Implement ACL login (#218)

willnode · web-flow · commit 2d977bce2a32 · 2025-03-31T06:33:09.000+02:00
* Implement ACL login

* Make password form optional
diff --git a/includes/common.inc.php b/includes/common.inc.php
@@ -148,6 +148,9 @@
   }
 }
 
+if (!isset($config['login']) && !empty($config['login_as_acl_auth'])) {
+  require_once PHPREDIS_ADMIN_PATH . '/includes/login_acl.inc.php';
+}
 
 if ($server['db'] != 0) {
   if (!$redis->select($server['db'])) {
diff --git a/includes/config.sample.inc.php b/includes/config.sample.inc.php
@@ -61,6 +61,12 @@
     )
   ),*/
 
+  // Uncomment to enable login as ACL authentication (won't work if 'login' or 'auth' is also used)
+  // Only support using one server at this moment.
+  // If you set the default user off, browsers will be redirected to login page.
+  // The user and password will be stored in browser as plaintext so using HTTPS is strongly recommended.
+  // 'login_as_acl_auth' => true,
+
   // Use HTML form/cookie-based auth instead of HTTP Basic/Digest auth
   'cookie_auth' => false,
 
diff --git a/includes/login_acl.inc.php b/includes/login_acl.inc.php
@@ -0,0 +1,100 @@
+<?php
+
+function authCheck($login)
+{
+    global $redis;
+
+    try {
+        $redis->auth($login['username'], $login['password']);
+    } catch (Predis\Response\ServerException $exception) {
+        return false;
+    }
+    return true;
+}
+
+// This fill will perform HTTP basic authentication. The authentication data will be sent and stored as plaintext
+// Please make sure to use HTTPS proxy such as Apache or Nginx to prevent traffic eavesdropping.
+function authHttpBasic()
+{
+    $realm = 'phpRedisAdmin';
+
+    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
+        try {
+            global $redis;
+            $redis->ping();
+        } catch (Predis\Response\ServerException $exception) {
+            header('HTTP/1.1 401 Unauthorized');
+            header('WWW-Authenticate: Basic realm="' . $realm . '"');
+            die('NOAUTH -- Authentication required');
+        }
+    }
+
+    $login = [
+        'username' => $_SERVER['PHP_AUTH_USER'],
+        'password' => $_SERVER['PHP_AUTH_PW'],
+    ];
+
+    if (!authCheck($login)) {
+        header('HTTP/1.1 401 Unauthorized');
+        header('WWW-Authenticate: Basic realm="' . $realm . '"');
+        die('NOAUTH -- Authentication required');
+    }
+
+    return $login;
+}
+
+// Perform auth using a standard HTML <form> submission and cookies to save login state
+function authCookie()
+{
+    if (!empty($_COOKIE['phpRedisAdminLogin'])) {
+        // We have a cookie; is it correct?
+        // Cookie value looks like "username:password-hash"
+        $login = explode(':', $_COOKIE['phpRedisAdminLogin'], 2);
+        if (count($login) === 2) {
+            $login = [
+                'username' => $login[0],
+                'password' => $login[1],
+            ];
+            if (authCheck($login)) {
+                return $login;
+            }
+        }
+    }
+
+    if (isset($_POST['username'], $_POST['password'])) {
+        // Login form submitted; correctly?
+        $login = [
+            'username' => $_POST['username'],
+            'password' => $_POST['password'],
+        ];
+
+        if (authCheck($login)) {
+            setcookie('phpRedisAdminLogin', $login['username'] . ':' . $login['password']);
+            // This should be an absolute URL, but that's a bit of a pain to generate; this will work
+            header("Location: index.php");
+            die();
+        }
+    }
+
+    try {
+        global $redis;
+        $redis->ping();
+    } catch (Predis\Response\ServerException $exception) {
+        // If we're here, we don't have a valid login cookie and we don't have a
+        // valid form submission, so redirect to the login page if we aren't
+        // already on that page
+        if (!defined('LOGIN_PAGE')) {
+            header("Location: login.php");
+            die();
+        }
+    }
+
+    // We must be on the login page without a valid cookie or submission
+    return null;
+}
+
+if (!empty($config['cookie_auth'])) {
+    $login = authCookie();
+} else {
+    $login = authHttpBasic();
+}
diff --git a/login.php b/login.php
@@ -33,7 +33,7 @@
     <label for="inputPassword" class="sr-only">Password</label>
     <input type="password" name="password" id="inputPassword" class="form-control"
            placeholder="Password"
-           required <?= isset($_POST['username']) ? 'autofocus' : '' ?>>
+           <?= isset($_POST['username']) ? 'autofocus' : '' ?>>
 
