Auth: Accept access token as passwd with fail rate limit #782 #808 #3943

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2024-01-14 18:28:17 +01:00
parent 9586a9ec69
commit fed1d8ad95
71 changed files with 930 additions and 507 deletions
--- a/internal/api/session_get.go
+++ b/internal/api/session_get.go
@@ -7,24 +7,34 @@ import (

 	"github.com/photoprism/photoprism/internal/entity"
 	"github.com/photoprism/photoprism/internal/get"
+	"github.com/photoprism/photoprism/internal/server/limiter"
 	"github.com/photoprism/photoprism/pkg/clean"
+	"github.com/photoprism/photoprism/pkg/header"
+	"github.com/photoprism/photoprism/pkg/rnd"
 )

 // GetSession returns the session data as JSON if authentication was successful.
 //
+// GET /api/v1/session
 // GET /api/v1/session/:id
+// GET /api/v1/sessions/:id
 func GetSession(router *gin.RouterGroup) {
 	getSessionHandler := func(c *gin.Context) {
+		// Disable caching of responses.
+		c.Header(header.CacheControl, header.CacheControlNoStore)
+
 		id := clean.ID(c.Param("id"))

-		// Check authentication token.
-		if id == "" {
-			// Abort if authentication token is missing or empty.
+		// Abort if session id is provided but invalid.
+		if id != "" && !rnd.IsSessionID(id) {
 			AbortBadRequest(c)
 			return
 		}

 		conf := get.Config()
+
+		// Get client IP and auth token from request headers.
+		clientIp := ClientIP(c)
 		authToken := AuthToken(c)

 		// Skip authentication if app is running in public mode.
@@ -33,18 +43,25 @@ func GetSession(router *gin.RouterGroup) {
 			sess = get.Session().Public()
 			id = sess.ID
 			authToken = sess.AuthToken()
+		} else if clientIp != "" && limiter.Auth.Reject(clientIp) {
+			// Fail if authentication error rate limit is exceeded.
+			limiter.AbortJSON(c)
+			return
 		} else {
-			sess = Session(authToken)
+			sess = Session(clientIp, authToken)
 		}

 		switch {
 		case sess == nil:
+			if clientIp != "" {
+				limiter.Auth.Reserve(clientIp)
+			}
 			AbortUnauthorized(c)
 			return
 		case sess.Expired(), sess.ID == "":
 			AbortUnauthorized(c)
 			return
-		case sess.Invalid(), sess.ID != id && !conf.Public():
+		case sess.Invalid(), id != "" && sess.ID != id && !conf.Public():
 			AbortForbidden(c)
 			return
 		}
@@ -52,8 +69,8 @@ func GetSession(router *gin.RouterGroup) {
 		// Update user information.
 		sess.RefreshUser()

-		// Add session id to response headers.
-		AddSessionHeader(c, authToken)
+		// Add auth token to response header.
+		AddAuthTokenHeader(c, authToken)

 		// Response includes user data, session data, and client config values.
 		response := GetSessionResponse(authToken, sess, get.Config().ClientSession(sess))
@@ -62,5 +79,7 @@ func GetSession(router *gin.RouterGroup) {
 		c.JSON(http.StatusOK, response)
 	}

+	router.GET("/session", getSessionHandler)
 	router.GET("/session/:id", getSessionHandler)
+	router.GET("/sessions/:id", getSessionHandler)
 }