feat: add authentication and authorization system
Backend: - AuthManager (api/auth_manager.py): server-side user store with bcrypt password hashing, account lockout after 5 failed attempts (15 min), and atomic file writes - AuthRoutes (api/auth_routes.py): Blueprint at /api/auth/* — login, logout, me, change-password, admin reset-password, list-users - app.py: register auth_bp blueprint; add enforce_auth before_request hook (401 for unauthenticated, 403 for wrong role; only active when auth store has users so pre-auth tests remain green); instantiate AuthManager; update POST /api/peers to require password >= 10 chars and auto-provision email + calendar + files + auth accounts with full rollback on any failure; extend DELETE /api/peers to tear down all four service accounts; add /api/peer/dashboard and /api/peer/services peer-scoped routes; fix is_local_request to also trust the last X-Forwarded-For entry appended by the reverse proxy (Caddy) - Role-based access: admin for /api/* (except /api/auth/* which is public and /api/peer/* which is peer-only) - setup_cell.py: generate and print initial admin password, store in .admin_initial_password with 0600 permissions; cleaned up on first admin login Frontend: - AuthContext.jsx: React context with login/logout/me state and Axios interceptor for automatic 401 redirect - PrivateRoute.jsx: route guard component - Login.jsx: login page with error handling and must-change-password redirect - AccountSettings.jsx: change-password form for any authenticated user - PeerDashboard.jsx: peer-role landing page (IP, service list) - MyServices.jsx: peer service links page - App.jsx, Sidebar.jsx: AuthContext integration, logout button, PrivateRoute wrappers, peer-role routing - Peers.jsx, WireGuard.jsx, api.js: auth-aware API calls Tests: 100 new auth tests all pass (test_auth_manager, test_auth_routes, test_route_protection, test_peer_provisioning). Fix pre-existing test failures: update WireGuard test keys to valid 44-char base64 format (test_wireguard_manager, test_peer_wg_integration), add password field and service manager mocks to test_api_endpoints peer tests, add auth helpers to conftest.py. Full suite: 845 passed, 0 failures. Fixed: .admin_initial_password security cleanup on bootstrap, username minimum length (3 chars enforced by USERNAME_RE regex) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
import { useState, useEffect } from 'react';
|
||||
import { Plus, Trash2, Edit, Eye, Shield, Copy, Download, Key, AlertTriangle, CheckCircle, Globe, Lock, Users, Server } from 'lucide-react';
|
||||
import { peerAPI, wireguardAPI } from '../services/api';
|
||||
import { peerRegistryAPI, wireguardAPI } from '../services/api';
|
||||
import { useConfig } from '../contexts/ConfigContext';
|
||||
import QRCode from 'qrcode';
|
||||
|
||||
@@ -15,8 +15,16 @@ const emptyForm = () => ({
|
||||
service_access: ['calendar', 'files', 'mail', 'webdav'],
|
||||
peer_access: true,
|
||||
create_calendar: false,
|
||||
password: '',
|
||||
});
|
||||
|
||||
const generatePassword = () => {
|
||||
const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%';
|
||||
const arr = new Uint8Array(14);
|
||||
crypto.getRandomValues(arr);
|
||||
return Array.from(arr).map(b => chars[b % chars.length]).join('');
|
||||
};
|
||||
|
||||
function AccessBadge({ icon: Icon, label, active }) {
|
||||
return (
|
||||
<span className={`inline-flex items-center px-1.5 py-0.5 rounded text-xs font-medium mr-1 ${
|
||||
@@ -59,6 +67,7 @@ function Peers() {
|
||||
const [showAddModal, setShowAddModal] = useState(false);
|
||||
const [showEditModal, setShowEditModal] = useState(false);
|
||||
const [showViewModal, setShowViewModal] = useState(false);
|
||||
const [showPasswordModal, setShowPasswordModal] = useState(null);
|
||||
const [selectedPeer, setSelectedPeer] = useState(null);
|
||||
const [formData, setFormData] = useState(emptyForm());
|
||||
const [showAdvanced, setShowAdvanced] = useState(false);
|
||||
@@ -79,7 +88,7 @@ function Peers() {
|
||||
const fetchPeers = async () => {
|
||||
try {
|
||||
const [regResp, statusResp, scResp] = await Promise.all([
|
||||
peerAPI.getPeers(),
|
||||
peerRegistryAPI.getPeers(),
|
||||
wireguardAPI.getPeerStatuses().catch(() => ({ data: {} })),
|
||||
fetch('/api/wireguard/server-config').then(r => r.ok ? r.json() : null).catch(() => null),
|
||||
]);
|
||||
@@ -156,6 +165,7 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
const handleAddPeer = async (e) => {
|
||||
e.preventDefault();
|
||||
const errs = validate(formData);
|
||||
if (!formData.password || formData.password.length < 10) errs.password = 'Password must be at least 10 characters';
|
||||
if (Object.keys(errs).length) { setErrors(errs); return; }
|
||||
setIsSubmitting(true);
|
||||
try {
|
||||
@@ -179,11 +189,10 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
internet_access: formData.internet_access,
|
||||
service_access: formData.service_access,
|
||||
peer_access: formData.peer_access,
|
||||
password: formData.password,
|
||||
};
|
||||
const addResult = await peerAPI.addPeer(peerData);
|
||||
const addResult = await peerRegistryAPI.addPeer(peerData);
|
||||
const assignedIp = addResult.data?.ip;
|
||||
// Server-side AllowedIPs = peer's VPN IP only (/32).
