photoprism/internal/config/config_auth.go

package config

import (
	"regexp"
	"strings"

	"github.com/photoprism/photoprism/pkg/rnd"
	"golang.org/x/crypto/bcrypt"
)

const (
	AuthModePublic = "public"
	AuthModePasswd = "password"
)

func isBcrypt(s string) bool {
	b, err := regexp.MatchString(`^\$2[ayb]\$.{56}$`, s)
	if err != nil {
		return false
	}
	return b
}

// Public checks if app runs in public mode and requires no authentication.
func (c *Config) Public() bool {
	if c.Demo() {
		return true
	}

	return c.options.Public
}

// SetPublic changes authentication while instance is running, for testing purposes only.
func (c *Config) SetPublic(enabled bool) {
	if c.Debug() {
		c.options.Public = enabled
	}
}

// AdminPassword returns the initial admin password.
func (c *Config) AdminPassword() string {
	return c.options.AdminPassword
}

// AuthMode returns the authentication mode.
func (c *Config) AuthMode() string {
	if c.Public() {
		return AuthModePublic
	}

	mode := strings.ToLower(strings.TrimSpace(c.options.AuthMode))

	switch mode {
	case AuthModePublic:
		return AuthModePublic
	case AuthModePasswd, "", "p", "pw", "pass", "passwd", "passwort", "passwords":
		return AuthModePasswd
	default:
		return AuthModePasswd
	}
}

// Auth checks if authentication is required.
func (c *Config) Auth() bool {
	return c.AuthMode() != AuthModePublic
}

// CheckPassword compares given password p with the admin password
func (c *Config) CheckPassword(p string) bool {
	ap := c.AdminPassword()

	if isBcrypt(ap) {
		err := bcrypt.CompareHashAndPassword([]byte(ap), []byte(p))
		return err == nil
	}

	return ap == p
}

// InvalidDownloadToken checks if the token is invalid.
func (c *Config) InvalidDownloadToken(t string) bool {
	return c.DownloadToken() != t
}

// DownloadToken returns the DOWNLOAD api token (you can optionally use a static value for permanent caching).
func (c *Config) DownloadToken() string {
	if c.options.DownloadToken == "" {
		c.options.DownloadToken = rnd.GenerateToken(8)
	}

	return c.options.DownloadToken
}

// InvalidPreviewToken checks if the preview token is invalid.
func (c *Config) InvalidPreviewToken(t string) bool {
	return c.PreviewToken() != t && c.DownloadToken() != t
}

// PreviewToken returns the preview image api token (based on the unique storage serial by default).
func (c *Config) PreviewToken() string {
	if c.options.PreviewToken == "" {
		if c.Public() {
			c.options.PreviewToken = "public"
		} else if c.Serial() == "" {
			return "********"
		} else {
			c.options.PreviewToken = c.SerialChecksum()
		}
	}

	return c.options.PreviewToken
}
Backend: Support encrypted password (#231) See issue #221, only handles bcrypt 2020-01-28 10:04:10 +00:00			`package config`

			`import (`
			`"regexp"`
Auth: Add PHOTOPRISM_AUTH_MODE config option #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-07 17:12:28 +00:00			`"strings"`
Backend: Support encrypted password (#231) See issue #221, only handles bcrypt 2020-01-28 10:04:10 +00:00
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`"github.com/photoprism/photoprism/pkg/rnd"`
Backend: Support encrypted password (#231) See issue #221, only handles bcrypt 2020-01-28 10:04:10 +00:00			`"golang.org/x/crypto/bcrypt"`
			`)`

Auth: Add PHOTOPRISM_AUTH_MODE config option #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-07 17:12:28 +00:00			`const (`
Auth: Shorten passwd mode option (password still works) #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-11 03:08:15 +00:00			`AuthModePublic = "public"`
API: Improve logs and add /api/v1/connect endpoint for auth callbacks Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-19 14:58:43 +00:00			`AuthModePasswd = "password"`
Auth: Add PHOTOPRISM_AUTH_MODE config option #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-07 17:12:28 +00:00			`)`

Backend: Support encrypted password (#231) See issue #221, only handles bcrypt 2020-01-28 10:04:10 +00:00			`func isBcrypt(s string) bool {`
			b, err := regexp.MatchString(`^\$2[ayb]\$.{56}$`, s)
			`if err != nil {`
			`return false`
			`}`
			`return b`
			`}`

Auth: Add PHOTOPRISM_AUTH_MODE config option #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-07 17:12:28 +00:00			`// Public checks if app runs in public mode and requires no authentication.`
			`func (c *Config) Public() bool {`
			`if c.Demo() {`
			`return true`
			`}`

			`return c.options.Public`
			`}`

			`// SetPublic changes authentication while instance is running, for testing purposes only.`
			`func (c *Config) SetPublic(enabled bool) {`
			`if c.Debug() {`
			`c.options.Public = enabled`
			`}`
			`}`

