Compare commits
14 Commits
272321b19f
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 47b971f5e3 | |||
| 83d45e161f | |||
| 796d236d79 | |||
| 63e2336c3b | |||
| 39c87726a2 | |||
| 7dbb374360 | |||
| 403e3310af | |||
| 8deac0dbec | |||
| 3e078d5344 | |||
| 35f152632e | |||
| f0bcaf45d0 | |||
| e46cd9a6b1 | |||
| 7992c211b5 | |||
| b399e31349 |
@@ -0,0 +1,10 @@
|
||||
ErrorDocument 403 /403.html
|
||||
ErrorDocument 404 /404.html
|
||||
ErrorDocument 500 /500.html
|
||||
|
||||
RewriteEngine On
|
||||
|
||||
# Prüfen, ob die aufgerufene URL mit /index-test beginnt
|
||||
RewriteCond %{REQUEST_URI} ^/index-test(/.*)?$
|
||||
# Umleitung auf das PHP-Skript, Übergabe des originalen Pfads als Parameter
|
||||
RewriteRule ^(.*)$ /auth.php?route=$1 [QSA,L]
|
||||
121
public/auth.php
Normal file
121
public/auth.php
Normal file
@@ -0,0 +1,121 @@
|
||||
<?php
|
||||
session_start();
|
||||
|
||||
// --- Hilfsfunktion für Fehlerseiten ---
|
||||
function serve_error_page($http_code, $filename) {
|
||||
http_response_code($http_code);
|
||||
$filepath = realpath(__DIR__ . '/' . $filename);
|
||||
|
||||
if ($filepath && file_exists($filepath)) {
|
||||
header('Content-Type: text/html');
|
||||
readfile($filepath);
|
||||
} else {
|
||||
// Fallback, falls die HTML-Datei serverseitig gelöscht wurde
|
||||
echo "<h1>Fehler $http_code</h1>";
|
||||
}
|
||||
exit;
|
||||
}
|
||||
|
||||
// --- OIDC Konfiguration ---
|
||||
$client_id = 'iten-pro';
|
||||
$client_secret = '1qd6v3kCwpkdRu48pgyYF7axT9dywipqEvwHqWM9OiB53bQC'; // Hier im Klartext eintragen
|
||||
$authelia_url = 'https://auth.iten.pro';
|
||||
$redirect_uri = 'https://iten.pro/auth.php'; // Muss exakt mit Authelia config übereinstimmen
|
||||
|
||||
// 1. OIDC Callback verarbeiten (Rückkehr von Authelia)
|
||||
if (isset($_GET['code']) && isset($_GET['state'])) {
|
||||
if ($_GET['state'] !== $_SESSION['oauth_state']) {
|
||||
die('Sicherheitsfehler: State Mismatch.');
|
||||
}
|
||||
|
||||
// Autorisierungscode gegen Token tauschen
|
||||
$ch = curl_init($authelia_url . '/api/oidc/token');
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($ch, CURLOPT_POST, true);
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
|
||||
'grant_type' => 'authorization_code',
|
||||
'client_id' => $client_id,
|
||||
'client_secret' => $client_secret,
|
||||
'redirect_uri' => $redirect_uri,
|
||||
'code' => $_GET['code']
|
||||
]));
|
||||
|
||||
$response = curl_exec($ch);
|
||||
|
||||
if ($response === false) {
|
||||
$error_msg = curl_error($ch);
|
||||
curl_close($ch);
|
||||
die('Kritischer cURL-Netzwerkfehler: ' . $error_msg);
|
||||
}
|
||||
|
||||
curl_close($ch);
|
||||
$data = json_decode($response, true);
|
||||
|
||||
if (isset($data['access_token'])) {
|
||||
// Erfolgreich eingeloggt
|
||||
$_SESSION['authenticated'] = true;
|
||||
|
||||
// Zurück zur ursprünglich angeforderten Route umleiten
|
||||
$target = $_SESSION['auth_target_route'] ?? '/';
|
||||
header('Location: /' . ltrim($target, '/'));
|
||||
exit;
|
||||
} else {
|
||||
die('Fehler bei der Token-Generierung: ' . htmlspecialchars($response));
|
||||
}
|
||||
}
|
||||
|
||||
// 2. Authentifizierungsstatus prüfen
|
||||
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
|
||||
|
||||
if (!$is_logged_in) {
|
||||
// Ursprüngliches Ziel speichern, um nach dem Login dorthin zurückzukehren
|
||||
