feat(admin): add -urlPrefix flag for subdirectory deployment (#8670)
Allow the admin server to run behind a reverse proxy under a subdirectory by adding a -urlPrefix flag (e.g. -urlPrefix=/seaweedfs). Closes #8646
This commit is contained in:
Chris Lu
@@ -10,24 +10,25 @@ import (
|
||||
|
||||
// ShowLogin displays the login page.
|
||||
func (s *AdminServer) ShowLogin(w http.ResponseWriter, r *http.Request) {
|
||||
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
||||
http.Redirect(w, r, P(r.Context(), "/login"), http.StatusSeeOther)
|
||||
}
|
||||
|
||||
// HandleLogin handles login form submission.
|
||||
func (s *AdminServer) HandleLogin(store sessions.Store, adminUser, adminPassword, readOnlyUser, readOnlyPassword string) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
prefix := URLPrefixFromContext(r.Context())
|
||||
if err := r.ParseForm(); err != nil {
|
||||
http.Redirect(w, r, "/login?error=Invalid form submission", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Invalid form submission", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
session, err := store.Get(r, sessionName)
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
|
||||
if err := ValidateSessionCSRFToken(session, r); err != nil {
|
||||
http.Redirect(w, r, "/login?error=Invalid CSRF token", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Invalid CSRF token", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -56,31 +57,32 @@ func (s *AdminServer) HandleLogin(store sessions.Store, adminUser, adminPassword
|
||||
session.Values["role"] = role
|
||||
csrfToken, err := generateCSRFToken()
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
session.Values[sessionCSRFTokenKey] = csrfToken
|
||||
if err := session.Save(r, w); err != nil {
|
||||
// Log the detailed error server-side for diagnostics.
|
||||
glog.Errorf("Failed to save session for user %s: %v", loginUsername, err)
|
||||
http.Redirect(w, r, "/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Unable to create session. Please try again or contact administrator.", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(w, r, "/admin", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/admin", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
|
||||
// Authentication failed.
|
||||
http.Redirect(w, r, "/login?error=Invalid credentials", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login?error=Invalid credentials", http.StatusSeeOther)
|
||||
}
|
||||
}
|
||||
|
||||
// HandleLogout handles user logout.
|
||||
func (s *AdminServer) HandleLogout(store sessions.Store, w http.ResponseWriter, r *http.Request) {
|
||||
prefix := URLPrefixFromContext(r.Context())
|
||||
session, err := store.Get(r, sessionName)
|
||||
if err != nil {
|
||||
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
for key := range session.Values {
|
||||
@@ -90,5 +92,5 @@ func (s *AdminServer) HandleLogout(store sessions.Store, w http.ResponseWriter,
|
||||
if err := session.Save(r, w); err != nil {
|
||||
glog.Warningf("Failed to save session during logout: %v", err)
|
||||
}
|
||||
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
||||
http.Redirect(w, r, prefix+"/login", http.StatusSeeOther)
|
||||
}
|
||||
|
||||
@@ -1,13 +1,18 @@
|
||||
package dash
|
||||
|
||||
import "context"
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/a-h/templ"
|
||||
)
|
||||
|
||||
type contextKey string
|
||||
|
||||
const (
|
||||
contextUsernameKey contextKey = "admin.username"
|
||||
contextRoleKey contextKey = "admin.role"
|
||||
contextCSRFKey contextKey = "admin.csrf"
|
||||
contextUsernameKey contextKey = "admin.username"
|
||||
contextRoleKey contextKey = "admin.role"
|
||||
contextCSRFKey contextKey = "admin.csrf"
|
||||
contextURLPrefixKey contextKey = "admin.urlprefix"
|
||||
)
|
||||
|
||||
// WithAuthContext stores auth metadata on the request context.
|
||||
@@ -56,3 +61,31 @@ func CSRFTokenFromContext(ctx context.Context) string {
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// WithURLPrefix stores the URL prefix on the context.
|
||||
func WithURLPrefix(ctx context.Context, prefix string) context.Context {
|
||||
return context.WithValue(ctx, contextURLPrefixKey, prefix)
|
||||
}
|
||||
|
||||
// URLPrefixFromContext retrieves the URL prefix from context.
|
||||
func URLPrefixFromContext(ctx context.Context) string {
|
||||
if ctx == nil {
|
||||
return ""
|
||||
}
|
||||
if value, ok := ctx.Value(contextURLPrefixKey).(string); ok {
|
||||
return value
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// P returns the URL prefix prepended to the given path.
|
||||
// Use in Go handlers for redirect URLs.
|
||||
func P(ctx context.Context, path string) string {
|
||||
return URLPrefixFromContext(ctx) + path
|
||||
}
|
||||
|
||||
// PUrl returns the URL prefix prepended to the given path as a templ.SafeURL.
|
||||
// Use in templ templates for href attributes.
|
||||
func PUrl(ctx context.Context, path string) templ.SafeURL {
|
||||
return templ.SafeURL(URLPrefixFromContext(ctx) + path)
|
||||
}
|
||||
|
||||
@@ -65,10 +65,11 @@ func RequireAuth(store sessions.Store) mux.MiddlewareFunc {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
username, role, csrfToken, err := validateSession(store, w, r)
|
||||
if err != nil {
|
||||
prefix := URLPrefixFromContext(r.Context())
|
||||
if verr, ok := err.(*sessionValidationError); ok && verr.kind == sessionValidationErrorKindUnauthenticated {
|
||||
http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
|
||||
http.Redirect(w, r, prefix+"/login", http.StatusTemporaryRedirect)
|
||||
} else {
|
||||
http.Redirect(w, r, "/login?error=Unable to initialize session", http.StatusTemporaryRedirect)
|
||||
http.Redirect(w, r, prefix+"/login?error=Unable to initialize session", http.StatusTemporaryRedirect)
|
||||
}
|
||||
return
|
||||
}
|
||||
@@ -121,7 +122,7 @@ func RequireWriteAccess() mux.MiddlewareFunc {
|
||||
"message": "This operation requires admin access. Read-only users can only view data.",
|
||||
})
|
||||
} else {
|
||||
http.Redirect(w, r, "/admin?error=Insufficient permissions", http.StatusSeeOther)
|
||||
http.Redirect(w, r, URLPrefixFromContext(r.Context())+"/admin?error=Insufficient permissions", http.StatusSeeOther)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user