edi/iten.pro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: edi:3e078d5344ed5192b8bf6bad08f4cee92a04cc61
Branches Tags
edi:main edi:dev
..
compare: edi:dev
Branches Tags
edi:main edi:dev

7 Commits
3e078d5344 ... dev

Author SHA1 Message Date
Eduard Iten
83d45e161f Fixe IP aus auth.php entfernt
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
2026-04-01 17:48:17 +02:00
Eduard Iten
796d236d79 Authelia funktionert, errorpage angepasst
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
2026-04-01 17:44:43 +02:00
Eduard Iten
63e2336c3b Authelia funktionert, errorpage angepasst
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 12s
Details
2026-04-01 17:30:42 +02:00
Eduard Iten
39c87726a2 Authelia test
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
2026-04-01 17:29:48 +02:00
Eduard Iten
7dbb374360 Authelia test
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
2026-04-01 17:23:24 +02:00
Eduard Iten
403e3310af Authelia test
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 14s
Details
2026-04-01 17:08:32 +02:00
Eduard Iten
8deac0dbec Authelia test
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
2026-04-01 17:04:47 +02:00
2 changed files with 99 additions and 21 deletions
Expand all files Collapse all files

110
public/auth.php
View File

@@ -1,25 +1,105 @@
<?php <?php
session_start(); session_start();
// 1. Authentifizierungsstatus prüfen (Hier erfolgt später die Authelia-OIDC-Integration) // --- Hilfsfunktion für Fehlerseiten ---
// Für den initialen Test wird ein manueller Toggle simuliert function serve_error_page($http_code, $filename) {
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true; http_response_code($http_code);
$filepath = realpath(__DIR__ . '/' . $filename);
// Zum Testen erzwingen wir den Login-Fehler, wenn die Session nicht gesetzt ist: if ($filepath && file_exists($filepath)) {
if (!$is_logged_in) { header('Content-Type: text/html');
header("HTTP/1.1 401 Unauthorized"); readfile($filepath);
die("Zugriff verweigert. Die Authelia-Integration folgt hier."); } else {
// Später: header('Location: /login.php'); exit; // Fallback, falls die HTML-Datei serverseitig gelöscht wurde
echo "<h1>Fehler $http_code</h1>";
}
exit;
} }
// 2. Angeforderten Dateipfad ermitteln // --- OIDC Konfiguration ---
$route = $_GET['route'] ?? ''; $client_id = 'iten-pro';
$route = trim($route, '/'); $client_secret = '1qd6v3kCwpkdRu48pgyYF7axT9dywipqEvwHqWM9OiB53bQC'; // Hier im Klartext eintragen
$authelia_url = 'https://auth.iten.pro';
$redirect_uri = 'https://iten.pro/auth.php'; // Muss exakt mit Authelia config übereinstimmen
// 1. OIDC Callback verarbeiten (Rückkehr von Authelia)
if (isset($_GET['code']) && isset($_GET['state'])) {
if ($_GET['state'] !== $_SESSION['oauth_state']) {
die('Sicherheitsfehler: State Mismatch.');
}
// Autorisierungscode gegen Token tauschen
$ch = curl_init($authelia_url . '/api/oidc/token');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'grant_type' => 'authorization_code',
'client_id' => $client_id,
'client_secret' => $client_secret,
'redirect_uri' => $redirect_uri,
'code' => $_GET['code']
]));
$response = curl_exec($ch);
if ($response === false) {
$error_msg = curl_error($ch);
curl_close($ch);
die('Kritischer cURL-Netzwerkfehler: ' . $error_msg);
}
curl_close($ch);
$data = json_decode($response, true);
if (isset($data['access_token'])) {
// Erfolgreich eingeloggt
$_SESSION['authenticated'] = true;
// Zurück zur ursprünglich angeforderten Route umleiten
$target = $_SESSION['auth_target_route'] ?? '/';
header('Location: /' . ltrim($target, '/'));
exit;
} else {
die('Fehler bei der Token-Generierung: ' . htmlspecialchars($response));
}
}
// 2. Authentifizierungsstatus prüfen
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
if (!$is_logged_in) {
// Ursprüngliches Ziel speichern, um nach dem Login dorthin zurückzukehren
$_SESSION['auth_target_route'] = $_GET['route'] ?? '';
// CSRF-Schutz generieren
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
// Umleitung zur Authelia-Loginseite
$auth_url = $authelia_url . '/api/oidc/authorization?' . http_build_query([
'client_id' => $client_id,
'response_type' => 'code',
'redirect_uri' => $redirect_uri,
'state' => $_SESSION['oauth_state'],
'scope' => 'openid profile email'
]);
header('Location: ' . $auth_url);
exit;
}
// 3. Auslieferung der statischen Astro-Datei
$route = $_GET['route'] ?? '';
// Wenn auth.php direkt aufgerufen wurde (z.B. nach Login-Callback ohne Ziel)
if ($route === '') {
header('Location: /');
exit;
}
$route = trim($route, '/');
$base_dir = realpath(__DIR__); $base_dir = realpath(__DIR__);
$target_file = $base_dir . '/' . $route; $target_file = $base_dir . '/' . $route;
// Astro generiert Seiten standardmäßig als Verzeichnis mit einer index.html
if (is_dir($target_file)) { if (is_dir($target_file)) {
$target_file = rtrim($target_file, '/') . '/index.html'; $target_file = rtrim($target_file, '/') . '/index.html';
} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) { } elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
@@ -28,16 +108,14 @@ if (is_dir($target_file)) {
$target_file .= '.html'; $target_file .= '.html';
} }
// 3. Sicherheitsprüfung (Path Traversal verhindern) und Datei ausliefern
$real_target = realpath($target_file); $real_target = realpath($target_file);
// Path Traversal verhindern
if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) { if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
header('Content-Type: text/html'); header('Content-Type: text/html');
readfile($real_target); readfile($real_target);
exit; exit;
} }
// Fallback serve_error_page(404, '404.html');
header("HTTP/1.0 404 Not Found");
echo "404 - Geschützte Datei nicht gefunden";
exit; exit;

6
src/components/ErrorComponent.astro
View File

@@ -11,9 +11,9 @@ interface props {
const { title = "404" } = Astro.props; const { title = "404" } = Astro.props;
--- ---
<div class="grid place-items-center min-h-[60vh] w-full error-component"> <div class="flex flex-col items-center justify-center min-h-[60vh] w-full py-12 error-component">
<div <div
class="w-full sm:max-w-lg bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-b-2 sm:border-2 border-red-500 text-center" class="w-full sm:max-w-lg -mx-4 sm:mx-0 bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-y-2 sm:border-2 border-red-500 text-center"
> >
<h1 <h1
class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3" class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3"
@@ -35,7 +35,7 @@ const { title = "404" } = Astro.props;
<slot /> <slot />
<a <a
href={getPath("/")} href={getPath("/")}
class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors transition-[1s] mt-2" class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors duration-300 mt-2"
> >
<Icon name="tabler:arrow-big-left" class="size-5" /> <Icon name="tabler:arrow-big-left" class="size-5" />
Zurück zur Startseite Zurück zur Startseite