edi/iten.pro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7dbb374360ddba2720828aeb1fca874c8bbcac6f
iten.pro/public/auth.php
Eduard Iten 7dbb374360
All checks were successful
Build and Deploy / build-and-deploy (push) Successful in 11s
Details
Authelia test
2026-04-01 17:23:24 +02:00

108 lines
3.4 KiB
PHP
Raw Blame History

<?php
session_start();
// --- OIDC Konfiguration ---
$client_id = 'iten-pro';
$client_secret = '1qd6v3kCwpkdRu48pgyYF7axT9dywipqEvwHqWM9OiB53bQC'; // Hier im Klartext eintragen
$authelia_url = 'https://auth.iten.pro';
$redirect_uri = 'https://iten.pro/auth.php'; // Muss exakt mit Authelia config übereinstimmen
// 1. OIDC Callback verarbeiten (Rückkehr von Authelia)
if (isset($_GET['code']) && isset($_GET['state'])) {
if ($_GET['state'] !== $_SESSION['oauth_state']) {
die('Sicherheitsfehler: State Mismatch.');
}
// Autorisierungscode gegen Token tauschen
$ch = curl_init($authelia_url . '/api/oidc/token');
curl_setopt($ch, CURLOPT_RESOLVE, ["auth.iten.pro:443:84.227.207.55"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'grant_type' => 'authorization_code',
'client_id' => $client_id,
'client_secret' => $client_secret,
'redirect_uri' => $redirect_uri,
'code' => $_GET['code']
]));
$response = curl_exec($ch);
if ($response === false) {
$error_msg = curl_error($ch);
curl_close($ch);
die('Kritischer cURL-Netzwerkfehler: ' . $error_msg);
}
curl_close($ch);
$data = json_decode($response, true);
if (isset($data['access_token'])) {
// Erfolgreich eingeloggt
$_SESSION['authenticated'] = true;
// Zurück zur ursprünglich angeforderten Route umleiten
$target = $_SESSION['auth_target_route'] ?? '/';
header('Location: /' . ltrim($target, '/'));
exit;
} else {
die('Fehler bei der Token-Generierung: ' . htmlspecialchars($response));
}
}
// 2. Authentifizierungsstatus prüfen
$is_logged_in = isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true;
if (!$is_logged_in) {
// Ursprüngliches Ziel speichern, um nach dem Login dorthin zurückzukehren
$_SESSION['auth_target_route'] = $_GET['route'] ?? '';
// CSRF-Schutz generieren
$_SESSION['oauth_state'] = bin2hex(random_bytes(16));
// Umleitung zur Authelia-Loginseite
$auth_url = $authelia_url . '/api/oidc/authorization?' . http_build_query([
'client_id' => $client_id,
'response_type' => 'code',
'redirect_uri' => $redirect_uri,
'state' => $_SESSION['oauth_state'],
'scope' => 'openid profile email'
]);
header('Location: ' . $auth_url);
exit;
}
// 3. Auslieferung der statischen Astro-Datei
$route = $_GET['route'] ?? '';
// Wenn auth.php direkt aufgerufen wurde (z.B. nach Login-Callback ohne Ziel)
if ($route === '') {
header('Location: /');
exit;
}
$route = trim($route, '/');
$base_dir = realpath(__DIR__);
$target_file = $base_dir . '/' . $route;
if (is_dir($target_file)) {
$target_file = rtrim($target_file, '/') . '/index.html';
} elseif (!str_ends_with($target_file, '.html') && file_exists($target_file . '/index.html')) {
$target_file .= '/index.html';
} elseif (!str_ends_with($target_file, '.html')) {
$target_file .= '.html';
}
$real_target = realpath($target_file);
// Path Traversal verhindern
if ($real_target && file_exists($real_target) && strpos($real_target, $base_dir) === 0) {
header('Content-Type: text/html');
readfile($real_target);
exit;
}
header("HTTP/1.0 404 Not Found");
echo "404 - Geschützte Datei nicht gefunden";
exit;
Reference in New Issue View Git Blame Copy Permalink