rmm2/backend/api/auth.go
cynfo3000 10684dfc0a feat: TOTP 2FA + diverse Verbesserungen
2FA (TOTP):
- backend/api/auth.go: zweistufiger Login-Flow mit Pending-Token (5min),
  Endpunkte /2fa/validate, /2fa/setup, /2fa/confirm, /2fa/disable
- backend/db/users.go: GetUserByID, SetTOTPSecret, EnableTOTP, DisableTOTP
- backend/db/postgres.go: Migration totp_secret + totp_enabled Spalten
- backend/models/user.go: TOTPEnabled/TOTPSecret Felder, neue Request-Typen
- backend/main.go: neue Routen registriert (/2fa/validate ohne Auth, rest geschuetzt)
- backend/go.mod+sum: github.com/pquerna/otp hinzugefuegt
- frontend/src/pages/Login.jsx: zweistufiger Login (Passwort -> TOTP)
- frontend/src/pages/SettingsPage.jsx: TwoFactorSection mit Setup/Deaktivieren
- frontend/src/stores/auth.js: validateTOTP Action
- frontend/src/api/client.js: setupTOTP, confirmTOTP, disableTOTP, validateTOTP

Weitere Aenderungen (unstaged -> jetzt committed):
- frontend/src/components/ScriptModal.jsx: neu
- frontend/src/components/AgentPanel.jsx: Erweiterungen
- frontend/src/components/ProxmoxPanel.jsx: Erweiterungen
- agent-linux/ws/handler.go: Erweiterungen
- backend/api/scheduler.go + tasks.go: Erweiterungen
- backend/db/tasks.go + models/task.go: Erweiterungen
2026-03-08 19:17:43 +01:00

348 lines
10 KiB
Go

package api
import (
"crypto/rand"
"encoding/hex"
"encoding/json"
"fmt"
"log"
"net/http"
"time"
"github.com/cynfo/rmm-backend/db"
"github.com/cynfo/rmm-backend/models"
"github.com/golang-jwt/jwt/v5"
"github.com/pquerna/otp/totp"
"golang.org/x/crypto/bcrypt"
)
type AuthHandler struct {
db *db.Database
secret []byte
}
type JWTClaims struct {
UserID int `json:"user_id"`
Username string `json:"username"`
Role string `json:"role"`
TOTPPending bool `json:"totp_pending,omitempty"` // temp token während 2FA-Schritt
jwt.RegisteredClaims
}
func NewAuthHandler(database *db.Database, jwtSecret string) *AuthHandler {
secret := jwtSecret
if secret == "" {
b := make([]byte, 32)
rand.Read(b)
secret = hex.EncodeToString(b)
log.Println("JWT Secret automatisch generiert (nicht persistent)")
}
return &AuthHandler{db: database, secret: []byte(secret)}
}
func (a *AuthHandler) EnsureDefaultAdmin() {
count, err := a.db.UserCount()
if err != nil {
log.Printf("User-Count Fehler: %v", err)
return
}
if count == 0 {
_, err := a.db.CreateUser("admin", "admin", "Administrator", "admin")
if err != nil {
log.Printf("Default-Admin anlegen fehlgeschlagen: %v", err)
} else {
log.Println("Default-Admin angelegt (admin/admin) - bitte Passwort aendern!")
