Diffstat (limited to 'src/server/nginx_check.rs')
-rw-r--r-- | src/server/nginx_check.rs | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/src/server/nginx_check.rs b/src/server/nginx_check.rs
new file mode 100644
index 0000000..7b67f26
--- /dev/null
+++ b/src/server/nginx_check.rs
@@ -0,0 +1,41 @@
+// for ngx_http_auth_request_module authentication
+// make sure you have cookie_domain set properly
+// depends on https://git.mia.jetzt/sysconf/tree/patches/nginx_auth_redirect.patch
+
+use axum::{
+ extract::{Path, State},
+ http::StatusCode,
+ response::{IntoResponse, Redirect, Response},
+ routing::get,
+ Router,
+};
+use axum_extra::extract::CookieJar;
+
+use crate::server::{account_auth, store::Store};
+
+use super::{ApiState, WebBase};
+
+pub fn bind(app: Router<ApiState>) -> Router<ApiState> {
+ app.route("/nginx_check/:scope", get(nginx_check))
+}
+
+#[axum::debug_handler(state = ApiState)]
+async fn nginx_check(
+ jar: CookieJar,
+ Path(scope): Path<String>,
+ State(store): State<Store>,
+ State(WebBase(web_base)): State<WebBase>,
+) -> Response {
+ let nevermind = || Redirect::to(&format!("{web_base}/logout")).into_response();
+ let Some(name) = account_auth(&jar, &store).await else {
+ return nevermind();
+ };
+ let Some(account) = store.get_account(&name).await else {
+ return nevermind();
+ };
+ if account.scopes.contains(&scope) {
+ StatusCode::OK.into_response()
+ } else {
+ StatusCode::FORBIDDEN.into_response()
+ }
+}
|
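Review bot: `nginx_check` has no doc comment stating its response contract, and that contract is the access decision: 200 only when `account.scopes.contains(&scope)`, 403 for an authenticated account without the scope, and a redirect to `{web_base}/logout` when `account_auth` or `store.get_account` returns `None`. Stock `auth_request` allows only on 2xx and treats anything other than 401/403 as an error, so the redirect path appears to rely on the patch named in the file header; I would say so on the handler itself, e.g. `/// 200 = allow, 403 = scope missing, redirect to logout = no valid session (requires the patched auth_request).` Because `scope` is taken straight from the URL path, the doc comment should also note that the nginx `auth_request` URI must hard-code the scope rather than build it from request data, otherwise the client chooses which scope is checked; this is inferred, since the nginx configuration is not part of the commit.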