     <button class="btn btn-lg btn-primary btn-block" type="submit">Log in</button>
 </form>
diff --git a/logout.php b/logout.php
@@ -8,6 +8,10 @@
     setcookie('phpRedisAdminLogin', '', 1);
     header("Location: login.php");
     die();
+} else if (isset($config['login_as_acl_auth'])) {
+    // HTTP Basic auth
+    header('HTTP/1.1 401 Unauthorized');
+    die('<html><head><meta http-equiv="refresh" content="0; url=/index.php" /></head></html>');
 } else {
     // HTTP Digest auth
     $needed_parts = array(
diff --git a/overview.php b/overview.php
@@ -10,16 +10,24 @@
       $server['db'] = 0;
   }
 
-  // Setup a connection to Redis.
-  if(isset($server['scheme']) && $server['scheme'] === 'unix' && $server['path']) {
-    $redis = new Predis\Client(array('scheme' => 'unix', 'path' => $server['path']));
+
+  if (isset($config['login_as_acl_auth'])) {
+    // Currently only support one server at a time
+    if ($i > 0) {
+      break;
+    }
   } else {
-    $redis = !$server['port'] ? new Predis\Client($server['host']) : new Predis\Client('tcp://'.$server['host'].':'.$server['port']);
-  }
-  try {
-    $redis->connect();
-  } catch (Predis\CommunicationException $exception) {
-    $redis = false;
+    // Setup a connection to Redis.
+    if(isset($server['scheme']) && $server['scheme'] === 'unix' && $server['path']) {
+      $redis = new Predis\Client(array('scheme' => 'unix', 'path' => $server['path']));
+    } else {
+      $redis = !$server['port'] ? new Predis\Client($server['host']) : new Predis\Client('tcp://'.$server['host'].':'.$server['port']);
+    }
+    try {
+      $redis->connect();
+    } catch (Predis\CommunicationException $exception) {
+      $redis = false;
+    }
   }
 
   if(!$redis) {
@@ -38,6 +46,9 @@
 
       $info[$i]         = $redis->info();
       $info[$i]['size'] = $redis->dbSize();
+      if (isset($config['login_as_acl_auth'])) {
+        $info[$i]['username'] = $redis->acl->whoami();
+      }
 
       if (!isset($info[$i]['Server'])) {
         $info[$i]['Server'] = array(
@@ -83,6 +94,10 @@
 
   <tr><td><div>Uptime:</div></td><td><div><?php echo format_time($info[$i]['Server']['uptime_in_seconds'])?></div></td></tr>
 
+  <?php if(isset($info[$i]['username'])): ?>
+  <tr><td><div>Username:</div></td><td><div><?php echo ($info[$i]['username'])?></div></td></tr>
+  <?php endif ?>
+
   <tr><td><div>Last save:</div></td><td><div>
     <?php 
         if (isset($info[$i]['Persistence']['rdb_last_save_time'])) {

Original file line number	Diff line number	Diff line change
`@@ -148,6 +148,9 @@`
`148`	`148`	`}`
`149`	`149`	`}`
`150`	`150`
	`151`	`+if (!isset($config['login']) && !empty($config['login_as_acl_auth'])) {`
	`152`	`+ require_once PHPREDIS_ADMIN_PATH . '/includes/login_acl.inc.php';`
	`153`	`+}`
`151`	`154`
`152`	`155`	`if ($server['db'] != 0) {`
`153`	`156`	`if (!$redis->select($server['db'])) {`