administrator/frigate
1
0
Fork 0
mirror of https://github.com/blakeblackshear/frigate.git synced 2026-02-11 13:45:25 +03:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

return location for redirect

Browse Source
This commit is contained in:
Blake Blackshear 2024-05-07 14:49:30 -05:00
parent 46cbe98a1f
commit 952df23ea6
4 changed files with 32 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docker/main/rootfs/usr/local/nginx/conf/auth_location.conf
View File

@ -7,12 +7,19 @@ location /auth {
proxy_pass $upstream_auth; proxy_pass $upstream_auth;
## Headers ## Headers
## The headers starting with X-* are required.
# First strip out all the request headers
# Note: This is important to ensure that upgrade requests for secure
# websockets dont cause the backend to fail
proxy_pass_request_headers off;
# Pass info about the request
proxy_set_header X-Original-Method $request_method; proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Connection ""; # Pass along auth related info
proxy_set_header Authorization $http_authorization;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-CSRF-TOKEN "1"; proxy_set_header X-CSRF-TOKEN "1";
## Basic Proxy Configuration ## Basic Proxy Configuration

4
docker/main/rootfs/usr/local/nginx/conf/auth_request.conf
View File

@ -17,6 +17,6 @@ proxy_set_header Remote-Name $name;
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
## Redirect to the redirection url in the location header ## Pass the location header back up if it exists
auth_request_set $redirection_url $upstream_http_location; auth_request_set $redirection_url $upstream_http_location;
error_page 401 =302 $redirection_url; add_header Location $redirection_url;

3
docker/main/rootfs/usr/local/nginx/conf/nginx.conf
View File

@ -268,7 +268,8 @@ http {
} }
location /api/version { location /api/version {
include auth_request.conf; # dont auth the healthcheck endpoint
auth_request off;
access_log off; access_log off;
rewrite ^/api(/.*)$ $1 break; rewrite ^/api(/.*)$ $1 break;
proxy_pass http://frigate_api; proxy_pass http://frigate_api;

31
frigate/api/auth.py
View File

@ -115,13 +115,20 @@ def create_encoded_jwt(user, expiration, secret):
def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration): def set_jwt_cookie(response, cookie_name, encoded_jwt, expiration):
# TODO: ideally this would set secure as well, but that requires TLS # TODO: ideally this would set secure as well, but that requires TLS
response.set_cookie(cookie_name, encoded_jwt, httponly=True, expires=expiration) response.set_cookie(
cookie_name, encoded_jwt, httponly=True, expires=expiration, secure=False
)
@AuthBp.route("/auth") @AuthBp.route("/auth")
def auth(): def auth():
success_response = make_response({}, 202)
fail_response = make_response({}, 401)
fail_response.headers["location"] = "/login"
if not current_app.frigate_config.auth.enabled: if not current_app.frigate_config.auth.enabled:
return make_response({}, 202) return success_response
JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name JWT_COOKIE_NAME = current_app.frigate_config.auth.cookie_name
JWT_REFRESH = current_app.frigate_config.auth.refresh_time JWT_REFRESH = current_app.frigate_config.auth.refresh_time
@ -142,18 +149,16 @@ def auth():
if encoded_token is None: if encoded_token is None:
logger.debug("No jwt token found") logger.debug("No jwt token found")
return make_response({}, 401) return fail_response
try: try:
response = make_response({}, 202)
token = jwt.decode(encoded_token, current_app.jwt_token) token = jwt.decode(encoded_token, current_app.jwt_token)
if "sub" not in token.claims: if "sub" not in token.claims:
logger.debug("user not set in jwt token") logger.debug("user not set in jwt token")
return make_response({}, 401) return fail_response
if "exp" not in token.claims: if "exp" not in token.claims:
logger.debug("exp not set in jwt token") logger.debug("exp not set in jwt token")
return make_response({}, 401) return fail_response
user = token.claims.get("sub") user = token.claims.get("sub")
current_time = int(time.time()) current_time = int(time.time())
@ -171,7 +176,7 @@ def auth():
) )
if expiration <= current_time: if expiration <= current_time:
logger.debug("jwt token expired") logger.debug("jwt token expired")
return make_response({}, 401) return fail_response
# if the jwt cookie is expiring soon # if the jwt cookie is expiring soon
elif jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time: elif jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
@ -180,13 +185,15 @@ def auth():
new_encoded_jwt = create_encoded_jwt( new_encoded_jwt = create_encoded_jwt(
user, new_expiration, current_app.jwt_token user, new_expiration, current_app.jwt_token
) )
set_jwt_cookie(response, JWT_COOKIE_NAME, new_encoded_jwt, new_expiration) set_jwt_cookie(
success_response, JWT_COOKIE_NAME, new_encoded_jwt, new_expiration
)
response.headers["remote-user"] = user success_response.headers["remote-user"] = user
return response return success_response
except Exception as e: except Exception as e:
logger.error(f"Error parsing jwt: {e}") logger.error(f"Error parsing jwt: {e}")
return make_response({}, 401) return fail_response
@AuthBp.route("/login", methods=["POST"]) @AuthBp.route("/login", methods=["POST"])