servnest/sftpgo-auth.php

55 lines
2 KiB
PHP
Raw Normal View History

<?php // ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md
2022-05-19 14:59:32 +00:00
const DEBUG = false;
!DEBUG or ob_start();
require 'init.php';
2022-05-19 14:59:32 +00:00
2023-06-19 22:36:58 +00:00
function deny(string $reason): never {
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);
2023-03-09 13:40:26 +00:00
http_response_code(403);
exit();
}
if (CONF['common']['services']['ht'] !== 'enabled')
deny('Service not enabled.');
2023-03-09 13:40:26 +00:00
$auth_data = json_decode(file_get_contents('php://input'), true, flags: JSON_THROW_ON_ERROR);
2022-05-19 14:59:32 +00:00
$username = hashUsername($auth_data['username']);
2022-11-26 20:45:48 +00:00
2023-03-09 13:40:26 +00:00
if (usernameExists($username) !== true)
deny('This username doesn\'t exist.');
2023-03-09 13:40:26 +00:00
$account = query('select', 'users', ['username' => $username])[0];
2023-03-18 17:38:27 +00:00
if (!in_array('ht', explode(',', $account['services']), true))
deny('Service not enabled for this user.');
const SFTPGO_DENY_PERMS = ['/' => ['list']];
const SFTPGO_ALLOW_PERMS = ['list', 'download', 'upload', 'overwrite', 'delete_files', 'delete_dirs', 'rename_files', 'rename_dirs', 'create_dirs', 'chtimes'];
if ($auth_data['password'] !== '') {
if (checkPassword($account['id'], $auth_data['password']) !== true)
deny('Wrong password.');
$permissions['/'] = SFTPGO_ALLOW_PERMS;
} else if ($auth_data['public_key'] !== '') {
$permissions = SFTPGO_DENY_PERMS;
foreach (query('select', 'ssh-keys', ['username' => $account['id']]) as $key)
if (hash_equals('ssh-ed25519 ' . $key['key'] . LF, $auth_data['public_key']))
$permissions[$key['directory']] = SFTPGO_ALLOW_PERMS;
if ($permissions === SFTPGO_DENY_PERMS)
deny('No matching SSH key allowed.');
} else
deny('Unknown authentication method.');
echo json_encode([
'status' => 1,
'username' => $auth_data['username'],
'home_dir' => CONF['ht']['ht_path'] . '/fs/' . $account['id'],
'quota_size' => ($account['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'],
'permissions' => $permissions,
], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . 'accepted');
2023-03-09 13:40:26 +00:00
http_response_code(200);