}
}
}
func (a *AuthHandler) GenerateToken(user *models.User) (string, time.Time, error) {
expiresAt := time.Now().Add(8 * time.Hour)
claims := JWTClaims{
UserID: user.ID,
Username: user.Username,
Role: user.Role,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(time.Now()),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
signed, err := token.SignedString(a.secret)
return signed, expiresAt, err
}
// Kurzlebiger Token nur für den TOTP-Schritt (5 Minuten, kein echter API-Zugriff)
func (a *AuthHandler) generateTOTPPendingToken(user *models.User) (string, error) {
claims := JWTClaims{
UserID: user.ID,
Username: user.Username,
Role: user.Role,
TOTPPending: true,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Now().Add(5 * time.Minute)),
IssuedAt: jwt.NewNumericDate(time.Now()),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(a.secret)
}
func (a *AuthHandler) ValidateToken(tokenStr string) (*JWTClaims, error) {
token, err := jwt.ParseWithClaims(tokenStr, &JWTClaims{}, func(t *jwt.Token) (interface{}, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
}
return a.secret, nil
})
if err != nil {
return nil, err
}
claims, ok := token.Claims.(*JWTClaims)
if !ok || !token.Valid {
return nil, fmt.Errorf("invalid token")
}
// Echte API-Calls mit Pending-Token ablehnen
if claims.TOTPPending {
return nil, fmt.Errorf("totp pending token not valid for api access")
}
return claims, nil
}
// POST /api/v1/auth/login
func (a *AuthHandler) Login(w http.ResponseWriter, r *http.Request) {
var req models.LoginRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "Ungueltige Anfrage")
return
}
user, err := a.db.GetUserByUsername(req.Username)
if err != nil || user == nil {
writeError(w, http.StatusUnauthorized, "Ungueltige Anmeldedaten")
return
}
if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.Password)); err != nil {
writeError(w, http.StatusUnauthorized, "Ungueltige Anmeldedaten")
return
}
// 2FA aktiv → Pending-Token zurückgeben
if user.TOTPEnabled {
pendingToken, err := a.generateTOTPPendingToken(user)
if err != nil {
writeError(w, http.StatusInternalServerError, "Token-Generierung fehlgeschlagen")
return
}
go a.db.AddAuditLog(user.Username, "login_2fa_pending", "user", "", user.Username, "", r.RemoteAddr)
writeJSON(w, http.StatusOK, models.LoginResponse{
TOTPRequired: true,
TOTPToken: pendingToken,
})
return
}
// Kein 2FA → direkt JWT
token, expiresAt, err := a.GenerateToken(user)
if err != nil {
writeError(w, http.StatusInternalServerError, "Token-Generierung fehlgeschlagen")
return
}
a.db.UpdateUserLastLogin(user.ID)
go a.db.AddAuditLog(user.Username, "login", "user", "", user.Username, "", r.RemoteAddr)
writeJSON(w, http.StatusOK, models.LoginResponse{
Token: token,
ExpiresAt: expiresAt.Format(time.RFC3339),
User: user,
})
}
// POST /api/v1/auth/2fa/validate — zweiter Schritt beim Login
func (a *AuthHandler) TOTPValidate(w http.ResponseWriter, r *http.Request) {
var req models.TOTPValidateRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "Ungueltige Anfrage")
return
}
// Pending-Token parsen (ohne ValidateToken, der lehnt Pending-Tokens ab)
jwtToken, err := jwt.ParseWithClaims(req.TOTPToken, &JWTClaims{}, func(t *jwt.Token) (interface{}, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method")
}
return a.secret, nil
})
if err != nil {
writeError(w, http.StatusUnauthorized, "Ungueltige Session")
return
}
claims, ok := jwtToken.Claims.(*JWTClaims)
if !ok || !jwtToken.Valid || !claims.TOTPPending {
writeError(w, http.StatusUnauthorized, "Ungueltige Session")
return
}
user, err := a.db.GetUserByID(claims.UserID)
if err != nil || user == nil || !user.TOTPEnabled {
writeError(w, http.StatusUnauthorized, "Ungueltige Session")
return
}
if !totp.Validate(req.Code, user.TOTPSecret) {
writeError(w, http.StatusUnauthorized, "Ungültiger 2FA-Code")
return
}
token, expiresAt, err := a.GenerateToken(user)
if err != nil {
writeError(w, http.StatusInternalServerError, "Token-Generierung fehlgeschlagen")
return
}
