Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Hide detection action menu for unauthenticated users #420

Merged
merged 11 commits into from
Jan 31, 2025
Merged

feat: Hide detection action menu for unauthenticated users #420

merged 11 commits into from
Jan 31, 2025

Conversation

tphakala
Copy link
Owner

Avoid unauthenticated users from reviewing and deleting detections by protecting routes and UI elements

tphakala added 10 commits January 28, 2025 16:07
@tphakala
feat: add authentication middleware to detection routes
70a1266 
- Added authentication middleware to DELETE, POST, and review detection routes
- Introduced Security struct to manage access control in detection views
- Implemented IsAccessAllowed method to check user authentication status
- Added security context to detection and recent detections templates
@tphakala
feat: add security context to action menu template
f0f09ee 
- Updated actionMenu template to support security context
- Added conditional rendering based on security access
- Passed security and note data to action menu template
- Refactored template references to use nested data structure
@tphakala
Merge branch 'main' into protect-action-menu
b8118fb
@tphakala
refactor: modify login and authentication routes
e1714fa 
- Change default login redirect to root path "/"
- Commented out login and logout routes
- Added helper function to check protected routes
@tphakala
refactor: simplify action menu template and move security check to pa…
6299d0f 
…rent template
@tphakala
refactor: conditionally render action menu based on access permissions
d37c932
@tphakala
feat: enhance local network authentication and cookie handling
6e51ad4 
- Added subnet detection for local network clients
- Implemented configurable cookie store for local network access
- Added methods to check and convert IP subnets
- Updated basic authorization token handling to support local network scenarios
@tphakala
feat: pass server instance to handlers for enhanced configuration
d59dab8 
- Updated handlers initialization to include server instance
- Allows handlers to access server-level configurations and methods
@tphakala
refactor: update security handling in detections handlers
6b03b02 
- Replaced custom Security struct with map[string]interface{}
- Moved security-related methods to Handlers struct
- Added GetSecurity method to centralize security state retrieval
- Updated Detections and RecentDetections handlers to use new security approach
@tphakala
feat: add icons to action menu buttons
fa992a6 
- Added SVG icons for review detection, show/hide species, and delete detection buttons
- Improved visual hierarchy and clarity of action menu items
- Wrapped button text with flex container for consistent icon and text alignment
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jan 31, 2025
edited
Loading

Caution

Review failed

The pull request is closed.

Walkthrough

This pull request introduces changes to the authentication and security mechanisms within the application. Modifications include updating the login redirection logic, adding a Security context to detection handlers, enhancing the Handlers struct with new fields, and implementing checks for protected routes. Additionally, the login/logout routes have been disabled, and access controls have been enforced for certain actions. These changes collectively aim to improve the application's security and user access management.

Changes

File Change Summary
internal/httpcontroller/auth_routes.go Modified login page redirect to root path ("/") instead of settings page
internal/httpcontroller/handlers/detections.go Added Security map to detection handlers with authentication and access information
internal/httpcontroller/handlers/handlers.go Added new fields for Cloudflare access, debug mode, and server interface
Introduced GetSecurity method for security context
internal/httpcontroller/middleware.go Added isProtectedRoute function to check route protection
internal/httpcontroller/routes.go Commented out login/logout routes
Added authentication middleware to detection-related routes
internal/httpcontroller/server.go Updated Handlers initialization to pass server instance
internal/security/basic.go Added local subnet detection functions
Enhanced basic auth token handling
views/elements/actionMenu.html Improved SVG icons and conditional rendering
views/fragments/listDetections.html Added conditional Action Menu rendering based on access rights
views/fragments/recentDetections.html Added conditional Action Menu rendering based on access rights

Possibly related PRs

Poem

🐰 In the realm of bits and bytes so bright,
A rabbit hops through security's might.
Redirects dance, routes now secure,
Access controlled, permissions pure.
Code leaps forward with playful delight! 🔒

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa992a6 and 7675278.

📒 Files selected for processing (1)
  • internal/httpcontroller/auth_routes.go (1 hunks)

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Jan 31, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
internal/security/basic.go (1)

104-108: Add logging for local network access.

When special handling is applied for local network clients, it should be logged for security auditing.

 	if clientIP := net.ParseIP(c.RealIP()); isInLocalSubnet(clientIP) {
+		// Log when local network access is detected
+		log.Printf("Local network access detected from IP: %s", clientIP)
 		// For clients in the local subnet, allow non-HTTPS cookies
 		configureLocalNetworkCookieStore()
 	}
internal/httpcontroller/handlers/detections.go (1)

130-130: Consider refactoring duplicated security map initialization.

