56 lines
2.1 KiB
PHP
56 lines
2.1 KiB
PHP
<?php declare(strict_types=1);
|
|
// ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md
|
|
|
|
const DEBUG = false;
|
|
!DEBUG or ob_start();
|
|
|
|
require 'init.php';
|
|
|
|
function deny(string $reason): never {
|
|
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);
|
|
http_response_code(403);
|
|
exit();
|
|
}
|
|
|
|
if (CONF['common']['services']['ht'] !== 'enabled')
|
|
deny('Service not enabled.');
|
|
|
|
$auth_data = json_decode(file_get_contents('php://input'), true, flags: JSON_THROW_ON_ERROR);
|
|
|
|
$username = hashUsername($auth_data['username']);
|
|
|
|
if (usernameExists($username) !== true)
|
|
deny('This username doesn\'t exist.');
|
|
|
|
$account = query('select', 'users', ['username' => $username])[0];
|
|
|
|
if (!in_array('ht', explode(',', $account['services']), true))
|
|
deny('Service not enabled for this user.');
|
|
|
|
const SFTPGO_DENY_PERMS = ['/' => ['list']];
|
|
const SFTPGO_ALLOW_PERMS = ['list', 'download', 'upload', 'overwrite', 'delete_files', 'delete_dirs', 'rename_files', 'rename_dirs', 'create_dirs', 'chmod', 'chtimes'];
|
|
if ($auth_data['password'] !== '') {
|
|
if (checkPassword($account['id'], $auth_data['password']) !== true)
|
|
deny('Wrong password.');
|
|
$permissions['/'] = SFTPGO_ALLOW_PERMS;
|
|
} else if ($auth_data['public_key'] !== '') {
|
|
$permissions = SFTPGO_DENY_PERMS;
|
|
foreach (query('select', 'ssh-keys', ['username' => $account['id']]) as $key)
|
|
if (hash_equals('ssh-ed25519 ' . $key['key'] . LF, $auth_data['public_key']))
|
|
$permissions[$key['directory']] = SFTPGO_ALLOW_PERMS;
|
|
if ($permissions === SFTPGO_DENY_PERMS)
|
|
deny('No matching SSH key allowed.');
|
|
} else
|
|
deny('Unknown authentication method.');
|
|
|
|
echo json_encode([
|
|
'status' => 1,
|
|
'username' => $auth_data['username'],
|
|
'home_dir' => CONF['ht']['ht_path'] . '/fs/' . $account['id'],
|
|
'quota_size' => ($account['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'],
|
|
'permissions' => $permissions,
|
|
], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
|
|
|
|
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . 'accepted');
|
|
http_response_code(200);
|