grafana/pkg/api/login.go

package api

import (
	"encoding/hex"
	"net/http"
	"net/url"

	"github.com/grafana/grafana/pkg/api/dtos"
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/infra/metrics"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/login"
	"github.com/grafana/grafana/pkg/middleware"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

const (
	ViewIndex            = "index"
	LoginErrorCookieName = "login_error"
)

func (hs *HTTPServer) LoginView(c *m.ReqContext) {
	viewData, err := hs.setIndexViewData(c)
	if err != nil {
		c.Handle(500, "Failed to get settings", err)
		return
	}

	enabledOAuths := make(map[string]interface{})
	for key, oauth := range setting.OAuthService.OAuthInfos {
		enabledOAuths[key] = map[string]string{"name": oauth.Name}
	}

	viewData.Settings["oauth"] = enabledOAuths
	viewData.Settings["disableUserSignUp"] = !setting.AllowUserSignUp
	viewData.Settings["loginHint"] = setting.LoginHint
	viewData.Settings["passwordHint"] = setting.PasswordHint
	viewData.Settings["disableLoginForm"] = setting.DisableLoginForm

	if loginError, ok := tryGetEncryptedCookie(c, LoginErrorCookieName); ok {
		deleteCookie(c, LoginErrorCookieName)
		viewData.Settings["loginError"] = loginError
	}

	if tryOAuthAutoLogin(c) {
		return
	}

	if !c.IsSignedIn {
		c.HTML(200, ViewIndex, viewData)
		return
	}

	if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
		c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
		c.Redirect(redirectTo)
		return
	}

	c.Redirect(setting.AppSubUrl + "/")
}

func tryOAuthAutoLogin(c *m.ReqContext) bool {
	if !setting.OAuthAutoLogin {
		return false
	}
	oauthInfos := setting.OAuthService.OAuthInfos
	if len(oauthInfos) != 1 {
		log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")
		return false
	}
	for key := range setting.OAuthService.OAuthInfos {
		redirectUrl := setting.AppSubUrl + "/login/" + key
		log.Info("OAuth auto login enabled. Redirecting to " + redirectUrl)
		c.Redirect(redirectUrl, 307)
		return true
	}
	return false
}

func (hs *HTTPServer) LoginAPIPing(c *m.ReqContext) Response {
	if c.IsSignedIn || c.IsAnonymous {
		return JSON(200, "Logged in")
	}

	return Error(401, "Unauthorized", nil)
}

func (hs *HTTPServer) LoginPost(c *m.ReqContext, cmd dtos.LoginCommand) Response {
	if setting.DisableLoginForm {
		return Error(401, "Login is disabled", nil)
	}

	authQuery := &m.LoginUserQuery{
		ReqContext: c,
		Username:   cmd.User,
		Password:   cmd.Password,
		IpAddress:  c.Req.RemoteAddr,
	}

	if err := bus.Dispatch(authQuery); err != nil {
		if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
			return Error(401, "Invalid username or password", err)
		}

		return Error(500, "Error while trying to authenticate user", err)
	}

	user := authQuery.User

	hs.loginUserWithUser(user, c)

	result := map[string]interface{}{
		"message": "Logged in",
	}

	if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
		result["redirectUrl"] = redirectTo
		c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
	}

	metrics.M_Api_Login_Post.Inc()

	return JSON(200, result)
}

func (hs *HTTPServer) loginUserWithUser(user *m.User, c *m.ReqContext) {
	if user == nil {
		hs.log.Error("user login with nil user")
	}

	userToken, err := hs.AuthTokenService.CreateToken(user.Id, c.RemoteAddr(), c.Req.UserAgent())
	if err != nil {
		hs.log.Error("failed to create auth token", "error", err)
	}

	middleware.WriteSessionCookie(c, userToken.UnhashedToken, hs.Cfg.LoginMaxLifetimeDays)
}

