servnest/sftpgo-auth.php

<?php declare(strict_types=1);
// ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md

const DEBUG = false;
!DEBUG or ob_start();

require 'init.php';

function deny(string $reason): never {
	!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);
	http_response_code(403);
	exit();
}

if (CONF['common']['services']['ht'] !== 'enabled')
	deny('Service not enabled.');

$auth_data = json_decode(file_get_contents('php://input'), true, flags: JSON_THROW_ON_ERROR);

$username = hashUsername($auth_data['username']);

if (usernameExists($username) !== true)
	deny('This username doesn\'t exist.');

$account = query('select', 'users', ['username' => $username])[0];

if (!in_array('ht', explode(',', $account['services']), true))
	deny('Service not enabled for this user.');

const SFTPGO_DENY_PERMS = ['/' => ['list']];
const SFTPGO_ALLOW_PERMS = ['list', 'download', 'upload', 'overwrite', 'delete_files', 'delete_dirs', 'rename_files', 'rename_dirs', 'create_dirs', 'chmod', 'chtimes'];
if ($auth_data['password'] !== '') {
	if (checkPassword($account['id'], $auth_data['password']) !== true)
		deny('Wrong password.');
	$permissions['/'] = SFTPGO_ALLOW_PERMS;
} else if ($auth_data['public_key'] !== '') {
	$permissions = SFTPGO_DENY_PERMS;
	foreach (query('select', 'ssh-keys', ['username' => $account['id']]) as $key)
		if (hash_equals('ssh-ed25519 ' . $key['key'] . LF, $auth_data['public_key']))
			$permissions[$key['directory']] = SFTPGO_ALLOW_PERMS;
	if ($permissions === SFTPGO_DENY_PERMS)
		deny('No matching SSH key allowed.');
} else
	deny('Unknown authentication method.');

echo json_encode([
	'status' => 1,
	'username' => $auth_data['username'],
	'home_dir' => CONF['ht']['ht_path'] . '/fs/' . $account['id'],
	'quota_size' => ($account['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'],
	'permissions' => $permissions,
], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);

!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . 'accepted');
http_response_code(200);
declare(strict_types=1); 2023-07-17 21:15:18 +02:00			`<?php declare(strict_types=1);`
			`// ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md`
SFTPGo authentication 2022-05-19 16:59:32 +02:00
Add debug option in SFTPGo authenticator 2023-04-15 18:01:19 +02:00			`const DEBUG = false;`
			`!DEBUG or ob_start();`

init.php + jobs + job to delete old testing accounts 2023-06-08 17:36:44 +02:00			`require 'init.php';`
SFTPGo authentication 2022-05-19 16:59:32 +02:00
Add type in functions signatures 2023-06-20 00:36:58 +02:00			`function deny(string $reason): never {`
Add debug message when denying SFTP login 2023-06-03 18:44:48 +02:00			`!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);`
Fix sftpgo-auth.php 2023-03-09 14:40:26 +01:00			`http_response_code(403);`
			`exit();`
			`}`

			`if (CONF['common']['services']['ht'] !== 'enabled')`
Add debug message when denying SFTP login 2023-06-03 18:44:48 +02:00			`deny('Service not enabled.');`
Fix sftpgo-auth.php 2023-03-09 14:40:26 +01:00
Use Apache - Allows customization through .htaccess - No need to configure or reload a server when adding a site - Content negotiation 2023-04-10 00:50:42 +02:00			`$auth_data = json_decode(file_get_contents('php://input'), true, flags: JSON_THROW_ON_ERROR);`
SFTPGo authentication 2022-05-19 16:59:32 +02:00
Internal ID, Argon2 for usernames, username changes 2022-11-30 23:12:42 +01:00			`$username = hashUsername($auth_data['username']);`
Use a hash as internal username 2022-11-26 21:45:48 +01:00
Fix sftpgo-auth.php 2023-03-09 14:40:26 +01:00			`if (usernameExists($username) !== true)`
Add debug message when denying SFTP login 2023-06-03 18:44:48 +02:00			`deny('This username doesn\'t exist.');`
Fix sftpgo-auth.php 2023-03-09 14:40:26 +01:00
Allow SSH keys authentication for SFTP(Go) 2023-06-15 03:35:42 +02:00			`$account = query('select', 'users', ['username' => $username])[0];`
Minor fixes 2023-03-18 18:38:27 +01:00
Allow SSH keys authentication for SFTP(Go) 2023-06-15 03:35:42 +02:00			`if (!in_array('ht', explode(',', $account['services']), true))`
			`deny('Service not enabled for this user.');`
Add debug option in SFTPGo authenticator 2023-04-15 18:01:19 +02:00
Allow SSH keys authentication for SFTP(Go) 2023-06-15 03:35:42 +02:00			`const SFTPGO_DENY_PERMS = ['/' => ['list']];`
sftpgo-auth: allow chmod 2023-09-20 18:47:26 +02:00			`const SFTPGO_ALLOW_PERMS = ['list', 'download', 'upload', 'overwrite', 'delete_files', 'delete_dirs', 'rename_files', 'rename_dirs', 'create_dirs', 'chmod', 'chtimes'];`
Allow SSH keys authentication for SFTP(Go) 2023-06-15 03:35:42 +02:00			`if ($auth_data['password'] !== '') {`
			`if (checkPassword($account['id'], $auth_data['password']) !== true)`
			`deny('Wrong password.');`
			`$permissions['/'] = SFTPGO_ALLOW_PERMS;`
			`} else if ($auth_data['public_key'] !== '') {`
			`$permissions = SFTPGO_DENY_PERMS;`
			`foreach (query('select', 'ssh-keys', ['username' => $account['id']]) as $key)`
			`if (hash_equals('ssh-ed25519 ' . $key['key'] . LF, $auth_data['public_key']))`
			`$permissions[$key['directory']] = SFTPGO_ALLOW_PERMS;`
			`if ($permissions === SFTPGO_DENY_PERMS)`
			`deny('No matching SSH key allowed.');`
			`} else`
			`deny('Unknown authentication method.');`

			`echo json_encode([`
			`'status' => 1,`
			`'username' => $auth_data['username'],`
			`'home_dir' => CONF['ht']['ht_path'] . '/fs/' . $account['id'],`
			`'quota_size' => ($account['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'],`
			`'permissions' => $permissions,`
			`], JSON_THROW_ON_ERROR \| JSON_UNESCAPED_SLASHES);`

			`!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . 'accepted');`
Fix sftpgo-auth.php 2023-03-09 14:40:26 +01:00			`http_response_code(200);`