diff --git a/.github/workflows/docker-image.yaml b/.github/workflows/docker-image.yaml index 800b630..f09775b 100644 --- a/.github/workflows/docker-image.yaml +++ b/.github/workflows/docker-image.yaml @@ -76,7 +76,7 @@ jobs: echo "RELEASE_TAG=,docker.io/${IMAGE_NAME}:latest" >> $GITHUB_ENV else echo "Labeling image with commit SHA: ${GITHUB_SHA}" - echo "IMAGE_TAG=${GITHUB_SHA}" >> $GITHUB_ENV + echo "IMAGE_TAG=canary-${GITHUB_SHA}" >> $GITHUB_ENV fi - name: Push to DockerHub diff --git a/README.md b/README.md index ac2d5c1..209b5ed 100644 --- a/README.md +++ b/README.md @@ -69,13 +69,13 @@ Please feel free to open an issue if you have any questions or suggestions. These options can be configured by setting environment variables using `-e KEY="VALUE"` in the `docker run` command. -| Option | Description | Optional | -|-------------------|--------------------------------------------------------------------------------------------------------------------------------------|----------| -| `WG_HOST` | The public IP address of the WireGuard server. | | -| `UI_PASSWORD` | The password for the admin UI. | | -| `ORIGIN` | In case you want to access the web-admin remotely, you must set this to the host you are using, for example, `http://hostname:port`. | ✔️ | -| `TOR_USE_BRIDGES` | Set this to `1` and then mount the bridges file at `/etc/torrc.d/bridges.conf`. | ✔️ | -| `TOR_*` | The `Torrc` proxy configuration. (e.g. `SocksPort` as `TOR_SOCKSPORT="9050"`) | ✔️ | +| Option | Description | Optional | +|-------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------| +| `WG_HOST` | The public IP address of the WireGuard server. | | +| `UI_PASSWORD` | The password for the admin UI. | | +| `ORIGIN` | In case you want to access the web-admin remotely, you must set this to the host you are using, for example, `http://:3000`. | ✔️ | +| `TOR_USE_BRIDGES` | Set this to `1` and then mount the bridges file at `/etc/torrc.d/bridges.conf`. | ✔️ | +| `TOR_*` | The `Torrc` proxy configuration. (e.g. `SocksPort` as `TOR_SOCKSPORT="9050"`) | ✔️ | ## Support the Project diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 53b95b1..88dc527 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -11,27 +11,25 @@ remove_duplicated_lines() { mv "$temp_file" "$file" } -remove_duplicate_env() { - local file="$1" - local temp_file="/tmp/$(basename "$file")" - awk -F "=" -e '!seen[$1]++' "$file" >"$temp_file" - mv "$temp_file" "$file" -} - to_camel_case() { echo "${1}" | awk -F_ '{for(i=1;i<=NF;i++) $i=toupper(substr($i,1,1)) tolower(substr($i,2));}1' OFS="" } +echo " " +echo " _ ___ ___ __ _ " +echo "| | / (_)_______ / | ____/ /___ ___ (_)___ " +echo "| | /| / / / ___/ _ \/ /| |/ __ / __ \`__ \/ / __ \\" +echo "| |/ |/ / / / / __/ ___ / /_/ / / / / / / / / / /" +echo "|__/|__/_/_/ \___/_/ |_\__,_/_/ /_/ /_/_/_/ /_/ " +echo " " + mkdir -p /var/vlogs -if [ ! -f "${ENV_FILE}" ]; then - echo "" >"${ENV_FILE}" -fi - +touch "${ENV_FILE}" chmod 400 "${ENV_FILE}" if ! grep -q "AUTH_SECRET" "${ENV_FILE}"; then - cat "${ENV_FILE}" &>/dev/null </dev/null </dev/null </dev/null <"/tmp/$(basename "${ENV_FILE}")" && + mv "/tmp/$(basename "${ENV_FILE}")" "${ENV_FILE}" # IP address of the container inet_address="$(hostname -i | awk '{print $1}')" @@ -91,14 +93,6 @@ screen -L -Logfile /var/vlogs/tor -dmS tor \ screen -L -Logfile /var/vlogs/redis -dmS redis \ bash -c "redis-server --port 6479 --daemonize no --dir /data --appendonly yes" -echo " " -echo " _ ___ ___ __ _ " -echo "| | / (_)_______ / | ____/ /___ ___ (_)___ " -echo "| | /| / / / ___/ _ \/ /| |/ __ / __ \`__ \/ / __ \\" -echo "| |/ |/ / / / / __/ ___ / /_/ / / / / / / / / / /" -echo "|__/|__/_/_/ \___/_/ |_\__,_/_/ /_/ /_/_/_/ /_/ " -echo " " - sleep 1 echo -e "\n======================== Versions ========================" echo -e "Alpine Version: \c" && cat /etc/alpine-release diff --git a/web/src/hooks.server.ts b/web/src/hooks.server.ts index 6a77340..d97e5b6 100644 --- a/web/src/hooks.server.ts +++ b/web/src/hooks.server.ts @@ -3,9 +3,7 @@ import { verifyToken } from '$lib/auth'; import 'dotenv/config'; export const handle: Handle = async ({ event, resolve }) => { - const { HASHED_PASSWORD } = process.env; - - if (!!HASHED_PASSWORD && !AUTH_EXCEPTION.includes(event.url.pathname)) { + if (!AUTH_EXCEPTION.includes(event.url.pathname)) { const token = event.cookies.get('authorization'); const token_valid = await verifyToken(token ?? ''); diff --git a/web/src/index.test.ts b/web/src/index.test.ts deleted file mode 100644 index aa93426..0000000 --- a/web/src/index.test.ts +++ /dev/null @@ -1,7 +0,0 @@ -import { describe, expect, it } from 'vitest'; - -describe('sum test', () => { - it('adds 1 + 2 to equal 3', () => { - expect(1 + 2).toBe(3); - }); -}); diff --git a/web/src/lib/auth.ts b/web/src/lib/auth.ts index 38638e5..5a151a4 100644 --- a/web/src/lib/auth.ts +++ b/web/src/lib/auth.ts @@ -3,26 +3,36 @@ import 'dotenv/config'; import Hex from 'crypto-js/enc-hex'; import { randomUUID } from 'node:crypto'; import SHA256 from 'crypto-js/sha256'; +import { client } from '$lib/redis'; export const AUTH_SECRET = process.env.AUTH_SECRET || Hex.stringify(SHA256(randomUUID())); export async function generateToken(): Promise { const now = Math.floor(Date.now() / 1000); - return jwt.sign( + const oneHour = 60 * 60; + const token = jwt.sign( { ok: true, iat: now, - exp: now + 60 * 60, + exp: now + oneHour, }, AUTH_SECRET, ); + await client.setex(token, oneHour, '1'); + return token; } export async function verifyToken(token: string): Promise { try { const decode = jwt.verify(token, AUTH_SECRET); - return !!decode; + if (!decode) return false; + const exists = await client.exists(token); + return exists === 1; } catch (e) { return false; } } + +export async function revokeToken(token: string): Promise { + await client.del(token); +} diff --git a/web/src/routes/login/+page.server.ts b/web/src/routes/login/+page.server.ts index 0cc5c1f..dc1b767 100644 --- a/web/src/routes/login/+page.server.ts +++ b/web/src/routes/login/+page.server.ts @@ -50,6 +50,6 @@ export const actions: Actions = { event.cookies.set('authorization', token); } - return { ok: true }; + return { form, ok: true }; }, }; diff --git a/web/src/routes/logout/+page.server.ts b/web/src/routes/logout/+page.server.ts index 7cdc075..fba7627 100644 --- a/web/src/routes/logout/+page.server.ts +++ b/web/src/routes/logout/+page.server.ts @@ -1,7 +1,12 @@ import type { PageServerLoad } from './$types'; import { redirect } from '@sveltejs/kit'; +import { revokeToken } from '$lib/auth'; -export const load: PageServerLoad = ({ cookies }) => { +export const load: PageServerLoad = async ({ cookies }) => { + if (!!cookies.get('authorization')) { + const token = cookies.get('authorization')!; + await revokeToken(token).catch(() => {}); + } cookies.delete('authorization'); throw redirect(302, '/login'); };