func (hs *HTTPServer) Logout(c *m.ReqContext) {
	if err := hs.AuthTokenService.RevokeToken(c.UserToken); err != nil && err != m.ErrUserTokenNotFound {
		hs.log.Error("failed to revoke auth token", "error", err)
	}

	middleware.WriteSessionCookie(c, "", -1)

	if setting.SignoutRedirectUrl != "" {
		c.Redirect(setting.SignoutRedirectUrl)
	} else {
		c.Redirect(setting.AppSubUrl + "/login")
	}
}

func tryGetEncryptedCookie(ctx *m.ReqContext, cookieName string) (string, bool) {
	cookie := ctx.GetCookie(cookieName)
	if cookie == "" {
		return "", false
	}

	decoded, err := hex.DecodeString(cookie)
	if err != nil {
		return "", false
	}

	decryptedError, err := util.Decrypt(decoded, setting.SecretKey)
	return string(decryptedError), err == nil
}

func deleteCookie(ctx *m.ReqContext, cookieName string) {
	ctx.SetCookie(cookieName, "", -1, setting.AppSubUrl+"/")
}

func (hs *HTTPServer) trySetEncryptedCookie(ctx *m.ReqContext, cookieName string, value string, maxAge int) error {
	encryptedError, err := util.Encrypt([]byte(value), setting.SecretKey)
	if err != nil {
		return err
	}

	http.SetCookie(ctx.Resp, &http.Cookie{
		Name:     cookieName,
		MaxAge:   60,
		Value:    hex.EncodeToString(encryptedError),
		HttpOnly: true,
		Path:     setting.AppSubUrl + "/",
		Secure:   hs.Cfg.CookieSecure,
		SameSite: hs.Cfg.CookieSameSite,
	})

	return nil
}
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`package api`

			`import (`
store oauth login error messages in an encrypted cookie 7 years ago			`"encoding/hex"`
			`"net/http"`
Worked on login remember cookie, and redirect after login 11 years ago			`"net/url"`

Changed go package path 11 years ago			`"github.com/grafana/grafana/pkg/api/dtos"`
			`"github.com/grafana/grafana/pkg/bus"`
moves metric package to /infra ref #14679 6 years ago			`"github.com/grafana/grafana/pkg/infra/metrics"`
Changed go package path 11 years ago			`"github.com/grafana/grafana/pkg/log"`
feat(ldap): work on reading ldap config from toml file, #1450 10 years ago			`"github.com/grafana/grafana/pkg/login"`
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago			`"github.com/grafana/grafana/pkg/middleware"`
Changed go package path 11 years ago			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
store oauth login error messages in an encrypted cookie 7 years ago			`"github.com/grafana/grafana/pkg/util"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`)`

Worked on login remember cookie, and redirect after login 11 years ago			`const (`
store oauth login error messages in an encrypted cookie 7 years ago			`ViewIndex = "index"`
			`LoginErrorCookieName = "login_error"`
Worked on login remember cookie, and redirect after login 11 years ago			`)`

Adds backend hooks service so extensions can modify index data 7 years ago			`func (hs HTTPServer) LoginView(c m.ReqContext) {`
			`viewData, err := hs.setIndexViewData(c)`
feat(external_plugin): lots of refactoring for side menu link extensions and view data, #3185 10 years ago			`if err != nil {`
Changed from goconfig to its new counter part go-ini 11 years ago			`c.Handle(500, "Failed to get settings", err)`
			`return`
			`}`

feat(oauth): refactoring PR #6077 9 years ago			`enabledOAuths := make(map[string]interface{})`
			`for key, oauth := range setting.OAuthService.OAuthInfos {`
			`enabledOAuths[key] = map[string]string{"name": oauth.Name}`
			`}`

