preliminary web support for auth (#26)

Some caveats: * it doesn't record the peer IP yet, which makes it harder to verify sessions are valid. This is a little annoying to do in hyper now (see hyperium/hyper#1410). The direct peer might not be what we want right now anyway because there's no TLS support yet (see #27). In the meantime, the sane way to expose Moonfire NVR to the Internet is via a proxy server, and recording the proxy's IP is not useful. Maybe better to interpret a RFC 7239 Forwarded header (and/or the older X-Forwarded-{For,Proto} headers). * it doesn't ever use Secure (https-only) cookies, for a similar reason. It's not safe to use even with a tls proxy until this is fixed. * there's no "moonfire-nvr config" support for inspecting/invalidating sessions yet. * in debug builds, logging in is crazy slow. See libpasta/libpasta#9. Some notes: * I removed the Javascript "no-use-before-defined" lint, as some of the functions form a cycle. * Fixed #20 along the way. I needed to add support for properly returning non-OK HTTP statuses to signal unauthorized and such. * I removed the Access-Control-Allow-Origin header support, which was at odds with the "SameSite=lax" in the cookie header. The "yarn start" method for running a local proxy server accomplishes the same thing as the Access-Control-Allow-Origin support in a more secure manner.
2025-11-20 01:50:24 -05:00 · 2018-11-25 21:31:50 -08:00
parent 679370c77a
commit 422cd2a75e
21 changed files with 923 additions and 212 deletions
--- a/ui-src/lib/MoonfireAPI.js
+++ b/ui-src/lib/MoonfireAPI.js
@@ -158,4 +158,37 @@ export default class MoonfireAPI {
      cache: cacheOk,
    });
  }
+
+  /**
+   * Start a new AJAX request to log in.
+   *
+   * @param  {String} username
+   * @param  {String} password
+   * @return {Request}
+   */
+  login(username, password) {
+    return $.ajax(this._builder.makeUrl('login'), {
+      data: {
+        username: username,
+        password: password,
+      },
+      method: 'POST',
+    });
+  }
+
+  /**
+   * Start a new AJAX request to log out.
+   *
+   * @param  {String} csrf: the csrf request token as returned in
+   *         <tt>/api/</tt> response JSON.
+   * @return {Request}
+   */
+  logout(csrf) {
+    return $.ajax(this._builder.makeUrl('logout'), {
+      data: {
+        csrf: csrf,
+      },
+      method: 'POST',
+    });
+  }
 }