The security map initialization is duplicated in both Detections and RecentDetections handlers. Consider using the GetSecurity method to reduce duplication.

Apply this diff to use the GetSecurity method:

-		Security: map[string]interface{}{
-			"Enabled":       h.Settings.Security.BasicAuth.Enabled || h.Settings.Security.GoogleAuth.Enabled || h.Settings.Security.GithubAuth.Enabled,
-			"AccessAllowed": h.Server.IsAccessAllowed(c),
-			"IsCloudflare":  h.CloudflareAccess.IsEnabled(c),
-		},
+		Security: h.GetSecurity(c),

Also applies to: 149-153, 224-224, 228-232

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f40379 and fa992a6.

📒 Files selected for processing (10)
  • internal/httpcontroller/auth_routes.go (1 hunks)
  • internal/httpcontroller/handlers/detections.go (3 hunks)
  • internal/httpcontroller/handlers/handlers.go (5 hunks)
  • internal/httpcontroller/middleware.go (1 hunks)
  • internal/httpcontroller/routes.go (2 hunks)
  • internal/httpcontroller/server.go (1 hunks)
  • internal/security/basic.go (3 hunks)
  • views/elements/actionMenu.html (4 hunks)
  • views/fragments/listDetections.html (2 hunks)
  • views/fragments/recentDetections.html (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: Analyze (go)
🔇 Additional comments (13)
internal/httpcontroller/middleware.go (1)

124-127: Consider expanding protected route patterns.

The current implementation only protects paths starting with "/settings/". Consider if other sensitive paths should also be protected, such as paths related to detection management, user data, or system configuration.

internal/httpcontroller/auth_routes.go (1)

82-83: LGTM! Good security improvement.

Changing the default redirect from "/settings/main" to "/" is a good security practice as it prevents unauthenticated users from being automatically redirected to protected routes.

Also applies to: 88-89

internal/httpcontroller/server.go (1)

68-68: LGTM! Proper dependency injection.

Adding the Server instance to the handlers initialization allows for proper access to authentication methods.

internal/httpcontroller/routes.go (2)

123-123: LGTM! Authentication middleware added to sensitive routes.

The addition of s.AuthMiddleware to detection-related routes (/detections/delete, /detections/ignore, /detections/review) properly protects these endpoints from unauthenticated access.

Also applies to: 126-126, 129-129

113-114: ⚠️ Potential issue

Verify the impact of commenting out login/logout routes.

The login/logout routes are commented out without providing alternative routes. This could prevent users from authenticating, which seems inconsistent with the PR objective of protecting routes for unauthenticated users.

Let's verify if alternative login/logout routes exist:

internal/httpcontroller/handlers/handlers.go (2)

37-39: LGTM! Well-structured security-related fields added.

The new fields in the Handlers struct are well-organized and provide necessary security context:

  • CloudflareAccess for Cloudflare integration
  • debug for debug mode control
  • Server interface for access control

244-249: LGTM! Clean security state management implementation.

The Security struct and GetSecurity method provide a clean interface for managing and checking security state:

  • Encapsulates all security-related flags
  • Provides a single source of truth for security checks
  • Method implementation properly aggregates security state from multiple sources

Also applies to: 251-258

views/elements/actionMenu.html (1)

27-30: LGTM! Enhanced UI with consistent icon usage.

The changes improve the UI by:

  • Adding descriptive icons for each action
  • Using templates for conditional rendering
  • Maintaining accessibility with descriptive text alongside icons

Also applies to: 67-78, 109-111

views/fragments/recentDetections.html (3)

14-17: LGTM! Secure implementation of the action menu column header.

The conditional rendering based on $.Security.AccessAllowed is correctly implemented, with appropriate responsive design considerations.

130-134: LGTM! Secure implementation of the action menu cell.

The conditional rendering is consistent with the header implementation, ensuring proper access control.

Line range hint 141-142: Verify mobile view implementation.

The action menu is completely omitted in the mobile view. While this is consistent with the desktop view's responsive behavior (where action menu is hidden on small screens), please confirm this is the intended behavior for mobile users.

views/fragments/listDetections.html (2)

75-77: LGTM! Consistent implementation with recentDetections.html.

The security check and styling are properly aligned with the implementation in recentDetections.html.

236-240: LGTM! Secure and consistent implementation.

The conditional rendering maintains consistency with both the header and recentDetections.html implementation.

internal/security/basic.go Show resolved Hide resolved
@tphakala
refactor: simplify login redirect handling
7675278 
- Remove commented-out redirect paths
- Consistently set default redirect to root path "/"
- Clarify redirect logic for login route
@tphakala tphakala merged commit b80ea87 into main Jan 31, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tphakala