwardAuth: User #{user.email_address} denied access to #{app_slug}"
+          return render_forbidden("You do not have permission to access this application")
+        end
+
+        Rails.logger.info "ForwardAuth: User #{user.email_address} granted access to #{app_slug}"
+      else
+        Rails.logger.info "ForwardAuth: User #{user.email_address} authenticated (no app specified)"
+      end
+
+      # User is authenticated and authorized
+      # Return 200 with user information headers
+      response.headers["Remote-User"] = user.email_address
+      response.headers["Remote-Email"] = user.email_address
+      response.headers["Remote-Name"] = user.email_address
+
+      # Add groups if user has any
+      if user.groups.any?
+        response.headers["Remote-Groups"] = user.groups.pluck(:name).join(",")
+      end
+
+      # Add admin flag
+      response.headers["Remote-Admin"] = user.admin? ? "true" : "false"
+
+      # Return 200 OK with no body
+      head :ok
+    end
+
+    private
+
+    def extract_session_id
+      # Extract session ID from cookie
+      # Rails uses signed cookies by default
+      cookies.signed[:session_id]
+    end
+
+    def extract_app_from_headers
+      # Try to extract application slug from forwarded headers
+      # This is useful when the proxy doesn't pass ?app= param
+
+      # X-Forwarded-Host might contain the hostname
+      host = request.headers["X-Forwarded-Host"] || request.headers["Host"]
+
+      # Try to match hostname to application
+      # Format: app-slug.domain.com -> app-slug
+      if host.present?
+        # Extract subdomain as potential app slug
+        parts = host.split(".")
+        if parts.length >= 2
+          return parts.first if parts.first != "www"
+        end
+      end
+
+      nil
+    end
+
+    def render_unauthorized(reason = nil)
+      Rails.logger.info "ForwardAuth: Unauthorized - #{reason}"
+
+      # Set header to help with debugging
+      response.headers["X-Auth-Reason"] = reason if reason
+
+      # Return 401 Unauthorized
+      # The reverse proxy should redirect to login
+      head :unauthorized
+    end
+
+    def render_forbidden(reason = nil)
+      Rails.logger.info "ForwardAuth: Forbidden - #{reason}"
+
+      # Set header to help with debugging
+      response.headers["X-Auth-Reason"] = reason if reason
+
+      # Return 403 Forbidden
+      head :forbidden
+    end
+  end
+end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -17,7 +17,7 @@ class SessionsController < ApplicationController
    end

    # Check if user is active
-    unless user.status == "active"
+    unless user.active?
      redirect_to signin_path, alert: "Your account is not active. Please contact an administrator."
      return
    end