feat: add WebUI API token authorization (#4197)

* return 401 instead of 403, provide www-authenticate header, redirect to the login page, add cookie token support * set cookies completely through js in auth page
2024-12-19 20:57:54 +00:00 · 2024-11-19 21:43:02 +04:00 · 2024-11-19 21:43:02 +04:00 · de148cb2ad
commit de148cb2ad
parent 8a4df3af99
3 changed files with 119 additions and 96 deletions
--- a/core/http/app_test.go
+++ b/core/http/app_test.go
@ -345,7 +345,7 @@ var _ = Describe("API test", func() {
 			It("Should fail if the api key is missing", func() {
 				err, sc := postInvalidRequest("http://127.0.0.1:9090/models/available")
 				Expect(err).ToNot(BeNil())
-				Expect(sc).To(Equal(403))
+				Expect(sc).To(Equal(401))
 			})
 		})

--- a/core/http/middleware/auth.go
+++ b/core/http/middleware/auth.go
@ -7,7 +7,6 @@ import (
 	"github.com/dave-gray101/v2keyauth"
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/keyauth"
-	"github.com/microcosm-cc/bluemonday"
 	"github.com/mudler/LocalAI/core/config"
 )

@ -16,7 +15,7 @@ import (
 // Therefore `dave-gray101/v2keyauth` contains the v2 backport of the middleware until v3 stabilizes and we migrate.

 func GetKeyAuthConfig(applicationConfig *config.ApplicationConfig) (*v2keyauth.Config, error) {
-	customLookup, err := v2keyauth.MultipleKeySourceLookup([]string{"header:Authorization", "header:x-api-key", "header:xi-api-key"}, keyauth.ConfigDefault.AuthScheme)
+	customLookup, err := v2keyauth.MultipleKeySourceLookup([]string{"header:Authorization", "header:x-api-key", "header:xi-api-key", "cookie:token"}, keyauth.ConfigDefault.AuthScheme)
 	if err != nil {
 		return nil, err
 	}
@ -36,10 +35,11 @@ func getApiKeyErrorHandler(applicationConfig *config.ApplicationConfig) fiber.Er
 			if len(applicationConfig.ApiKeys) == 0 {
 				return ctx.Next() // if no keys are set up, any error we get here is not an error.
 			}
+			ctx.Set("WWW-Authenticate", "Bearer")
 			if applicationConfig.OpaqueErrors {
-				return ctx.SendStatus(403)
+				return ctx.SendStatus(401)
 			}
-			return ctx.Status(403).SendString(bluemonday.StrictPolicy().Sanitize(err.Error()))
+			return ctx.Status(401).Render("views/login", nil)
 		}
 		if applicationConfig.OpaqueErrors {
 			return ctx.SendStatus(500)
--- a/core/http/views/login.html
+++ b/core/http/views/login.html
@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Open Authenticated Website</title>
+</head>
+<body>
+    <h1>Authorization is required</h1>
+    <input type="text" id="token" placeholder="Token" />
+    <button onclick="login()">Login</button>
+    <script>
+        function login() {
+            const token = document.getElementById('token').value;
+            var date = new Date();
+            date.setTime(date.getTime() + (24*60*60*1000));
+            document.cookie = `token=${token}; expires=${date.toGMTString()}`;
+
+            window.location.reload();
+        }
+    </script>
+</body>
+</html>