$_SESSION['auth_target_route'] = $_GET['route'] ?? '';
|
||||
|
||||
// CSRF-Schutz generieren
|
||||
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
|
||||
|
||||
// Umleitung zur Authelia-Loginseite
|
||||
$auth_url = $authelia_url . '/api/oidc/authorization?' . http_build_query([
|
||||
'client_id' => $client_id,
|
||||
'response_type' => 'code',
|
||||
'redirect_uri' => $redirect_uri,
|
||||
'state' => $_SESSION['oauth_state'],
|
||||
'scope' => 'openid profile email'
|
||||
]);
|
||||
|
||||
header('Location: ' . $auth_url);
|
||||
exit;
|
||||
}
|
||||
|
||||
// 3. Auslieferung der statischen Astro-Datei
|
||||
$route = $_GET['route'] ?? '';
|
||||
|
||||
// Wenn auth.php direkt aufgerufen wurde (z.B. nach Login-Callback ohne Ziel)
|
||||
if ($route === '') {
|
||||
header('Location: /');
|
||||
exit;
|
||||
}
|
||||
|
||||
$route = trim($route, '/');
|
||||
$base_dir = realpath(__DIR__);
|
||||
$target_file = $base_dir . '/' . $route;
|
||||
|
||||
if (is_dir($target_file)) {
|
||||
$target_file = rtrim($target_file, '/') . '/index.html';
|
||||
} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
|
||||
$target_file .= '/index.html';
|
||||
} elseif (!str_ends_with($target_file, '.html')) {
|
||||
$target_file .= '.html';
|
||||
}
|
||||
|
||||
$real_target = realpath($target_file);
|
||||
|
||||
// Path Traversal verhindern
|
||||
if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
|
||||
header('Content-Type: text/html');
|
||||
readfile($real_target);
|
||||
exit;
|
||||
}
|
||||
|
||||
serve_error_page(404, '404.html');
|
||||
exit;
|
||||
@@ -11,21 +11,31 @@ interface props {
|
||||
const { title = "404" } = Astro.props;
|
||||
---
|
||||
|
||||
<div class="grid place-items-center min-h-[60vh] w-full error-component">
|
||||
<div class="flex flex-col items-center justify-center min-h-[60vh] w-full py-12 error-component">
|
||||
<div
|
||||
class="w-full sm:max-w-lg bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-b-2 sm:border-2 border-red-500 text-center"
|
||||
class="w-full sm:max-w-lg -mx-4 sm:mx-0 bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-y-2 sm:border-2 border-red-500 text-center"
|
||||
>
|
||||
<h1
|
||||
class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3"
|
||||
>
|
||||
<Icon name="tabler:alert-triangle" class="size-9" />
|
||||
<span class="relative grid h-9 w-9">
|
||||
<Icon
|
||||
name="tabler:triangle-filled"
|
||||
class="col-start-1 row-start-1 size-9 animate-ping opacity-75 translate-x-[-0.25px] translate-y-[-1.5px] blur-[1px]"
|
||||
/>
|
||||
<Icon
|
||||
name="tabler:alert-triangle"
|
||||
class="col-start-1 row-start-1 size-9 relative"
|
||||
/>
|
||||
</span>
|
||||
Fehler {title}
|
||||
</h1>
|
||||
|
||||
<p class="mb-4 text-red-500 py-2 px-4 text-lg">
|
||||
<slot />
|
||||
<a
|
||||
href={getPath("/")}
|
||||
class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors transition-[1s] mt-2"
|
||||
class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors duration-300 mt-2"
|
||||
>
|
||||
<Icon name="tabler:arrow-big-left" class="size-5" />
|
||||
Zurück zur Startseite
|
||||
@@ -38,4 +48,8 @@ const { title = "404" } = Astro.props;
|
||||
.error-component :global(br) {
|
||||
@apply mb-3;
|
||||
}
|
||||
</style>
|
||||
|
||||
.error-component .animate-ping {
|
||||
animation-duration: 2s;
|
||||
}
|
||||
</style>
|
||||
Reference in New Issue
Block a user