* reload the window on 401

* backend apis for auth

* add login page

* re-enable web linter

* fix login page routing

* bypass csrf for internal auth endpoint

* disable healthcheck in devcontainer target

* include login page in vite build

* redirect to login page on 401

* implement config for users and settings

* implement actual JWT secret

* add brute force protection on login

* add support for redirecting from auth failures on api calls

* return location for redirect

* default cookie name should pass regex test

* set hash iterations to current OWASP recommendation

* move users to database instead of config

* config option to reset admin password on startup

* user management UI

* check for deleted user on refresh

* validate username and fixes

* remove password constraint

* cleanup

* fix user check on refresh

* web fixes

* implement auth via new external port

* use x-forwarded-for to rate limit login attempts by ip

* implement logout and profile

* fixes

* lint fixes

* add support for user passthru from upstream proxies

* add support for specifying a logout url

* add documentation

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
This commit is contained in:
Blake Blackshear
2024-05-18 11:36:13 -05:00
committed by GitHub
parent a70dd02788
commit 1133202cbd
48 changed files with 2541 additions and 833 deletions


@@ -62,6 +62,9 @@ http {
}
server {
# intended for external traffic, protected by auth
listen [::]:8080 ipv6only=off;
# intended for internal traffic, not protected by auth
listen [::]:5000 ipv6only=off;
# vod settings
@@ -95,7 +98,10 @@ http {
gzip on;
gzip_types application/vnd.apple.mpegurl;
include auth_location.conf;
location /vod/ {
include auth_request.conf;
aio threads;
vod hls;
@@ -107,6 +113,7 @@ http {
}
location /stream/ {
include auth_request.conf;
add_header Cache-Control "no-store";
expires off;
@@ -121,7 +128,7 @@ http {
}
location /clips/ {
include auth_request.conf;
types {
video/mp4 mp4;
image/jpeg jpg;
@@ -137,6 +144,7 @@ http {
}
location /recordings/ {
include auth_request.conf;
types {
video/mp4 mp4;
}
@@ -147,6 +155,7 @@ http {
}
location /exports/ {
include auth_request.conf;
types {
video/mp4 mp4;
}
@@ -157,17 +166,20 @@ http {
}
location /ws {
include auth_request.conf;
proxy_pass http://mqtt_ws/;
include proxy.conf;
}
location /live/jsmpeg/ {
include auth_request.conf;
proxy_pass http://jsmpeg/;
include proxy.conf;
}
# frigate lovelace card uses this path
location /live/mse/api/ws {
include auth_request.conf;
limit_except GET {
deny all;
}
@@ -176,6 +188,7 @@ http {
}
location /live/webrtc/api/ws {
include auth_request.conf;
limit_except GET {
deny all;
}
@@ -185,6 +198,7 @@ http {
# pass through go2rtc player
location /live/webrtc/webrtc.html {
include auth_request.conf;
limit_except GET {
deny all;
}
@@ -194,6 +208,7 @@ http {
# frontend uses this to fetch the version
location /api/go2rtc/api {
include auth_request.conf;
limit_except GET {
deny all;
}
@@ -203,6 +218,7 @@ http {
# integration uses this to add webrtc candidate
location /api/go2rtc/webrtc {
include auth_request.conf;
limit_except POST {
deny all;
}
@@ -211,12 +227,14 @@ http {
}
location ~* /api/.*\.(jpg|jpeg|png|webp|gif)$ {
include auth_request.conf;
rewrite ^/api/(.*)$ $1 break;
proxy_pass http://frigate_api;
include proxy.conf;
}
location /api/ {
include auth_request.conf;
add_header Cache-Control "no-store";
expires off;
proxy_pass http://frigate_api/;
@@ -231,12 +249,21 @@ http {
add_header X-Cache-Status $upstream_cache_status;
location /api/vod/ {
include auth_request.conf;
proxy_pass http://frigate_api/vod/;
include proxy.conf;
proxy_cache off;
}
location /api/login {
auth_request off;
rewrite ^/api(/.*)$ $1 break;
proxy_pass http://frigate_api;
include proxy.conf;
}
location /api/stats {
include auth_request.conf;
access_log off;
rewrite ^/api(/.*)$ $1 break;
proxy_pass http://frigate_api;
@@ -244,6 +271,7 @@ http {
}
location /api/version {
include auth_request.conf;
access_log off;
rewrite ^/api(/.*)$ $1 break;
proxy_pass http://frigate_api;
@@ -252,6 +280,7 @@ http {
}
location / {
# do not require auth for static assets
add_header Cache-Control "no-store";
expires off;
@@ -273,7 +302,7 @@ http {
sub_filter_once off;
root /opt/frigate/web;
try_files $uri $uri/ /index.html;
try_files $uri $uri.html $uri/ /index.html;
}
}
}
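Review bot: The auth exemption added in the `location /api/login` hunk is a prefix match, so it also exempts any future backend path that merely begins with /api/login from the `auth_request.conf` check that `location /api/` applies; none such is visible in this diff, but since the login endpoint is a single path an exact match is tighter and cannot drift: `location = /api/login {`. The hunk adding the second listener (`listen [::]:8080` commented "protected by auth" versus `[::]:5000` "not protected by auth") leaves both ports in the same server block and relies on the included auth_request.conf, which is not part of this diff, to tell them apart; a comment on those lines stating how that distinction is made (presumably on `$server_port`) would spare the next reader a trip to the other file. The final hunk's line count suggests one context line may be missing from this rendering, so the closing braces of the server and http blocks may extend past what is shown here.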