			`viewData.Settings["oauth"] = enabledOAuths`
feat(external_plugin): lots of refactoring for side menu link extensions and view data, #3185 10 years ago			`viewData.Settings["disableUserSignUp"] = !setting.AllowUserSignUp`
Merge branch 'master' into external-plugins Conflicts: pkg/api/login.go public/app/core/routes/all.js public/app/core/table_model.ts public/app/panels/table/table_model.ts public/app/plugins/panels/table/editor.ts public/app/plugins/panels/table/table_model.ts 10 years ago			`viewData.Settings["loginHint"] = setting.LoginHint`
Make password hint configurable from settings/defaults.ini 6 years ago			`viewData.Settings["passwordHint"] = setting.PasswordHint`
feat(config): changed name of allow_user_login_pass to disable_login_form, changed the section of the config option to [auth], impacts merged PR #5423 9 years ago			`viewData.Settings["disableLoginForm"] = setting.DisableLoginForm`
Login: only enabled oauth options are shown on login page 11 years ago
store oauth login error messages in an encrypted cookie 7 years ago			`if loginError, ok := tryGetEncryptedCookie(c, LoginErrorCookieName); ok {`
			`deleteCookie(c, LoginErrorCookieName)`
Add common type for oauth authorization errors 9 years ago			`viewData.Settings["loginError"] = loginError`
			`}`

Implement oauth_auto_login setting Redirect in backend 7 years ago			`if tryOAuthAutoLogin(c) {`
			`return`
			`}`

redirect logged in users from /login to home 7 years ago			`if !c.IsSignedIn {`
			`c.HTML(200, ViewIndex, viewData)`
			`return`
			`}`

			`if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {`
			`c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")`
			`c.Redirect(redirectTo)`
			`return`
			`}`

			`c.Redirect(setting.AppSubUrl + "/")`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 10 years ago			`}`

Implement oauth_auto_login setting Redirect in backend 7 years ago			`func tryOAuthAutoLogin(c *m.ReqContext) bool {`
			`if !setting.OAuthAutoLogin {`
			`return false`
			`}`
			`oauthInfos := setting.OAuthService.OAuthInfos`
			`if len(oauthInfos) != 1 {`
			`log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")`
			`return false`
			`}`
			`for key := range setting.OAuthService.OAuthInfos {`
			`redirectUrl := setting.AppSubUrl + "/login/" + key`
			`log.Info("OAuth auto login enabled. Redirecting to " + redirectUrl)`
			`c.Redirect(redirectUrl, 307)`
			`return true`
			`}`
			`return false`
			`}`

improves readability of loginping handler 7 years ago			`func (hs HTTPServer) LoginAPIPing(c m.ReqContext) Response {`
			`if c.IsSignedIn \|\| c.IsAnonymous {`
			`return JSON(200, "Logged in")`
Worked on login remember cookie, and redirect after login 11 years ago			`}`

improves readability of loginping handler 7 years ago			`return Error(401, "Unauthorized", nil)`
Changed from goconfig to its new counter part go-ini 11 years ago			`}`

inject login/logout hooks 7 years ago			`func (hs HTTPServer) LoginPost(c m.ReqContext, cmd dtos.LoginCommand) Response {`
disable inviting new users to orgs if login form is disabled 8 years ago			`if setting.DisableLoginForm {`
Make golint happier 7 years ago			`return Error(401, "Login is disabled", nil)`
disable inviting new users to orgs if login form is disabled 8 years ago			`}`

switch to passing ReqContext as a property 7 years ago			`authQuery := &m.LoginUserQuery{`
			`ReqContext: c,`
			`Username: cmd.User,`
			`Password: cmd.Password,`
			`IpAddress: c.Req.RemoteAddr,`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`}`

switch to passing ReqContext as a property 7 years ago			`if err := bus.Dispatch(authQuery); err != nil {`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 8 years ago			`if err == login.ErrInvalidCredentials \|\| err == login.ErrTooManyLoginAttempts {`
Make golint happier 7 years ago			`return Error(401, "Invalid username or password", err)`
Initial work on ldap support, #1450 10 years ago			`}`

Make golint happier 7 years ago			`return Error(500, "Error while trying to authenticate user", err)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`}`

