akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
c27f4e40a39773508e01d313e82a3f54544a491b
caddy-proxy-manager/app/api/forward-auth/session-login/route.ts
akanealw 99819b70ff
Some checks failed
Build and Push Docker Images (Trusted) / build-and-push (., docker/caddy/Dockerfile, caddy) (push) Has been cancelled
Details
Build and Push Docker Images (Trusted) / build-and-push (., docker/l4-port-manager/Dockerfile, l4-port-manager) (push) Has been cancelled
Details
Build and Push Docker Images (Trusted) / build-and-push (., docker/web/Dockerfile, web) (push) Has been cancelled
Details
Tests / test (push) Has been cancelled
Details
added caddy-proxy-manager for testing
2026-04-21 22:49:08 +00:00

83 lines
2.9 KiB
TypeScript
Executable File
Raw Blame History

import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/src/lib/auth";
import { config } from "@/src/lib/config";
import {
createForwardAuthSession,
createExchangeCode,
checkHostAccessByDomain,
consumeRedirectIntent
} from "@/src/lib/models/forward-auth";
import { logAuditEvent } from "@/src/lib/audit";
/**
* Forward auth session login — uses an existing NextAuth session to create
* a forward auth session. Called automatically when the portal detects the
* user is already logged in (e.g. after OAuth).
*/
export async function POST(request: NextRequest) {
try {
// CSRF: verify the request originates from the CPM portal
const origin = request.headers.get("origin");
const baseOrigin = new URL(config.baseUrl).origin;
if (!origin || origin !== baseOrigin) {
return NextResponse.json({ error: "Forbidden" }, { status: 403 });
}
const session = await auth();
if (!session?.user?.id) {
return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
}
const body = await request.json();
const rid = typeof body.rid === "string" ? body.rid : "";
if (!rid) {
return NextResponse.json({ error: "Missing redirect intent" }, { status: 400 });
}
// Consume the redirect intent — returns the server-stored redirect URI
const redirectUri = await consumeRedirectIntent(rid);
if (!redirectUri) {
return NextResponse.json({ error: "Invalid or expired redirect intent. Please try again." }, { status: 400 });
}
const targetUrl = new URL(redirectUri);
const userId = Number(session.user.id);
// Check if user has access to the target host
const { hasAccess } = await checkHostAccessByDomain(userId, targetUrl.hostname);
if (!hasAccess) {
logAuditEvent({
userId,
action: "forward_auth_access_denied",
entityType: "proxy_host",
summary: `Forward auth access denied for user ${session.user.email} to host ${targetUrl.hostname}`
});
return NextResponse.json(
{ error: "You do not have access to this application." },
{ status: 403 }
);
}
// Create forward auth session and exchange code
const { session: faSession } = await createForwardAuthSession(userId);
const { rawCode } = await createExchangeCode(faSession.id, redirectUri);
logAuditEvent({
userId,
action: "forward_auth_login",
entityType: "user",
entityId: userId,
summary: `Forward auth login (session) for user ${session.user.email} to ${targetUrl.hostname}`
});
const callbackUrl = new URL("/.cpm-auth/callback", targetUrl.origin);
callbackUrl.searchParams.set("code", rawCode);
return NextResponse.json({ redirectTo: callbackUrl.toString() });
} catch (error) {
console.error("Forward auth session login error:", error);
return NextResponse.json({ error: "Internal server error" }, { status: 500 });
}
}
Reference in New Issue View Git Blame Copy Permalink