a.db.UpdateUserLastLogin(user.ID)
go a.db.AddAuditLog(user.Username, "login_2fa_success", "user", "", user.Username, "", r.RemoteAddr)
writeJSON(w, http.StatusOK, models.LoginResponse{
Token: token,
ExpiresAt: expiresAt.Format(time.RFC3339),
User: user,
})
}
// POST /api/v1/auth/2fa/setup — Secret generieren, QR-URI zurückgeben
func (a *AuthHandler) TOTPSetup(w http.ResponseWriter, r *http.Request) {
claims, ok := r.Context().Value(UserContextKey).(*JWTClaims)
if !ok {
writeError(w, http.StatusUnauthorized, "Nicht authentifiziert")
return
}
user, err := a.db.GetUserByID(claims.UserID)
if err != nil || user == nil {
writeError(w, http.StatusNotFound, "User nicht gefunden")
return
}
key, err := totp.Generate(totp.GenerateOpts{
Issuer: "cynfo RMM",
AccountName: user.Username,
Period: 30,
Digits: 6,
})
if err != nil {
writeError(w, http.StatusInternalServerError, "TOTP-Generierung fehlgeschlagen")
return
}
if err := a.db.SetTOTPSecret(user.ID, key.Secret()); err != nil {
writeError(w, http.StatusInternalServerError, "Speichern fehlgeschlagen")
return
}
writeJSON(w, http.StatusOK, models.TOTPSetupResponse{
Secret: key.Secret(),
URI: key.URL(),
})
}
// POST /api/v1/auth/2fa/confirm — ersten Code prüfen und 2FA aktivieren
func (a *AuthHandler) TOTPConfirm(w http.ResponseWriter, r *http.Request) {
claims, ok := r.Context().Value(UserContextKey).(*JWTClaims)
if !ok {
writeError(w, http.StatusUnauthorized, "Nicht authentifiziert")
return
}
var req models.TOTPConfirmRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "Ungueltige Anfrage")
return
}
user, err := a.db.GetUserByID(claims.UserID)
if err != nil || user == nil || user.TOTPSecret == "" {
writeError(w, http.StatusBadRequest, "Kein Setup gefunden — bitte zuerst /2fa/setup aufrufen")
return
}
if !totp.Validate(req.Code, user.TOTPSecret) {
writeError(w, http.StatusUnauthorized, "Ungültiger Code")
return
}
if err := a.db.EnableTOTP(user.ID); err != nil {
writeError(w, http.StatusInternalServerError, "Aktivierung fehlgeschlagen")
return
}
go a.db.AddAuditLog(claims.Username, "2fa_enabled", "user", "", claims.Username, "", r.RemoteAddr)
writeJSON(w, http.StatusOK, map[string]any{"ok": true})
}
// POST /api/v1/auth/2fa/disable — 2FA deaktivieren (Passwort + aktueller Code nötig)
func (a *AuthHandler) TOTPDisable(w http.ResponseWriter, r *http.Request) {
claims, ok := r.Context().Value(UserContextKey).(*JWTClaims)
if !ok {
writeError(w, http.StatusUnauthorized, "Nicht authentifiziert")
return
}
var req models.TOTPDisableRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "Ungueltige Anfrage")
return
}
user, err := a.db.GetUserByID(claims.UserID)
if err != nil || user == nil {
writeError(w, http.StatusNotFound, "User nicht gefunden")
return
}
if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.Password)); err != nil {
writeError(w, http.StatusUnauthorized, "Falsches Passwort")
return
}
if user.TOTPEnabled {
if !totp.Validate(req.Code, user.TOTPSecret) {
writeError(w, http.StatusUnauthorized, "Ungültiger 2FA-Code")
return
}
}
if err := a.db.DisableTOTP(user.ID); err != nil {
writeError(w, http.StatusInternalServerError, "Deaktivierung fehlgeschlagen")
return
}
go a.db.AddAuditLog(claims.Username, "2fa_disabled", "user", "", claims.Username, "", r.RemoteAddr)
writeJSON(w, http.StatusOK, map[string]any{"ok": true})
}
// GET /api/v1/auth/me
func (a *AuthHandler) Me(w http.ResponseWriter, r *http.Request) {
claims, ok := r.Context().Value(UserContextKey).(*JWTClaims)
if !ok {
writeError(w, http.StatusUnauthorized, "Nicht authentifiziert")
return
}
user, err := a.db.GetUserByUsername(claims.Username)
if err != nil || user == nil {
writeError(w, http.StatusNotFound, "User nicht gefunden")
return
}
writeJSON(w, http.StatusOK, user)
}
// SetupAuthRoutes registriert Auth-Routes (ohne Auth-Middleware)
func (a *AuthHandler) SetupAuthRoutes(mux *http.ServeMux) {
mux.HandleFunc("POST /api/v1/auth/login", a.Login)
mux.HandleFunc("POST /api/v1/auth/2fa/validate", a.TOTPValidate)
}