wn/traefik-forward-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Modify whitelist implementation + expand docs

Browse Source 
Closes #4
This commit is contained in:
Thom Seddon 2018-11-06 14:01:06 +00:00
parent eaad0a9054
commit 1832672f5e
2 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -33,7 +33,7 @@ The following configuration is supported:
|-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")| |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
|-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development) |-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development)
|-domain|string|Comma separated list of email domains to allow| |-domain|string|Comma separated list of email domains to allow|
|-whitelist|string|Comma separated list of email addresses to allow (Omit -domain)| |-whitelist|string|Comma separated list of email addresses to allow|
|-lifetime|int|Session length in seconds (default 43200)| |-lifetime|int|Session length in seconds (default 43200)|
|-url-path|string|Callback URL (default "_oauth")| |-url-path|string|Callback URL (default "_oauth")|
|-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)| |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
@ -50,6 +50,15 @@ Create a new project then search for and select "Credentials" in the search bar.
Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth) Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
## User Restriction
You can restrict who can login with the following parameters:
* `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
* `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
## Cookie Domains ## Cookie Domains
You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain. You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.

24
forwardauth.go
View File

@ -88,7 +88,13 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str
// Validate email // Validate email
func (f *ForwardAuth) ValidateEmail(email string) bool { func (f *ForwardAuth) ValidateEmail(email string) bool {
found := false found := false
if len(f.Domain) > 0 { if len(f.Whitelist) > 0 {
for _, whitelist := range f.Whitelist {
if email == whitelist {
found = true
}
}
} else if len(f.Domain) > 0 {
parts := strings.Split(email, "@") parts := strings.Split(email, "@")
if len(parts) < 2 { if len(parts) < 2 {
return false return false
@ -98,21 +104,11 @@ func (f *ForwardAuth) ValidateEmail(email string) bool {
found = true found = true
} }
} }
if !found { } else {
return false return true
}
} else if len(f.Whitelist) > 0 {
for _, wlEmail := range f.Whitelist {
if wlEmail == email {
found = true
}
}
if !found {
return false
}
} }
return true return found
} }