Auth! (#11347)

* reload the window on 401

* backend apis for auth

* add login page

* re-enable web linter

* fix login page routing

* bypass csrf for internal auth endpoint

* disable healthcheck in devcontainer target

* include login page in vite build

* redirect to login page on 401

* implement config for users and settings

* implement JWT actual secret

* add brute force protection on login

* add support for redirecting from auth failures on api calls

* return location for redirect

* default cookie name should pass regex test

* set hash iterations to current OWASP recommendation

* move users to database instead of config

* config option to reset admin password on startup

* user management UI

* check for deleted user on refresh

* validate username and fixes

* remove password constraint

* cleanup

* fix user check on refresh

* web fixes

* implement auth via new external port

* use x-forwarded-for to rate limit login attempts by ip

* implement logout and profile

* fixes

* lint fixes

* add support for user passthru from upstream proxies

* add support for specifying a logout url

* add documentation

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

* Update docs/docs/configuration/authentication.md

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

---------

Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>

web/src/components/auth/AuthForm.tsx

@@ -0,0 +1,132 @@
+"use client";
+
+import * as React from "react";
+
+import { cn } from "@/lib/utils";
+import { Input } from "@/components/ui/input";
+import { Button } from "@/components/ui/button";
+import ActivityIndicator from "@/components/indicators/activity-indicator";
+import axios, { AxiosError } from "axios";
+import { Toaster } from "@/components/ui/sonner";
+import { toast } from "sonner";
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+} from "@/components/ui/form";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+interface UserAuthFormProps extends React.HTMLAttributes<HTMLDivElement> {}
+
+export function UserAuthForm({ className, ...props }: UserAuthFormProps) {
+  const [isLoading, setIsLoading] = React.useState<boolean>(false);
+
+  const formSchema = z.object({
+    user: z.string(),
+    password: z.string(),
+  });
+
+  const form = useForm<z.infer<typeof formSchema>>({
+    resolver: zodResolver(formSchema),
+    mode: "onChange",
+    defaultValues: {
+      user: "",
+      password: "",
+    },
+  });
+
+  const onSubmit = async (values: z.infer<typeof formSchema>) => {
+    setIsLoading(true);
+    try {
+      await axios.post(
+        "/api/login",
+        {
+          user: values.user,
+          password: values.password,
+        },
+        {
+          headers: {
+            "X-CSRF-TOKEN": 1,
+          },
+        },
+      );
+      window.location.href = "/";
+    } catch (error) {
+      if (axios.isAxiosError(error)) {
+        const err = error as AxiosError;
+        if (err.response?.status === 429) {
+          toast.error("Exceeded rate limit. Try again later.", {
+            position: "top-center",
+          });
+        } else if (err.response?.status === 400) {
+          toast.error("Login failed", {
+            position: "top-center",
+          });
+        } else {
+          toast.error("Unknown error. Check logs.", {
+            position: "top-center",
+          });
+        }
+      } else {
+        toast.error("Unknown error. Check console logs.", {
+          position: "top-center",
+        });
+      }
+
+      setIsLoading(false);
+    }
+  };
+
+  return (
+    <div className={cn("grid gap-6", className)} {...props}>
+      <Form {...form}>
+        <form onSubmit={form.handleSubmit(onSubmit)}>
+          <FormField
+            name="user"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>User</FormLabel>
+                <FormControl>
+                  <Input
+                    className="text-md w-full border border-input bg-background p-2 hover:bg-accent hover:text-accent-foreground dark:[color-scheme:dark]"
+                    {...field}
+                  />
+                </FormControl>
+              </FormItem>
+            )}
+          />
+          <FormField
+            name="password"
+            render={({ field }) => (
+              <FormItem>
+                <FormLabel>Password</FormLabel>
+                <FormControl>
+                  <Input
+                    className="text-md w-full border border-input bg-background p-2 hover:bg-accent hover:text-accent-foreground dark:[color-scheme:dark]"
+                    type="password"
+                    {...field}
+                  />
+                </FormControl>
+              </FormItem>
+            )}
+          />
+          <div className="flex flex-row gap-2 pt-5">
+            <Button
+              variant="select"
+              disabled={isLoading}
+              className="flex flex-1"
+            >
+              {isLoading && <ActivityIndicator className="mr-2 h-4 w-4" />}
+              Login
+            </Button>
+          </div>
+        </form>
+      </Form>
+      <Toaster />
+    </div>
+  );
+}

