Fixe IP aus auth.php entfernt

Reviewed-on: #6

public/.htaccess

@@ -1,3 +1,10 @@
 ErrorDocument 403 /403.html
 ErrorDocument 404 /404.html
 ErrorDocument 500 /500.html
+
+RewriteEngine On
+
+# Prüfen, ob die aufgerufene URL mit /index-test beginnt
+RewriteCond %{REQUEST_URI} ^/index-test(/.*)?$
+# Umleitung auf das PHP-Skript, Übergabe des originalen Pfads als Parameter
+RewriteRule ^(.*)$ /auth.php?route=$1 [QSA,L]

public/auth.php

@@ -0,0 +1,121 @@
+<?php
+session_start();
+
+// --- Hilfsfunktion für Fehlerseiten ---
+function serve_error_page($http_code, $filename) {
+    http_response_code($http_code);
+    $filepath = realpath(__DIR__ . '/' . $filename);
+    
+    if ($filepath && file_exists($filepath)) {
+        header('Content-Type: text/html');
+        readfile($filepath);
+    } else {
+        // Fallback, falls die HTML-Datei serverseitig gelöscht wurde
+        echo "<h1>Fehler $http_code</h1>";
+    }
+    exit;
+}
+
+// --- OIDC Konfiguration ---
+$client_id     = 'iten-pro';
+$client_secret = '1qd6v3kCwpkdRu48pgyYF7axT9dywipqEvwHqWM9OiB53bQC'; // Hier im Klartext eintragen
+$authelia_url  = 'https://auth.iten.pro';
+$redirect_uri  = 'https://iten.pro/auth.php'; // Muss exakt mit Authelia config übereinstimmen
+
+// 1. OIDC Callback verarbeiten (Rückkehr von Authelia)
+if (isset($_GET['code']) && isset($_GET['state'])) {
+    if ($_GET['state'] !== $_SESSION['oauth_state']) {
+        die('Sicherheitsfehler: State Mismatch.');
+    }
+
+    // Autorisierungscode gegen Token tauschen
+    $ch = curl_init($authelia_url . '/api/oidc/token');
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_POST, true);
+    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
+        'grant_type'    => 'authorization_code',
+        'client_id'     => $client_id,
+        'client_secret' => $client_secret,
+        'redirect_uri'  => $redirect_uri,
+        'code'          => $_GET['code']
+    ]));
+    
+    $response = curl_exec($ch);
+
+    if ($response === false) {
+        $error_msg = curl_error($ch);
+        curl_close($ch);
+        die('Kritischer cURL-Netzwerkfehler: ' . $error_msg);
+    }
+
+    curl_close($ch);
+    $data = json_decode($response, true);
+
+    if (isset($data['access_token'])) {
+        // Erfolgreich eingeloggt
+        $_SESSION['authenticated'] = true;
+        
+        // Zurück zur ursprünglich angeforderten Route umleiten
+        $target = $_SESSION['auth_target_route'] ?? '/';
+        header('Location: /' . ltrim($target, '/'));
+        exit;
+    } else {
+        die('Fehler bei der Token-Generierung: ' . htmlspecialchars($response));
+    }
+}
+
+// 2. Authentifizierungsstatus prüfen
+$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
+
+if (!$is_logged_in) {
+    // Ursprüngliches Ziel speichern, um nach dem Login dorthin zurückzukehren
+    $_SESSION['auth_target_route'] = $_GET['route'] ?? '';
+    
+    // CSRF-Schutz generieren
+    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
+    
+    // Umleitung zur Authelia-Loginseite
+    $auth_url = $authelia_url . '/api/oidc/authorization?' . http_build_query([
+        'client_id'     => $client_id,
+        'response_type' => 'code',
+        'redirect_uri'  => $redirect_uri,
+        'state'         => $_SESSION['oauth_state'],
+        'scope'         => 'openid profile email'
+    ]);
+    
+    header('Location: ' . $auth_url);
+    exit;
+}
+
+// 3. Auslieferung der statischen Astro-Datei
+$route = $_GET['route'] ?? '';
+
+// Wenn auth.php direkt aufgerufen wurde (z.B. nach Login-Callback ohne Ziel)
+if ($route === '') {
+    header('Location: /');
+    exit;
+}
+
+$route = trim($route, '/');
+$base_dir = realpath(__DIR__);
+$target_file = $base_dir . '/' . $route;
+
+if (is_dir($target_file)) {
+    $target_file = rtrim($target_file, '/') . '/index.html';
+} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
+    $target_file .= '/index.html';
+} elseif (!str_ends_with($target_file, '.html')) {
+    $target_file .= '.html';
+}
+
+$real_target = realpath($target_file);
+
+// Path Traversal verhindern
+if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
+    header('Content-Type: text/html');
+    readfile($real_target);
+    exit;
+}
+
+serve_error_page(404, '404.html');
+exit;

src/components/ErrorComponent.astro

@@ -11,21 +11,31 @@ interface props {
 const { title = "404" } = Astro.props;
 ---
 
-<div class="grid place-items-center min-h-[60vh] w-full error-component">
+<div class="flex flex-col items-center justify-center min-h-[60vh] w-full py-12 error-component">
     <div
-        class="w-full sm:max-w-lg bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-b-2 sm:border-2 border-red-500 text-center"
+        class="w-full sm:max-w-lg -mx-4 sm:mx-0 bg-red-50 text-red-500 p-0 sm:rounded-lg sm:shadow border-y-2 sm:border-2 border-red-500 text-center"
     >
         <h1
             class="bg-red-500 text-white text-4xl font-bold py-2 px-4 font-mono flex items-center justify-center gap-3"
         >
-            <Icon name="tabler:alert-triangle" class="size-9" />
+            <span class="relative grid h-9 w-9">
+                <Icon
+                    name="tabler:triangle-filled"
+                    class="col-start-1 row-start-1 size-9 animate-ping opacity-75 translate-x-[-0.25px] translate-y-[-1.5px] blur-[1px]"
+                />
+                <Icon
+                    name="tabler:alert-triangle"
+                    class="col-start-1 row-start-1 size-9 relative"
+                />
+            </span>
             Fehler {title}
         </h1>
+
         <p class="mb-4 text-red-500 py-2 px-4 text-lg">
             <slot />
             <a
                 href={getPath("/")}
-                class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors transition-[1s] mt-2"
+                class="flex items-center justify-center gap-1 font-semibold text-red-500 hover:text-white hover:bg-red-500 rounded-full px-4 py-2 hover:drop-shadow transition-colors duration-300 mt-2"
             >
                 <Icon name="tabler:arrow-big-left" class="size-5" />
                 Zurück zur Startseite
@@ -38,4 +48,8 @@ const { title = "404" } = Astro.props;
     .error-component :global(br) {
         @apply mb-3;
     }
+
+    .error-component .animate-ping {
+        animation-duration: 2s;
+    }
 </style>