|
||||
// Full/split tunnel is a CLIENT-side setting (AllowedIPs in the client config).
|
||||
await wireguardAPI.addPeer({
|
||||
name: formData.name,
|
||||
public_key: publicKey,
|
||||
@@ -197,11 +206,14 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
} catch {}
|
||||
}
|
||||
|
||||
const provisioned = addResult.data?.provisioned;
|
||||
const createdName = formData.name;
|
||||
const createdPassword = formData.password;
|
||||
setShowAddModal(false);
|
||||
setFormData(emptyForm());
|
||||
setErrors({});
|
||||
fetchPeers();
|
||||
showToast(`Peer "${formData.name}" created. Open it to download the tunnel config.`);
|
||||
setShowPasswordModal({ name: createdName, password: createdPassword, provisioned });
|
||||
} catch (err) {
|
||||
showToast(err?.response?.data?.error || 'Failed to add peer', 'error');
|
||||
} finally { setIsSubmitting(false); }
|
||||
@@ -251,7 +263,7 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
const handleRemovePeer = async (peerName) => {
|
||||
if (!window.confirm(`Remove peer "${peerName}"?`)) return;
|
||||
try {
|
||||
await Promise.all([peerAPI.removePeer(peerName), wireguardAPI.removePeer({ name: peerName })]);
|
||||
await Promise.all([peerRegistryAPI.removePeer(peerName), wireguardAPI.removePeer({ name: peerName })]);
|
||||
fetchPeers();
|
||||
showToast(`Peer "${peerName}" removed.`);
|
||||
} catch { showToast('Failed to remove peer', 'error'); }
|
||||
@@ -525,6 +537,25 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
{/* Account Creation */}
|
||||
<div className="pt-3 border-t border-gray-200">
|
||||
<div className="text-sm font-semibold text-gray-700 mb-2">Account Setup</div>
|
||||
<div className="mb-3">
|
||||
<label className="block text-sm font-medium text-gray-700 mb-1">Dashboard Password *</label>
|
||||
<div className="flex gap-2">
|
||||
<input
|
||||
type="password"
|
||||
value={formData.password}
|
||||
onChange={e => { setFormData(f => ({ ...f, password: e.target.value })); setErrors(e2 => ({ ...e2, password: undefined })); }}
|
||||
className={`input flex-1 ${errors.password ? 'border-red-500' : ''}`}
|
||||
placeholder="Min 10 characters"
|
||||
autoComplete="new-password"
|
||||
/>
|
||||
<button type="button"
|
||||
onClick={() => setFormData(f => ({ ...f, password: generatePassword() }))}
|
||||
className="btn btn-secondary text-xs whitespace-nowrap">
|
||||
Generate
|
||||
</button>
|
||||
</div>
|
||||
{errors.password && <p className="text-xs text-red-600 mt-1">{errors.password}</p>}
|
||||
</div>
|
||||
<label className="flex items-center gap-2 cursor-pointer">
|
||||
<input type="checkbox" checked={formData.create_calendar}
|
||||
onChange={e => setFormData(f => ({ ...f, create_calendar: e.target.checked }))} className="rounded" />
|
||||
@@ -727,6 +758,43 @@ PersistentKeepalive = ${peer.persistent_keepalive || 25}`;
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
{/* One-time password modal */}
|
||||
{showPasswordModal && (
|
||||
<div className="fixed inset-0 bg-gray-600 bg-opacity-50 overflow-y-auto h-full w-full z-50 flex items-center justify-center">
|
||||
<div className="bg-white rounded-lg shadow-xl p-6 w-full max-w-md mx-4">
|
||||
<div className="flex items-center gap-2 mb-4">
|
||||
<CheckCircle className="h-6 w-6 text-green-500 flex-shrink-0" />
|
||||
<h3 className="text-lg font-medium text-gray-900">Peer Created — Save This Password</h3>
|
||||
</div>
|
||||
<p className="text-sm text-gray-600 mb-3">
|
||||
This is the only time you will see this password. Copy it and share it with <strong>{showPasswordModal.name}</strong>.
|
||||
</p>
|
||||
<div className="bg-gray-50 border border-gray-200 rounded-md p-3 mb-3">
|
||||
<div className="flex items-center justify-between gap-2">
|
||||
<code className="text-sm font-mono text-gray-900 break-all">{showPasswordModal.password}</code>
|
||||
<button
|
||||
onClick={() => copyToClipboard(showPasswordModal.password)}
|
||||
className="flex-shrink-0 p-1.5 text-gray-500 hover:text-gray-700 rounded"
|
||||
title="Copy password"
|
||||
>
|
||||
<Copy className="h-4 w-4" />
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
{showPasswordModal.provisioned && (
|
||||
<p className="text-xs text-gray-500 mb-4">
|
||||
Accounts created: {Object.entries(showPasswordModal.provisioned).filter(([, v]) => v).map(([k]) => k).join(', ') || 'none'}
|
||||
</p>
|
||||
)}
|
||||
<div className="flex justify-end">
|
||||
<button onClick={() => setShowPasswordModal(null)} className="btn btn-primary">
|
||||
Done
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user