web/src/components/menu/AccountSettings.tsx

@@ -7,31 +7,82 @@ import { cn } from "@/lib/utils";
 import { TooltipPortal } from "@radix-ui/react-tooltip";
 import { isDesktop } from "react-device-detect";
 import { VscAccount } from "react-icons/vsc";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuLabel,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+} from "../ui/dropdown-menu";
+import { Drawer, DrawerContent, DrawerTrigger } from "../ui/drawer";
+import { DialogClose } from "../ui/dialog";
+import { LuLogOut } from "react-icons/lu";
+import useSWR from "swr";
 
 type AccountSettingsProps = {
   className?: string;
 };
 export default function AccountSettings({ className }: AccountSettingsProps) {
+  const { data: profile } = useSWR("profile");
+  const { data: config } = useSWR("config");
+  const logoutUrl = config?.auth.logout_url || "/api/logout";
+
+  const Container = isDesktop ? DropdownMenu : Drawer;
+  const Trigger = isDesktop ? DropdownMenuTrigger : DrawerTrigger;
+  const Content = isDesktop ? DropdownMenuContent : DrawerContent;
+  const MenuItem = isDesktop ? DropdownMenuItem : DialogClose;
+
   return (
-    <Tooltip>
-      <TooltipTrigger asChild>
-        <div
-          className={cn(
-            "flex flex-col items-center justify-center",
-            isDesktop
-              ? "cursor-pointer rounded-lg bg-secondary text-secondary-foreground hover:bg-muted"
-              : "text-secondary-foreground",
-            className,
-          )}
+    <div className={className}>
+      <Container>
+        <Trigger asChild>
+          <a href="#">
+            <Tooltip>
+              <TooltipTrigger asChild>
+                <div
+                  className={cn(
+                    "flex flex-col items-center justify-center",
+                    isDesktop
+                      ? "cursor-pointer rounded-lg bg-secondary text-secondary-foreground hover:bg-muted"
+                      : "text-secondary-foreground",
+                    className,
+                  )}
+                >
+                  <VscAccount className="size-5 md:m-[6px]" />
+                </div>
+              </TooltipTrigger>
+              <TooltipPortal>
+                <TooltipContent side="right">
+                  <p>Account</p>
+                </TooltipContent>
+              </TooltipPortal>
+            </Tooltip>
+          </a>
+        </Trigger>
+        <Content
+          className={
+            isDesktop ? "mr-5 w-72" : "max-h-[75dvh] overflow-hidden p-2"
+          }
         >
-          <VscAccount className="size-5 md:m-[6px]" />
-        </div>
-      </TooltipTrigger>
-      <TooltipPortal>
-        <TooltipContent side="right">
-          <p>Account</p>
-        </TooltipContent>
-      </TooltipPortal>
-    </Tooltip>
+          <div className="w-full flex-col overflow-y-auto overflow-x-hidden">
+            <DropdownMenuLabel>
+              Current User: {profile?.username || "anonymous"}
+            </DropdownMenuLabel>
+            <DropdownMenuSeparator className={isDesktop ? "mt-3" : "mt-1"} />
+            <MenuItem
+              className={
+                isDesktop ? "cursor-pointer" : "flex items-center p-2 text-sm"
+              }
+            >
+              <a className="flex" href={logoutUrl}>
+                <LuLogOut className="mr-2 size-4" />
+                <span>Logout</span>
+              </a>
+            </MenuItem>
+          </div>
+        </Content>
+      </Container>
+    </div>
   );
 }

