🎨 Add cookie-based auth in publish proxy (#15692)

* chore(publish-auth): Add TODO for cookie-based auth in publish proxy A TODO comment was added to indicate future implementation of authentication using cookies in the PublishServiceTransport RoundTrip method. * 🎨 Add session-based authentication for publish proxy Introduces session management using cookies for the publish reverse proxy server. Adds session ID generation, storage, and validation in kernel/model/auth.go, and updates the proxy transport to check for valid sessions before falling back to basic authentication. Sets a session cookie upon successful basic auth login. * 🐛 Fixed the issue of repeatedly setting cookies * 🎨 Dynamically remove invalid session IDs * ♻️ Revert changes in pnpm-lock.yaml
2025-12-16 14:40:12 +01:00 · 2025-08-28 16:20:12 +08:00 · 2025-08-28 16:20:12 +08:00 · ff4d215f78
commit ff4d215f78
parent 2a4adf089f
3 changed files with 67 additions and 7 deletions
--- a/kernel/go.mod
+++ b/kernel/go.mod
@ -37,6 +37,7 @@ require (
 	github.com/go-ole/go-ole v1.3.0
 	github.com/gofrs/flock v0.12.1
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/css v1.0.1
 	github.com/gorilla/websocket v1.5.3
 	github.com/imroc/req/v3 v3.54.2
@ -129,7 +130,6 @@ require (
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
 	github.com/gorilla/context v1.1.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
--- a/kernel/model/auth.go
+++ b/kernel/model/auth.go
@ -19,8 +19,10 @@ package model
 import (
 	"crypto/rand"
 	"net/http"
 	"sync"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/siyuan-note/logging"
 )
@ -29,12 +31,15 @@ type Account struct {
 	Password string
 	Token    string
 }
-type AccountsMap map[string]*Account
+type AccountsMap map[string]*Account // username -> account
 type SessionsMap map[string]string   // sessionID -> username
 type ClaimsKeyType string
 const (
 	XAuthTokenKey = "X-Auth-Token"
 	SessionIdCookieName = "publish-visitor-session-id"
 	ClaimsContextKey = "claims"
 	iss = "siyuan-publish-reverse-proxy-server"
@ -46,13 +51,37 @@ const (
 var (
 	accountsMap = AccountsMap{}
-	jwtKey      = make([]byte, 32)
+	sessionsMap = SessionsMap{}
 	sessionLock = sync.Mutex{}
 	jwtKey = make([]byte, 32)
 )
 func GetBasicAuthAccount(username string) *Account {
 	return accountsMap[username]
 }
 func GetBasicAuthUsernameBySessionID(sessionID string) string {
 	return sessionsMap[sessionID]
 }
 func GetNewSessionID() string {
 	sessionID := uuid.New().String()
 	return sessionID
 }
 func AddSession(sessionID, username string) {
 	sessionLock.Lock()
 	defer sessionLock.Unlock()
 	sessionsMap[sessionID] = username
 }
 func DeleteSession(sessionID string) {
 	sessionLock.Lock()
 	defer sessionLock.Unlock()
 	delete(sessionsMap, sessionID)
 }
 func InitAccounts() {
 	accountsMap = AccountsMap{
 		"": &Account{}, // 匿名用户
--- a/kernel/server/proxy/publish.go
+++ b/kernel/server/proxy/publish.go
@ -125,10 +125,28 @@ func rewrite(r *httputil.ProxyRequest) {
 func (PublishServiceTransport) RoundTrip(request *http.Request) (response *http.Response, err error) {
 	if model.Conf.Publish.Auth.Enable {
 		// Session Auth
 		sessionIdCookie, cookieErr := request.Cookie(model.SessionIdCookieName)
 		if cookieErr == nil {
 			// Check session ID
 			sessionID := sessionIdCookie.Value
 			if username := model.GetBasicAuthUsernameBySessionID(sessionID); username != "" {
 				// Valid session
 				if account := model.GetBasicAuthAccount(username); account != nil {
 					// Valid account
 					request.Header.Set(model.XAuthTokenKey, account.Token)
 					response, err = http.DefaultTransport.RoundTrip(request)
 					return
 				} else {
 					// Invalid account, remove session
 					model.DeleteSession(sessionID)
 				}
 			}
 		}
 		// Basic Auth
 		username, password, ok := request.BasicAuth()
 		account := model.GetBasicAuthAccount(username)
 		if !ok ||
 			account == nil ||
 			account.Username == "" || // 匿名用户
@ -149,13 +167,26 @@ func (PublishServiceTransport) RoundTrip(request *http.Request) (response *http.
 				ContentLength: -1,
 			}, nil
 		} else {
 			// set session cookie
 			sessionID := model.GetNewSessionID()
 			cookie := &http.Cookie{
 				Name:     model.SessionIdCookieName,
 				Value:    sessionID,
 				Path:     "/",
 				HttpOnly: true,
 			}
 			model.AddSession(sessionID, username)
 			// set JWT
 			request.Header.Set(model.XAuthTokenKey, account.Token)
 			response, err = http.DefaultTransport.RoundTrip(request)
 			response.Header.Add("Set-Cookie", cookie.String())
 			return
 		}
 	} else {
 		request.Header.Set(model.XAuthTokenKey, model.GetBasicAuthAccount("").Token)
 		response, err = http.DefaultTransport.RoundTrip(request)
 		return
 	}
 	response, err = http.DefaultTransport.RoundTrip(request)
 	return
 }