fix: harden login for MLPS requirements
This commit is contained in:
@@ -9,8 +9,10 @@ import (
|
||||
)
|
||||
|
||||
type loginRequest struct {
|
||||
Username string `json:"username" binding:"required"`
|
||||
Password string `json:"password" binding:"required"`
|
||||
Username string `json:"username" binding:"required"`
|
||||
Password string `json:"password"`
|
||||
EncryptedPassword string `json:"encrypted_password"`
|
||||
PasswordKeyID string `json:"password_key_id"`
|
||||
}
|
||||
|
||||
type loginResponse struct {
|
||||
@@ -28,11 +30,13 @@ func loginHandler(svc *app.AuthService) gin.HandlerFunc {
|
||||
}
|
||||
|
||||
result, err := svc.Login(c.Request.Context(), app.LoginInput{
|
||||
Username: body.Username,
|
||||
Password: body.Password,
|
||||
IP: c.ClientIP(),
|
||||
UserAgent: c.Request.UserAgent(),
|
||||
RequestID: middleware.RequestIDFromGin(c),
|
||||
Username: body.Username,
|
||||
Password: body.Password,
|
||||
EncryptedPassword: body.EncryptedPassword,
|
||||
PasswordKeyID: body.PasswordKeyID,
|
||||
IP: c.ClientIP(),
|
||||
UserAgent: c.Request.UserAgent(),
|
||||
RequestID: middleware.RequestIDFromGin(c),
|
||||
})
|
||||
if err != nil {
|
||||
response.Error(c, err)
|
||||
@@ -47,6 +51,17 @@ func loginHandler(svc *app.AuthService) gin.HandlerFunc {
|
||||
}
|
||||
}
|
||||
|
||||
func passwordPublicKeyHandler(svc *app.AuthService) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
key := svc.PasswordPublicKey()
|
||||
if key == nil {
|
||||
response.Error(c, response.ErrNotFound(40420, "password_cipher_disabled", "password cipher is disabled"))
|
||||
return
|
||||
}
|
||||
response.Success(c, key)
|
||||
}
|
||||
}
|
||||
|
||||
func meHandler(accounts *app.AccountService) gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
actor := actorFromGin(c)
|
||||
|
||||
@@ -6,12 +6,14 @@ import (
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/geo-platform/tenant-api/internal/ops/app"
|
||||
sharedconfig "github.com/geo-platform/tenant-api/internal/shared/config"
|
||||
"github.com/geo-platform/tenant-api/internal/shared/middleware"
|
||||
"github.com/geo-platform/tenant-api/internal/shared/response"
|
||||
)
|
||||
|
||||
type Deps struct {
|
||||
Engine *gin.Engine
|
||||
Server sharedconfig.ServerConfig
|
||||
Logger *zap.Logger
|
||||
DB *pgxpool.Pool
|
||||
MonitoringDB *pgxpool.Pool
|
||||
@@ -26,13 +28,27 @@ type Deps struct {
|
||||
Compliance *app.ComplianceService
|
||||
}
|
||||
|
||||
func (d Deps) ServerAllowedOrigins() []string {
|
||||
return d.Server.AllowedOrigins
|
||||
}
|
||||
|
||||
func (d Deps) ServerSecurityHeadersEnabled() bool {
|
||||
return d.Server.SecurityHeaders.Enabled
|
||||
}
|
||||
|
||||
func RegisterRoutes(d Deps) {
|
||||
d.Engine.Use(
|
||||
middleware.Recovery(d.Logger),
|
||||
middleware.RequestID(),
|
||||
middleware.Logger(d.Logger),
|
||||
middleware.CORS(),
|
||||
)
|
||||
if d.ServerSecurityHeadersEnabled() {
|
||||
d.Engine.Use(middleware.SecurityHeaders())
|
||||
}
|
||||
d.Engine.Use(middleware.CORSWithConfig(middleware.CORSConfig{
|
||||
AllowedOrigins: d.ServerAllowedOrigins(),
|
||||
AllowAll: len(d.ServerAllowedOrigins()) == 0,
|
||||
}))
|
||||
|
||||
d.Engine.GET("/api/health/live", func(c *gin.Context) {
|
||||
response.Success(c, gin.H{"status": "alive"})
|
||||
@@ -53,6 +69,7 @@ func RegisterRoutes(d Deps) {
|
||||
|
||||
api := d.Engine.Group("/api/ops")
|
||||
{
|
||||
api.GET("/auth/password-key", passwordPublicKeyHandler(d.Auth))
|
||||
api.POST("/auth/login", loginHandler(d.Auth))
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user