🎨 Add cookie-based auth in publish proxy (#15692)

* chore(publish-auth): Add TODO for cookie-based auth in publish proxy A TODO comment was added to indicate future implementation of authentication using cookies in the PublishServiceTransport RoundTrip method. * 🎨 Add session-based authentication for publish proxy Introduces session management using cookies for the publish reverse proxy server. Adds session ID generation, storage, and validation in kernel/model/auth.go, and updates the proxy transport to check for valid sessions before falling back to basic authentication. Sets a session cookie upon successful basic auth login. * 🐛 Fixed the issue of repeatedly setting cookies * 🎨 Dynamically remove invalid session IDs * ♻️ Revert changes in pnpm-lock.yaml
2025-12-16 14:40:12 +01:00 · 2025-08-28 16:20:12 +08:00 · 2025-08-28 16:20:12 +08:00 · ff4d215f78
commit ff4d215f78
parent 2a4adf089f
3 changed files with 67 additions and 7 deletions
--- a/kernel/server/proxy/publish.go
+++ b/kernel/server/proxy/publish.go
@ -125,10 +125,28 @@ func rewrite(r *httputil.ProxyRequest) {

 func (PublishServiceTransport) RoundTrip(request *http.Request) (response *http.Response, err error) {
 	if model.Conf.Publish.Auth.Enable {
+		// Session Auth
+		sessionIdCookie, cookieErr := request.Cookie(model.SessionIdCookieName)
+		if cookieErr == nil {
+			// Check session ID
+			sessionID := sessionIdCookie.Value
+			if username := model.GetBasicAuthUsernameBySessionID(sessionID); username != "" {
+				// Valid session
+				if account := model.GetBasicAuthAccount(username); account != nil {
+					// Valid account
+					request.Header.Set(model.XAuthTokenKey, account.Token)
+					response, err = http.DefaultTransport.RoundTrip(request)
+					return
+				} else {
+					// Invalid account, remove session
+					model.DeleteSession(sessionID)
+				}
+			}
+		}
+
 		// Basic Auth
 		username, password, ok := request.BasicAuth()
 		account := model.GetBasicAuthAccount(username)
-
 		if !ok ||
 			account == nil ||
 			account.Username == "" || // 匿名用户
@ -149,13 +167,26 @@ func (PublishServiceTransport) RoundTrip(request *http.Request) (response *http.
 				ContentLength: -1,
 			}, nil
 		} else {
+			// set session cookie
+			sessionID := model.GetNewSessionID()
+			cookie := &http.Cookie{
+				Name:     model.SessionIdCookieName,
+				Value:    sessionID,
+				Path:     "/",
+				HttpOnly: true,
+			}
+			model.AddSession(sessionID, username)
+
 			// set JWT
 			request.Header.Set(model.XAuthTokenKey, account.Token)
+			response, err = http.DefaultTransport.RoundTrip(request)
+
+			response.Header.Add("Set-Cookie", cookie.String())
+			return
 		}
 	} else {
 		request.Header.Set(model.XAuthTokenKey, model.GetBasicAuthAccount("").Token)
+		response, err = http.DefaultTransport.RoundTrip(request)
+		return
 	}
-
-	response, err = http.DefaultTransport.RoundTrip(request)
-	return
 }