Started work on LDAP again, #1450 10 years ago			`user := authQuery.User`

inject login/logout hooks 7 years ago			`hs.loginUserWithUser(user, c)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago
Worked on login remember cookie, and redirect after login 11 years ago			`result := map[string]interface{}{`
			`"message": "Logged in",`
			`}`

			`if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {`
			`result["redirectUrl"] = redirectTo`
			`c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")`
			`}`

convert old metrics to prom metrics 8 years ago			`metrics.M_Api_Login_Post.Inc()`
Added server metrics 10 years ago
Make golint happier 7 years ago			`return JSON(200, result)`
Initial work on ldap support, #1450 10 years ago			`}`

inject login/logout hooks 7 years ago			`func (hs HTTPServer) loginUserWithUser(user m.User, c *m.ReqContext) {`
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 11 years ago			`if user == nil {`
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago			`hs.log.Error("user login with nil user")`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`}`

move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago			`userToken, err := hs.AuthTokenService.CreateToken(user.Id, c.RemoteAddr(), c.Req.UserAgent())`
inject login/logout hooks 7 years ago			`if err != nil {`
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago			`hs.log.Error("failed to create auth token", "error", err)`
Do not set remember me cookie when days are set to zero 9 years ago			`}`
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago
change UserToken from interface to struct 6 years ago			`middleware.WriteSessionCookie(c, userToken.UnhashedToken, hs.Cfg.LoginMaxLifetimeDays)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`}`

inject login/logout hooks 7 years ago			`func (hs HTTPServer) Logout(c m.ReqContext) {`
move UserToken and UserTokenService to models package 6 years ago			`if err := hs.AuthTokenService.RevokeToken(c.UserToken); err != nil && err != m.ErrUserTokenNotFound {`
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests 6 years ago			`hs.log.Error("failed to revoke auth token", "error", err)`
			`}`

			`middleware.WriteSessionCookie(c, "", -1)`
inject login/logout hooks 7 years ago
Fix #9847 Add a generic signout_redirect_url to enable oauth logout Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 7 years ago			`if setting.SignoutRedirectUrl != "" {`
			`c.Redirect(setting.SignoutRedirectUrl)`
			`} else {`
			`c.Redirect(setting.AppSubUrl + "/login")`
			`}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 11 years ago			`}`
store oauth login error messages in an encrypted cookie 7 years ago
			`func tryGetEncryptedCookie(ctx *m.ReqContext, cookieName string) (string, bool) {`
			`cookie := ctx.GetCookie(cookieName)`
			`if cookie == "" {`
			`return "", false`
			`}`

			`decoded, err := hex.DecodeString(cookie)`
			`if err != nil {`
			`return "", false`
			`}`

build: partially replace gometalinter with golangci-lint (#16610) we still use gometalinter for goconst since it doesn't report errors for duplicated in test files 6 years ago			`decryptedError, err := util.Decrypt(decoded, setting.SecretKey)`
store oauth login error messages in an encrypted cookie 7 years ago			`return string(decryptedError), err == nil`
			`}`

			`func deleteCookie(ctx *m.ReqContext, cookieName string) {`
			`ctx.SetCookie(cookieName, "", -1, setting.AppSubUrl+"/")`
			`}`

			`func (hs HTTPServer) trySetEncryptedCookie(ctx m.ReqContext, cookieName string, value string, maxAge int) error {`
			`encryptedError, err := util.Encrypt([]byte(value), setting.SecretKey)`
			`if err != nil {`
			`return err`
			`}`

			`http.SetCookie(ctx.Resp, &http.Cookie{`
			`Name: cookieName,`
			`MaxAge: 60,`
			`Value: hex.EncodeToString(encryptedError),`
			`HttpOnly: true,`
			`Path: setting.AppSubUrl + "/",`
changes needed for api/middleware due to configuration settings 6 years ago			`Secure: hs.Cfg.CookieSecure,`
			`SameSite: hs.Cfg.CookieSameSite,`
store oauth login error messages in an encrypted cookie 7 years ago			`})`

			`return nil`
			`}`