Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automatic login for ProxyAuth plugin, improved security documentation #1400

Merged
merged 3 commits into from
Jan 21, 2024
Merged

Automatic login for ProxyAuth plugin, improved security documentation #1400

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
081726d
added automatic login
PhilippMundhenk Jan 21, 2024
59c0f5c
documented auto login, improved security documentation
PhilippMundhenk Jan 21, 2024
b947db2
added documentation for usage of custom_logout_link
PhilippMundhenk Jan 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 18 additions & 2 deletions plugins/proxy-auth/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ The following example is for Traefik with Authelia and Dovecot as mailserver.

The following steps are require in SnappyMail:

- To open SnappyMail through a reverse proxy server, make sure to enable the correct secfetch policies: ```mode=navigate,dest=document,site=cross-site,user=true``` in the admin panel -> Config -> Security -> secfetch_allow.
- To open SnappyMail through a reverse proxy server (with redirect of authentication system), make sure to enable the correct secfetch policies: ```mode=navigate,dest=document,site=cross-site,user=true;mode=navigate,dest=document,site=same-site,user=true``` in the admin panel -> Config -> Security -> secfetch_allow.
- Activate plugin in admin panel -> Extensions
- Configure the plugin with the required data:
- Master User Separator is dependent on Dovecot config (see below)
Expand All @@ -21,6 +21,7 @@ The following steps are require in SnappyMail:
- Header Name is dependent on authentication solution. This is the header containing the name of currently logged in user. In case of Authelia, this is "Remote-User".
- Check Proxy: Since this plugin partially bypasses authentication, it is important to only allow this access from well-defined hosts. It is highly recommended to activate this option!
- When checking for reverse proxy, it is required to set the IP filter to either an IP address or a subnet.
- Automatic Login: Automatically logs in the user of user header is present (see below)

This concludes the setup of SnappyMail.

Expand Down Expand Up @@ -50,12 +51,16 @@ passdb {

You then need to create a master user in /etc/dovecot/master-users:
```
admin:PASSWORD
admin:PASSWORD::::::allow_nets=local,172.17.0.0/16
```
where the encrypted password ```PASSWORD``` can be created from a cleartext password with ```doveadm pw -s CRYPT```.
It should start with ```{CRYPT}```.
Username and password need to configured in the SnappyMail ProxyAuth plugin (see above).

You likely also want to limit the access by an IP address filter, e.g., to ```local,172.17.0.0/16```, if you are running Postfix (```local```) and within a default Docker environment (```172.17.0.0/16```).
Otherwise, master user login (assuming password is known) is possible from every connectable system.
This is an unnecessary security risk.

Additionally, you need to set the master user separator in /etc/dovecot/conf.d/10-auth.conf, e.g., ```auth_master_user_separator = *```.
The separator needs to be configured in the SnappyMail ProxyAuth plugin (see above).

Expand All @@ -64,3 +69,14 @@ The separator needs to be configured in the SnappyMail ProxyAuth plugin (see abo
Once configured correctly, you should be able to access SnappyMail through your reverse proxy at ```https://snappymail.tld/?ProxyAuth```.
If your reverse proxy provides the username in the configured header (e.g., Remote-User), you will automatically be logged in to your account.
If not, you will be redirected to the login page.

## Automatic Login

By default, automatic login is activated.
Behind the scenes, this checks for the existence of the configured user header (through ```/?UserHeaderSet```) and automatically redirects to ```https://snappymail.tld/?ProxyAuth```, trying to log in the user.
Note that due to this implementation, logout is impossible, as once logged out, the user will automatically be logged in again.
The user is always considered logged in, as authentication is handled through reverse proxy and authentication system.

Auto login can be disabled in the plugin settings.
You can also change the logout link in admin panel -> Config -> custom_logout_link to the one of your authentication system, e.g., ```https://auth.yourdomain.com/logout```.
In this case, you can log out from your overall system via SnappyMail.
32 changes: 31 additions & 1 deletion plugins/proxy-auth/index.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@ class ProxyAuthPlugin extends \RainLoop\Plugins\AbstractPlugin

public function Init() : void
{
$this->addJs('js/auto-login.js');
$this->addPartHook('ProxyAuth', 'ServiceProxyAuth');
$this->addPartHook('UserHeaderSet', 'ServiceUserHeaderSet');
$this->addHook('login.credentials', 'MapEmailAddress');
}

Expand Down Expand Up @@ -140,6 +142,28 @@ public function ServiceProxyAuth() : bool
return true;
}

public function ServiceUserHeaderSet() : bool
{
$oActions = \RainLoop\Api::Actions();

$oLogger = $oActions->Logger();
$sLevel = LOG_DEBUG;
$sPrefix = "ProxyAuth";

$sHeaderName = \trim($this->Config()->getDecrypted('plugin', 'header_name', ''));

$sRemoteUser = $this->Manager()->Actions()->Http()->GetHeader($sHeaderName);
$sMsg = "Remote User: " . $sRemoteUser;
$oLogger->Write($sMsg, $sLevel, $sPrefix);

if (strlen($sRemoteUser) > 0) {
\MailSo\Base\Http::StatusHeader('200');
} else {
\MailSo\Base\Http::StatusHeader('401');
}
return true;
}

protected function configMapping() : array
{
return array(
Expand Down Expand Up @@ -178,7 +202,13 @@ protected function configMapping() : array
->SetType(\RainLoop\Enumerations\PluginPropertyType::STRING_TEXT)
->SetDescription('IP or Subnet of proxy, auth header will only be accepted from this address')
->SetDefaultValue('10.1.0.0/24')
->SetEncrypted()
->SetEncrypted(),
\RainLoop\Plugins\Property::NewInstance('auto_login')
->SetAllowedInJs(true)
->SetLabel('Activate automatic login')
->SetType(\RainLoop\Enumerations\PluginPropertyType::BOOL)
->SetDescription('Activates automatic login, if User Header is set (note: Use custom_logout_link to enable logout, see plugin README)')
->SetDefaultValue(true)
);
}
}
32 changes: 32 additions & 0 deletions plugins/proxy-auth/js/auto-login.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
(rl => {

rl && addEventListener('rl-view-model', e => {
const id = e.detail.viewModelTemplateID;
if (e.detail && ('Login' === id)) {
let
auto_login = window.rl.pluginSettingsGet('proxy-auth', 'auto_login');
;

const
ForwardProxyAuth = () => {
if (auto_login) {
var xhr = new XMLHttpRequest();
xhr.open("GET", "/?UserHeaderSet", true);

xhr.onreadystatechange = function () {
if (xhr.readyState == 4 && xhr.status == 200) {
window.location.href = "/?ProxyAuth";
}
};

xhr.send();
}
};

window.ForwardProxyAuth = ForwardProxyAuth;

ForwardProxyAuth();
}
});
})(window.rl);