134 lines
3.8 KiB
Elixir
134 lines
3.8 KiB
Elixir
defmodule SsoBsnWeb.Router do
|
|
use SsoBsnWeb, :router
|
|
use SsoBsnWeb, :verified_routes
|
|
|
|
import SsoBsnWeb.UserAuth
|
|
|
|
pipeline :browser do
|
|
plug :accepts, ["html"]
|
|
plug :fetch_session
|
|
plug :fetch_live_flash
|
|
plug :put_root_layout, html: {SsoBsnWeb.Layouts, :root}
|
|
plug :protect_from_forgery
|
|
plug :put_secure_browser_headers
|
|
plug :fetch_current_user
|
|
end
|
|
|
|
pipeline :api do
|
|
plug :accepts, ["json"]
|
|
plug Corsica, origins: "*"
|
|
end
|
|
|
|
scope "/", SsoBsnWeb do
|
|
pipe_through :browser
|
|
|
|
get "/", PageController, :home
|
|
get "/redirect", UserSessionController, :redirect_next
|
|
end
|
|
|
|
# Other scopes may use custom stacks.
|
|
# scope "/api", SsoBsnWeb do
|
|
# pipe_through :api
|
|
# end
|
|
|
|
# Enable LiveDashboard in development
|
|
if Application.compile_env(:sso_bsn, :dev_routes) do
|
|
# If you want to use the LiveDashboard in production, you should put
|
|
# it behind authentication and allow only admins to access it.
|
|
# If your application does not have an admins-only section yet,
|
|
# you can use Plug.BasicAuth to set up some basic authentication
|
|
# as long as you are also using SSL (which you should anyway).
|
|
import Phoenix.LiveDashboard.Router
|
|
|
|
scope "/dev" do
|
|
pipe_through :browser
|
|
|
|
live_dashboard "/dashboard", metrics: SsoBsnWeb.Telemetry
|
|
end
|
|
end
|
|
|
|
## Authentication routes
|
|
defp ts_auth(conn, _) do
|
|
{o1, o2, o3, o4} = conn.remote_ip
|
|
case System.cmd("tailscale", ["whois", "--json", "#{o1}.#{o2}.#{o3}.#{o4}"], stderr_to_stdout: true) do
|
|
{json, 0} ->
|
|
username = Jason.decode!(json)["UserProfile"]["DisplayName"]
|
|
user = SsoBsn.Accounts.get_user_by_username(username)
|
|
login_token = SsoBsn.Accounts.generate_user_login_token(user)
|
|
conn |> redirect(to: if next = conn.query_params["next"] do ~p"/users/log_in/#{login_token}?next=#{next}" else ~p"/users/log_in/#{login_token}" end) |> halt()
|
|
{_, 1} ->
|
|
conn
|
|
end
|
|
end
|
|
|
|
scope "/", SsoBsnWeb do
|
|
pipe_through [:browser, :redirect_if_user_is_authenticated, :ts_auth]
|
|
|
|
live_session :redirect_if_user_is_authenticated,
|
|
on_mount: [{SsoBsnWeb.UserAuth, :redirect_if_user_is_authenticated}] do
|
|
live "/users/register", UserRegistrationLive, :new
|
|
live "/users/log_in", UserLoginLive, :new
|
|
end
|
|
|
|
get "/users/log_in/:token", UserSessionController, :login
|
|
end
|
|
|
|
scope "/", SsoBsnWeb do
|
|
pipe_through [:browser, :require_authenticated_user]
|
|
|
|
live_session :require_authenticated_user,
|
|
on_mount: [{SsoBsnWeb.UserAuth, :ensure_authenticated}] do
|
|
live "/users/settings", UserSettingsLive, :edit
|
|
end
|
|
end
|
|
|
|
scope "/", SsoBsnWeb do
|
|
pipe_through [:browser]
|
|
|
|
delete "/users/log_out", UserSessionController, :delete
|
|
end
|
|
|
|
scope "/", SsoBsnWeb do
|
|
pipe_through [:api, :fetch_session, :fetch_current_user]
|
|
|
|
get "/whoami", UserSessionController, :check_auth
|
|
end
|
|
|
|
|
|
# OIDC
|
|
scope "/oauth", SsoBsnWeb.Oauth do
|
|
pipe_through :api
|
|
|
|
post "/revoke", RevokeController, :revoke
|
|
post "/token", TokenController, :token
|
|
post "/introspect", IntrospectController, :introspect
|
|
end
|
|
|
|
|
|
scope "/openid", SsoBsnWeb.Openid do
|
|
pipe_through :api
|
|
|
|
get "/userinfo", UserinfoController, :userinfo
|
|
post "/userinfo", UserinfoController, :userinfo
|
|
get "/jwks", JwksController, :jwks_index
|
|
end
|
|
|
|
scope "/oauth", SsoBsnWeb.Oauth do
|
|
pipe_through [:browser, :fetch_current_user]
|
|
|
|
get "/authorize", AuthorizeController, :authorize
|
|
end
|
|
|
|
scope "/openid", SsoBsnWeb.Openid do
|
|
pipe_through [:browser, :fetch_current_user]
|
|
|
|
get "/authorize", AuthorizeController, :authorize
|
|
end
|
|
|
|
scope "/.well-known", SsoBsnWeb do
|
|
pipe_through :api
|
|
get "/openid-configuration", Openid.ConfigurationController, :config
|
|
get "/webfinger", Webfinger, :webfinger
|
|
end
|
|
end
|