web/src/components/overlay/CreateUserDialog.tsx

@@ -0,0 +1,111 @@
+import { Button } from "../ui/button";
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from "../ui/form";
+import { Input } from "../ui/input";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useForm } from "react-hook-form";
+import { z } from "zod";
+import ActivityIndicator from "../indicators/activity-indicator";
+import { useState } from "react";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "../ui/dialog";
+
+type CreateUserOverlayProps = {
+  show: boolean;
+  onCreate: (user: string, password: string) => void;
+  onCancel: () => void;
+};
+export default function CreateUserDialog({
+  show,
+  onCreate,
+  onCancel,
+}: CreateUserOverlayProps) {
+  const [isLoading, setIsLoading] = useState<boolean>(false);
+
+  const formSchema = z.object({
+    user: z
+      .string()
+      .min(1)
+      .regex(/^[A-Za-z0-9._]+$/, {
+        message: "Username may only include letters, numbers, . or _",
+      }),
+    password: z.string(),
+  });
+
+  const form = useForm<z.infer<typeof formSchema>>({
+    resolver: zodResolver(formSchema),
+    mode: "onChange",
+    defaultValues: {
+      user: "",
+      password: "",
+    },
+  });
+
+  const onSubmit = async (values: z.infer<typeof formSchema>) => {
+    setIsLoading(true);
+    await onCreate(values.user, values.password);
+    form.reset();
+    setIsLoading(false);
+  };
+
+  return (
+    <Dialog open={show} onOpenChange={onCancel}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Create User</DialogTitle>
+        </DialogHeader>
+        <Form {...form}>
+          <form onSubmit={form.handleSubmit(onSubmit)}>
+            <FormField
+              name="user"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>User</FormLabel>
+                  <FormControl>
+                    <Input
+                      className="w-full border border-input bg-background p-2 hover:bg-accent hover:text-accent-foreground dark:[color-scheme:dark]"
+                      {...field}
+                    />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+            <FormField
+              name="password"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Password</FormLabel>
+                  <FormControl>
+                    <Input
+                      className="w-full border border-input bg-background p-2 hover:bg-accent hover:text-accent-foreground dark:[color-scheme:dark]"
+                      type="password"
+                      {...field}
+                    />
+                  </FormControl>
+                </FormItem>
+              )}
+            />
+            <DialogFooter className="mt-4">
+              <Button variant="select" disabled={isLoading}>
+                {isLoading && <ActivityIndicator className="mr-2 h-4 w-4" />}
+                Create User
+              </Button>
+            </DialogFooter>
+          </form>
+        </Form>
+      </DialogContent>
+    </Dialog>
+  );
+}

web/src/components/overlay/DeleteUserDialog.tsx

@@ -0,0 +1,40 @@
+import { Button } from "../ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "../ui/dialog";
+
+type SetPasswordProps = {
+  show: boolean;
+  onDelete: () => void;
+  onCancel: () => void;
+};
+export default function DeleteUserDialog({
+  show,
+  onDelete,
+  onCancel,
+}: SetPasswordProps) {
+  return (
+    <Dialog open={show} onOpenChange={onCancel}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Delete User</DialogTitle>
+        </DialogHeader>
+        <div>Are you sure?</div>
+        <DialogFooter>
+          <Button
+            className="flex items-center gap-1"
+            variant="destructive"
+            size="sm"
+            onClick={onDelete}
+          >
+            Delete
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}

web/src/components/overlay/SetPasswordDialog.tsx

@@ -0,0 +1,51 @@
+import { Button } from "../ui/button";
+import { Input } from "../ui/input";
+import { useState } from "react";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "../ui/dialog";
+
+type SetPasswordProps = {
+  show: boolean;
+  onSave: (password: string) => void;
+  onCancel: () => void;
+};
+export default function SetPasswordDialog({
+  show,
+  onSave,
+  onCancel,
+}: SetPasswordProps) {
+  const [password, setPassword] = useState<string>();
+
+  return (
+    <Dialog open={show} onOpenChange={onCancel}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Set Password</DialogTitle>
+        </DialogHeader>
+        <Input
+          className="w-full border border-input bg-background p-2 hover:bg-accent hover:text-accent-foreground dark:[color-scheme:dark]"
+          type="password"
+          value={password}
+          onChange={(event) => setPassword(event.target.value)}
+        />
+        <DialogFooter>
+          <Button
+            className="flex items-center gap-1"
+            variant="select"
+            size="sm"
+            onClick={() => {
+              onSave(password!);
+            }}
+          >
+            Save
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}

