Compare commits
15 Commits
35f152632e
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 47b971f5e3 | |||
| 83d45e161f | |||
| 796d236d79 | |||
| 63e2336c3b | |||
| 39c87726a2 | |||
| 7dbb374360 | |||
| 403e3310af | |||
| 8deac0dbec | |||
| 3e078d5344 | |||
| f0bcaf45d0 | |||
| 7992c211b5 | |||
| 272321b19f | |||
| f5445ece43 | |||
| 6f3c61270a | |||
| 561ceb6ed7 |
110
public/auth.php
110
public/auth.php
@@ -1,25 +1,105 @@
|
|||||||
<?php
|
<?php
|
||||||
session_start();
|
session_start();
|
||||||
|
|
||||||
// 1. Authentifizierungsstatus prüfen (Hier erfolgt später die Authelia-OIDC-Integration)
|
// --- Hilfsfunktion für Fehlerseiten ---
|
||||||
// Für den initialen Test wird ein manueller Toggle simuliert
|
function serve_error_page($http_code, $filename) {
|
||||||
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
|
http_response_code($http_code);
|
||||||
|
$filepath = realpath(__DIR__ . '/' . $filename);
|
||||||
|
|
||||||
// Zum Testen erzwingen wir den Login-Fehler, wenn die Session nicht gesetzt ist:
|
if ($filepath && file_exists($filepath)) {
|
||||||
if (!$is_logged_in) {
|
header('Content-Type: text/html');
|
||||||
header("HTTP/1.1 401 Unauthorized");
|
readfile($filepath);
|
||||||
die("Zugriff verweigert. Die Authelia-Integration folgt hier.");
|
} else {
|
||||||
// Später: header('Location: /login.php'); exit;
|
// Fallback, falls die HTML-Datei serverseitig gelöscht wurde
|
||||||
|
echo "<h1>Fehler $http_code</h1>";
|
||||||
|
}
|
||||||
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// 2. Angeforderten Dateipfad ermitteln
|
// --- OIDC Konfiguration ---
|
||||||
$route = $_GET['route'] ?? '';
|
$client_id = 'iten-pro';
|
||||||
$route = trim($route, '/');
|
$client_secret = '1qd6v3kCwpkdRu48pgyYF7axT9dywipqEvwHqWM9OiB53bQC'; // Hier im Klartext eintragen
|
||||||
|
$authelia_url = 'https://auth.iten.pro';
|
||||||
|
$redirect_uri = 'https://iten.pro/auth.php'; // Muss exakt mit Authelia config übereinstimmen
|
||||||
|
|
||||||
|
// 1. OIDC Callback verarbeiten (Rückkehr von Authelia)
|
||||||
|
if (isset($_GET['code']) && isset($_GET['state'])) {
|
||||||
|
if ($_GET['state'] !== $_SESSION['oauth_state']) {
|
||||||
|
die('Sicherheitsfehler: State Mismatch.');
|
||||||
|
}
|
||||||
|
|
||||||
|
// Autorisierungscode gegen Token tauschen
|
||||||
|
$ch = curl_init($authelia_url . '/api/oidc/token');
|
||||||
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||||
|
curl_setopt($ch, CURLOPT_POST, true);
|
||||||
|
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
|
||||||
|
'grant_type' => 'authorization_code',
|
||||||
|
'client_id' => $client_id,
|
||||||
|
'client_secret' => $client_secret,
|
||||||
|
'redirect_uri' => $redirect_uri,
|
||||||
|
'code' => $_GET['code']
|
||||||
|
]));
|
||||||
|
|
||||||
|
$response = curl_exec($ch);
|
||||||
|
|
||||||
|
if ($response === false) {
|
||||||
|
$error_msg = curl_error($ch);
|
||||||
|
curl_close($ch);
|
||||||
|
die('Kritischer cURL-Netzwerkfehler: ' . $error_msg);
|
||||||
|
}
|
||||||
|
|
||||||
|
curl_close($ch);
|
||||||
|
$data = json_decode($response, true);
|
||||||
|
|
||||||
|
if (isset($data['access_token'])) {
|
||||||
|
// Erfolgreich eingeloggt
|
||||||
|
$_SESSION['authenticated'] = true;
|
||||||
|
|
||||||
|
// Zurück zur ursprünglich angeforderten Route umleiten
|
||||||
|
$target = $_SESSION['auth_target_route'] ?? '/';
|
||||||
|
header('Location: /' . ltrim($target, '/'));
|
||||||
|
exit;
|
||||||
|
} else {
|
||||||
|
die('Fehler bei der Token-Generierung: ' . htmlspecialchars($response));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. Authentifizierungsstatus prüfen
|
||||||
|
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
|
||||||
|
|
||||||
|
if (!$is_logged_in) {
|
||||||
|
// Ursprüngliches Ziel speichern, um nach dem Login dorthin zurückzukehren
|
||||||
|
$_SESSION['auth_target_route'] = $_GET['route'] ?? '';
|
||||||
|
|
||||||
|
// CSRF-Schutz generieren
|
||||||
|
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
|
||||||
|
|
||||||
|
// Umleitung zur Authelia-Loginseite
|
||||||
|
$auth_url = $authelia_url . '/api/oidc/authorization?' . http_build_query([
|
||||||
|
'client_id' => $client_id,
|
||||||
|
'response_type' => 'code',
|
||||||
|
'redirect_uri' => $redirect_uri,
|
||||||
|
'state' => $_SESSION['oauth_state'],
|
||||||
|
'scope' => 'openid profile email'
|
||||||
|
]);
|
||||||
|
|
||||||
|
header('Location: ' . $auth_url);
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
// 3. Auslieferung der statischen Astro-Datei
|
||||||
|
$route = $_GET['route'] ?? '';
|
||||||
|
|
||||||
|
// Wenn auth.php direkt aufgerufen wurde (z.B. nach Login-Callback ohne Ziel)
|
||||||
|
if ($route === '') {
|
||||||
|
header('Location: /');
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$route = trim($route, '/');
|
||||||
$base_dir = realpath(__DIR__);
|
$base_dir = realpath(__DIR__);
|
||||||
$target_file = $base_dir . '/' . $route;
|
$target_file = $base_dir . '/' . $route;
|
||||||
|
|
||||||
// Astro generiert Seiten standardmäßig als Verzeichnis mit einer index.html
|
|
||||||
if (is_dir($target_file)) {
|
if (is_dir($target_file)) {
|
||||||
$target_file = rtrim($target_file, '/') . '/index.html';
|
$target_file = rtrim($target_file, '/') . '/index.html';
|
||||||
} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
|
} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
|
||||||
@@ -28,16 +108,14 @@ if (is_dir($target_file)) {
|
|||||||
$target_file .= '.html';
|
$target_file .= '.html';
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3. Sicherheitsprüfung (Path Traversal verhindern) und Datei ausliefern
|
|
||||||
$real_target = realpath($target_file);
|
$real_target = realpath($target_file);
|
||||||
|
|
||||||
|
// Path Traversal verhindern
|
||||||
if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
|
if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
|
||||||
header('Content-Type: text/html');
|
header('Content-Type: text/html');
|
||||||
readfile($real_target);
|
readfile($real_target);
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fallback
|
serve_error_page(404, '404.html');
|
||||||
header("HTTP/1.0 404 Not Found");
|
|
||||||
echo "404 - Geschützte Datei nicht gefunden";
|
|
||||||
exit;
|
exit;
|
||||||
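Review bot: The OIDC client secret is committed as a plaintext literal in `$client_secret` (the trailing comment even invites that); it has to be treated as compromised and rotated in Authelia, and the script should read it from the environment or a config file outside the web root, e.g. `$client_secret = getenv('OIDC_CLIENT_SECRET') ?: throw new RuntimeException('OIDC_CLIENT_SECRET not set');`. This matters doubly here because the delivery branch in the second hunk (`if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0)`) will `readfile()` any existing path below `$base_dir` — as far as the visible checks go that includes this script's own source, so the secret is readable by any authenticated user — and limiting delivery to `.html` targets (`str_ends_with($real_target, '.html')`) plus comparing the prefix against `$base_dir . '/'` (so a sibling directory sharing the prefix is not accepted) would close that. The callback then marks the session authenticated on nothing more than `isset($data['access_token'])`: the HTTP status of the token response is never checked, no `nonce` is sent in the authorization request, and the `id_token` is never validated (signature, `iss`, `aud`, `exp`), so there is no verified identity behind `$_SESSION['authenticated'] = true`; at minimum store the validated subject and call `session_regenerate_id(true)` at that point so the pre-login session id is not carried into the authenticated session. The state check should also be single-use and constant-time: `if (!isset($_SESSION['oauth_state']) || !hash_equals($_SESSION['oauth_state'], (string) $_GET['state'])) { die('Sicherheitsfehler: State Mismatch.'); }` followed by `unset($_SESSION['oauth_state']);`. Note that `serve_error_page()` is defined at the top of the first hunk while the 404 fallback that calls it is the last statement in the second, so the top-level flow under review spans both hunks.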
@@ -11,9 +11,9 @@ interface props {
|
|||||||
const { title = "404" } = Astro.props;
|
const { title = "404" } = Astro.props;
|
||||||
---
|
---
|
||||||
|
|
||||||
<div class="grid place-items-center min-h-[60vh] w-full error-component">
|
<div class="flex flex-col items-center justify-center min-h-[60vh] w-full py-12 error-component">
|
||||||
<div
|
<div
|
||||||
class="w-full sm:max-w-lg bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-b-2 sm:border-2 border-red-500 text-center"
|
class="w-full sm:max-w-lg -mx-4 sm:mx-0 bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-y-2 sm:border-2 border-red-500 text-center"
|
||||||
>
|
>
|
||||||
<h1
|
<h1
|
||||||
class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3"
|
class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3"
|
||||||
@@ -35,7 +35,7 @@ const { title = "404" } = Astro.props;
|
|||||||
<slot />
|
<slot />
|
||||||
<a
|
<a
|
||||||
href={getPath("/")}
|
href={getPath("/")}
|
||||||
class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors transition-[1s] mt-2"
|
class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors duration-300 mt-2"
|
||||||
>
|
>
|
||||||
<Icon name="tabler:arrow-big-left" class="size-5" />
|
<Icon name="tabler:arrow-big-left" class="size-5" />
|
||||||
Zurück zur Startseite
|
Zurück zur Startseite
|
||||||
|
|||||||