Implement session authentication (removing uuid from url) #72

Iam54r1n4 · 2023-12-18T17:37:04Z

No description provided.

- filling the username and password (password saved in database as plaintext)

because we send username and password with base64 encoding, so we're not limited to assci

THEN we check session cookies

chg: g.user and g.admin to g.account

- seperate storing account id in session

hiddifypanel/models/admin.py

hiddify-com · 2023-12-30T08:52:04Z

hiddifypanel/models/admin.py

+
+
+@event.listens_for(AdminUser, "before_insert")
+def before_insert(mapper, connection, target):


ببریم توی baseaccount

hiddify-com · 2023-12-30T08:52:45Z

hiddifypanel/models/admin.py

@@ -171,6 +174,16 @@ def bulk_register_admins(users=[], commit=True):


 def current_admin_or_owner():


میدونم خودم نوشتم ولی چرا اخه؟ریسک امنیتی ایجاد میکنه

hiddifypanel/models/base_account.py

hiddifypanel/panel/commercial/restapi/v2/admin/server_status_api.py

hiddifypanel/panel/commercial/restapi/v2/admin/admin_users_api.py

hiddify-com · 2023-12-30T10:23:20Z

hiddifypanel/panel/commercial/restapi/v2/admin/admin_user_api.py

-
+
+
+def has_permission(admin) -> bool:


خیلی پرمیژن ها قاطی پاتی شده

hiddifypanel/panel/commercial/telegrambot/Usage.py

hiddify-com · 2023-12-30T10:27:31Z

hiddifypanel/panel/common.py

+            else:
+                values['proxy_path'] = hconfig(ConfigEnum.proxy_path_admin)
+
+        if hiddify.is_api_v1_call(endpoint=endpoint) and 'admin_uuid' not in values:


این چیه؟

Sarina added 30 commits December 10, 2023 09:49

add: auth to api (incomplete)

b55c8a2

add: username & password to user model and admin model

e313142

- filling the username and password (password saved in database as plaintext)

add: auth to admin apis

38ad0de

add: get_user_roles to authentication.py

8780435

refactor: user apis

f86d9e3

fix: rename

5a9c06f

add: auth to admin panel endpoints

10b81d7

using non-assci name in building username

1587cf1

because we send username and password with base64 encoding, so we're not limited to assci

fix: basic authentication verify password function

f14f51b

add: athentication with session

0a17700

fix: add authentication(role-based) for ModelView classes

53f6397

add: admin route backward compatibility

27d4518

chg: if client sent user/pass we try to authenticate with the user/pass,

9c3dd7e

THEN we check session cookies

chg: authentication

2a1febf

chg: remove <user_secret> from routing in blueprint

07a2d36

add: some functions in utils

d9c63e0

add: api auth, basic auth, old url backward compatibility middlewares

b9e03bb

chg: g.user and g.admin to g.account

fix: using g.account instead of g.user/g.admin

f736c1a

add: role authentication for views

5d42c91

add: redirect_to_user.html

47e4793

fix: setup session data for admin

6c0344f

chg: rename

67c3dd6

add: server-side(redis) session instead of client-side

89fbee5

fix: backward compatibility

f0dc241

fix: admin link in invalid proxy

4ca8129

fix: remove links with uuid

3008b26

Merge branch 'auth' of github.com:Iam54r1n4/HiddifyPanel into auth

7875a47

add: auth for apps api

fb453fb

fix: creating empty session(in redis) for every request

b840da4

fix: bug

2867a1a

Iam54r1n4 added 27 commits December 30, 2023 03:43

clean: unused var

9d143ea

fix: add just proxy_path_admin and proxy_path_client

0caf45d

fix: typo in redirect.html file

a2d1f2a

chg: api v1 blueprint name

9381402

new: handle new proxy paths (test)

ec9462a

fix: bug

54da087

fix: backward compatibility

6463c01

using: proper using of proxy path (for panel links)

a57cf52

new: implement custom flask-login for

0def804

- seperate storing account id in session

del: unused var

4436cbb

add: get by username password

2e88920

new: account atuhentication approach

c2a5b89

chg: admin login links

bd64c04

fix: api v1 telegram endpoints

f132a26

fix: remove user/pass from short api link

b82f4a7

fix: api v1 routing

0a17460

fix: short api

73292a7

fix: short api again

b0cb11f

fix: auto removing UUIDs from api requests

7b71ad6

del: duplicate function

9624462

new: check permission for AdminUsersApi

c97c076

new: check permission for AdminUserApi

1c4fdbf

fix: bug in QuickSetup

e112324

fix: bug

37d45eb

new: base class for admin and user models

956032d

fix: admin me api

cd2365f

fix: proxy path validation

8f7aedd

Iam54r1n4 force-pushed the auth branch from 2f07277 to 8f7aedd Compare December 30, 2023 00:13

hiddify-com reviewed Dec 30, 2023

View reviewed changes

hiddify-com merged commit fb21765 into hiddify:main Dec 30, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement session authentication (removing uuid from url) #72

Implement session authentication (removing uuid from url) #72

Iam54r1n4 commented Dec 18, 2023

hiddify-com Dec 30, 2023

hiddify-com Dec 30, 2023

hiddify-com Dec 30, 2023

hiddify-com Dec 30, 2023



		@event.listens_for(AdminUser, "before_insert")
		def before_insert(mapper, connection, target):

		@@ -171,6 +174,16 @@ def bulk_register_admins(users=[], commit=True):


		def current_admin_or_owner():

Implement session authentication (removing uuid from url) #72

Implement session authentication (removing uuid from url) #72

Conversation

Iam54r1n4 commented Dec 18, 2023

hiddify-com Dec 30, 2023

Choose a reason for hiding this comment

hiddify-com Dec 30, 2023

Choose a reason for hiding this comment

hiddify-com Dec 30, 2023

Choose a reason for hiding this comment

hiddify-com Dec 30, 2023

Choose a reason for hiding this comment