			`// AdminPassword returns the initial admin password.`
			`func (c *Config) AdminPassword() string {`
			`return c.options.AdminPassword`
			`}`

			`// AuthMode returns the authentication mode.`
			`func (c *Config) AuthMode() string {`
			`if c.Public() {`
			`return AuthModePublic`
			`}`

Auth: Shorten passwd mode option (password still works) #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-11 03:08:15 +00:00			`mode := strings.ToLower(strings.TrimSpace(c.options.AuthMode))`

			`switch mode {`
			`case AuthModePublic:`
			`return AuthModePublic`
API: Improve logs and add /api/v1/connect endpoint for auth callbacks Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-19 14:58:43 +00:00			`case AuthModePasswd, "", "p", "pw", "pass", "passwd", "passwort", "passwords":`
Auth: Shorten passwd mode option (password still works) #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-11 03:08:15 +00:00			`return AuthModePasswd`
			`default:`
			`return AuthModePasswd`
			`}`
Auth: Add PHOTOPRISM_AUTH_MODE config option #98 #782 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-07-07 17:12:28 +00:00			`}`

			`// Auth checks if authentication is required.`
			`func (c *Config) Auth() bool {`
			`return c.AuthMode() != AuthModePublic`
			`}`

Some more comment improvements (#257) * Improve comment in classify package * improve comment in config package * improve entity package comments * grammar error in comments 2020-02-21 00:14:45 +00:00			`// CheckPassword compares given password p with the admin password`
Backend: Support encrypted password (#231) See issue #221, only handles bcrypt 2020-01-28 10:04:10 +00:00			`func (c *Config) CheckPassword(p string) bool {`
			`ap := c.AdminPassword()`

			`if isBcrypt(ap) {`
			`err := bcrypt.CompareHashAndPassword([]byte(ap), []byte(p))`
			`return err == nil`
			`}`

			`return ap == p`
			`}`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00
Config: Add option to skip all RAW images when indexing #2227 2022-04-06 15:46:41 +00:00			`// InvalidDownloadToken checks if the token is invalid.`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`func (c *Config) InvalidDownloadToken(t string) bool {`
			`return c.DownloadToken() != t`
			`}`

			`// DownloadToken returns the DOWNLOAD api token (you can optionally use a static value for permanent caching).`
			`func (c *Config) DownloadToken() string {`
UX: Add global server config options tab to Settings UI 2020-12-18 19:42:12 +00:00			`if c.options.DownloadToken == "" {`
Download: Add Disabled, Originals, MediaRaw & MediaSidecar Flags #2234 Extends DownloadSettings with 4 additional options: - Name: File name pattern for downloaded files (existed) - Disabled: Disables downloads - Originals: Only download files stored in "originals" folder - MediaRaw: Include RAW image files - MediaSidecar: Include metadata sidecar files (JSON, XMP, YAML) 2022-04-15 07:42:07 +00:00			`c.options.DownloadToken = rnd.GenerateToken(8)`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`}`

UX: Add global server config options tab to Settings UI 2020-12-18 19:42:12 +00:00			`return c.options.DownloadToken`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`}`

Config: Add option to skip all RAW images when indexing #2227 2022-04-06 15:46:41 +00:00			`// InvalidPreviewToken checks if the preview token is invalid.`
Use static logo in sidebar navigation Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-06-26 14:11:56 +00:00			`func (c *Config) InvalidPreviewToken(t string) bool {`
Rename ThumbToken to PreviewToken Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:56:56 +00:00			`return c.PreviewToken() != t && c.DownloadToken() != t`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`}`

Config: Improve preview token security 2021-01-02 14:08:39 +00:00			`// PreviewToken returns the preview image api token (based on the unique storage serial by default).`
Rename ThumbToken to PreviewToken Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:56:56 +00:00			`func (c *Config) PreviewToken() string {`
UX: Add global server config options tab to Settings UI 2020-12-18 19:42:12 +00:00			`if c.options.PreviewToken == "" {`
API: Refactor response headers #822 #846 2021-01-08 08:02:30 +00:00			`if c.Public() {`
			`c.options.PreviewToken = "public"`
Config: Add option to skip all RAW images when indexing #2227 2022-04-06 15:46:41 +00:00			`} else if c.Serial() == "" {`
			`return "********"`
API: Refactor response headers #822 #846 2021-01-08 08:02:30 +00:00			`} else {`
			`c.options.PreviewToken = c.SerialChecksum()`
			`}`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`}`

UX: Add global server config options tab to Settings UI 2020-12-18 19:42:12 +00:00			`return c.options.PreviewToken`
Refactor download urls and client config Signed-off-by: Michael Mayer <michael@liquidbytes.net> 2020-05-27 17:38:40 +00:00			`}`