web/src/components/settings/Authentication.tsx

@@ -0,0 +1,161 @@
+import { useCallback, useEffect, useState } from "react";
+import ActivityIndicator from "@/components/indicators/activity-indicator";
+import { FrigateConfig } from "@/types/frigateConfig";
+import { Toaster } from "@/components/ui/sonner";
+import useSWR from "swr";
+import Heading from "../ui/heading";
+import { User } from "@/types/user";
+import { Button } from "../ui/button";
+import SetPasswordDialog from "../overlay/SetPasswordDialog";
+import axios from "axios";
+import CreateUserDialog from "../overlay/CreateUserDialog";
+import { toast } from "sonner";
+import DeleteUserDialog from "../overlay/DeleteUserDialog";
+import { Card } from "../ui/card";
+
+export default function Authentication() {
+  const { data: config } = useSWR<FrigateConfig>("config");
+  const { data: users, mutate: mutateUsers } = useSWR<User[]>("users");
+
+  const [showSetPassword, setShowSetPassword] = useState(false);
+  const [showCreate, setShowCreate] = useState(false);
+  const [showDelete, setShowDelete] = useState(false);
+
+  const [selectedUser, setSelectedUser] = useState<string>();
+
+  useEffect(() => {
+    document.title = "Authentication Settings - Frigate";
+  }, []);
+
+  const onSavePassword = useCallback((user: string, password: string) => {
+    axios
+      .put(`users/${user}/password`, {
+        password: password,
+      })
+      .then((response) => {
+        if (response.status == 200) {
+          setShowSetPassword(false);
+        }
+      })
+      .catch((_error) => {
+        toast.error("Error setting password", {
+          position: "top-center",
+        });
+      });
+  }, []);
+
+  const onCreate = async (user: string, password: string) => {
+    try {
+      await axios.post("users", {
+        username: user,
+        password: password,
+      });
+      setShowCreate(false);
+      mutateUsers((users) => {
+        users?.push({ username: user });
+        return users;
+      }, false);
+    } catch (error) {
+      toast.error("Error creating user. Check server logs.", {
+        position: "top-center",
+      });
+    }
+  };
+
+  const onDelete = async (user: string) => {
+    try {
+      await axios.delete(`users/${user}`);
+      setShowDelete(false);
+      mutateUsers((users) => {
+        return users?.filter((u) => {
+          return u.username !== user;
+        });
+      }, false);
+    } catch (error) {
+      toast.error("Error deleting user. Check server logs.", {
+        position: "top-center",
+      });
+    }
+  };
+
+  if (!config || !users) {
+    return <ActivityIndicator />;
+  }
+
+  return (
+    <div className="flex size-full flex-col md:flex-row">
+      <Toaster position="top-center" closeButton={true} />
+      <div className="order-last mb-10 mt-2 flex h-full w-full flex-col overflow-y-auto rounded-lg border-[1px] border-secondary-foreground bg-background_alt p-2 md:order-none md:mb-0 md:mr-2 md:mt-0">
+        <Heading as="h3" className="my-2">
+          Users
+        </Heading>
+        <div className="flex flex-row items-center justify-end gap-2">
+          <Button
+            variant="select"
+            onClick={() => {
+              setShowCreate(true);
+            }}
+          >
+            Add User
+          </Button>
+        </div>
+        <div className="mt-3 space-y-3">
+          {users.map((u) => (
+            <Card key={u.username} className="mb-1 p-2">
+              <div className="flex items-center gap-3">
+                <div className="ml-3 flex flex-none shrink overflow-hidden text-ellipsis align-middle text-lg">
+                  {u.username}
+                </div>
+                <div className="flex flex-1 justify-end space-x-2 ">
+                  <Button
+                    variant="secondary"
+                    onClick={() => {
+                      setShowSetPassword(true);
+                      setSelectedUser(u.username);
+                    }}
+                  >
+                    Set Password
+                  </Button>
+                  <Button
+                    variant="destructive"
+                    onClick={() => {
+                      setShowDelete(true);
+                      setSelectedUser(u.username);
+                    }}
+                  >
+                    Delete
+                  </Button>
+                </div>
+              </div>
+            </Card>
+          ))}
+        </div>
+      </div>
+      <SetPasswordDialog
+        show={showSetPassword}
+        onCancel={() => {
+          setShowSetPassword(false);
+        }}
+        onSave={(password) => {
+          onSavePassword(selectedUser!, password);
+        }}
+      />
+      <DeleteUserDialog
+        show={showDelete}
+        onCancel={() => {
+          setShowDelete(false);
+        }}
+        onDelete={() => {
+          onDelete(selectedUser!);
+        }}
+      />
+      <CreateUserDialog
+        show={showCreate}
+        onCreate={onCreate}
+        onCancel={() => {
+          setShowCreate(false);
+        }}
+      />
+    </div>
+  );
+}

web/src/components/settings/General.tsx

@@ -80,7 +80,7 @@ export default function General() {
             <div className="mt-2 space-y-6">
               <div className="space-y-0.5">
                 <div className="text-md">Default Playback Rate</div>
-                <div className="text-sm text-muted-foreground my-2">
+                <div className="my-2 text-sm text-muted-foreground">
                   <p>Default playback rate for recordings playback.</p>
                 </div>
               </div>
@@ -106,7 +106,7 @@ export default function General() {
                 </SelectGroup>
               </SelectContent>
             </Select>
-            <Separator className="flex my-2 bg-secondary" />
+            <Separator className="my-2 flex bg-secondary" />
             <div className="mt-2 space-y-6">
               <div className="space-y-0.5">
                 <div className="text-md">Low Data Mode</div>