Rethought login

2024-07-08 13:34:54 -03:00 · 2024-07-08 13:34:54 -03:00 · a896f2e032
commit a896f2e032
parent fe52566872
3 changed files with 26 additions and 8 deletions
--- a/TODO.md
+++ b/TODO.md
@ -18,12 +18,12 @@
 * Sanitize all inputs
 * ✅ Streaming responses in slow operations like scaling down
  or building
-* Make more things configurable / remove hardcoded stuff
+* ✅ Make more things configurable / remove hardcoded stuff
  * ✅ Make server take options from file
  * ✅ Make server take options from environment
  * ✅ Make server password configurable
-  * admin/admin auth client side [WIP, broke everything]
-  * `faaso login` is not working properly yet with proxy
+  * ✅ admin/admin auth client side
+  * ✅ `faaso login` is not working properly yet with proxy
 * CD for binaries and images for at least arm64/x86
 * Multi-container docker logs [faaso logs -f FUNKO]
 * ✅ Direct error and above to stderr, others to stdout,
--- a/src/commands/login.cr
+++ b/src/commands/login.cr
@ -9,10 +9,28 @@ module Faaso
        else
          password = STDIN.gets.to_s
        end
-        # Testing with auth/ which is guaranteed locked
-        Crest.get(
-          "#{server}auth/", \
-             user: "admin", password: password).body
+        # This is tricky. If the service is running behind a reverse proxy
+        # then /version is locked, but if it's not, only /auth is locked.
+        # So we try /version first without a password, and if it succeeds
+        # we try /auth with the password. If /version fails, we try /version
+        # with the password
+        #
+        begin
+          # Version without password.
+          Crest.get("#{server}version/")
+          # Auth with password
+          begin
+            Crest.get("#{server}auth/", user: "admin", password: password)
+          rescue ex : Crest::Unauthorized
+            # Failed with auth/
+            Log.error { "Wrong password" }
+            return 1
+          end
+        rescue ex : Crest::Unauthorized
+          # Version with password
+          Crest.get("#{server}version/", user: "admin", password: password)
+        end
+
        # If we got here the password is ok
        CONFIG.hosts[server] = {"admin", password}
        Config.save
--- a/src/daemon/config.cr
+++ b/src/daemon/config.cr
@ -20,7 +20,7 @@ class Config
 end

 class ConfigAuthHandler < Kemal::BasicAuth::Handler
-  only ["/auth"]
+  only ["/auth", "/auth/*"]

  def call(context)
    return call_next(context) unless only_match?(context)