home: imp auth

internal/dnsforward/config.go

@@ -98,10 +98,10 @@ type FilteringConfig struct {
 	AllowedClients    []string `yaml:"allowed_clients"`    // IP addresses of whitelist clients
 	DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
 	BlockedHosts      []string `yaml:"blocked_hosts"`      // hosts that should be blocked
-	// TrustedProxies is the list of IP addresses and CIDR networks to
+	// TrustedProxies is the list of IP addresses and CIDR networks to detect
-	// detect proxy servers addresses the DoH requests from which should be
+	// proxy servers addresses the DoH requests from which should be handled.
-	// handled.  The value of nil or an empty slice for this field makes
+	// The value of nil or an empty slice for this field makes Proxy not trust
-	// Proxy not trust any address.
+	// any address.
 	TrustedProxies []string `yaml:"trusted_proxies"`
 
 	// DNS cache settings

internal/home/auth.go

@@ -403,8 +403,8 @@ func realIP(r *http.Request) (ip net.IP, err error) {
 		return ip, nil
 	}
 
-	// When everything else fails, just return the remote address as
+	// When everything else fails, just return the remote address as understood
-	// understood by the stdlib.
+	// by the stdlib.
 	ipStr, err := netutil.SplitHost(r.RemoteAddr)
 	if err != nil {
 		return nil, fmt.Errorf("getting ip from client addr: %w", err)
@@ -423,7 +423,8 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var remoteAddr string
-	// The realIP couldn't be used here due to security issues.
+	// realIP cannot be used here without taking TrustedProxies into accound due
+	// to security issues.
 	//
 	// See https://github.com/AdguardTeam/AdGuardHome/issues/2799.
 	//
@@ -437,12 +438,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 	if blocker := Context.auth.blocker; blocker != nil {
 		if left := blocker.check(remoteAddr); left > 0 {
 			w.Header().Set("Retry-After", strconv.Itoa(int(left.Seconds())))
-			httpError(
+			httpError(w, http.StatusTooManyRequests, "auth: blocked for %s", left)
-				w,
-				http.StatusTooManyRequests,
-				"auth: blocked for %s",
-				left,
-			)
 
 			return
 		}
@@ -456,18 +452,18 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var ip net.IP
+	// Use realIP here, since this IP address is only used for logging.
-	ip, err = realIP(r)
+	ip, err := realIP(r)
-
-	if len(cookie) == 0 {
 	if err != nil {
-			log.Info("auth: getting real ip from request: %s", err)
+		log.Error("auth: getting real ip from request: %s", err)
 	} else if ip == nil {
 		// Technically shouldn't happen.
-			log.Info("auth: failed to login user %q from unknown ip", req.Name)
+		log.Error("auth: unknown ip")
-		} else {
-			log.Info("auth: failed to login user %q from ip %q", req.Name, ip)
 	}
+
+	if len(cookie) == 0 {
+		log.Info("auth: failed to login user %q from ip %v", req.Name, ip)
+
 		time.Sleep(1 * time.Second)
 
 		http.Error(w, "invalid username or password", http.StatusBadRequest)
@@ -475,20 +471,13 @@ func handleLogin(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err != nil {
+	log.Info("auth: user %q successfully logged in from ip %v", req.Name, ip)
-		log.Info("auth: getting real ip from request: %s", err)
-	} else if ip == nil {
-		// Technically shouldn't happen.
-		log.Info("auth: user %q successfully logged in from unknown ip", req.Name)
-	} else {
-		log.Info("auth: user %q successfully logged in from ip %q", req.Name, ip)
-	}
 
-	w.Header().Set("Set-Cookie", cookie)
+	h := w.Header()
-
+	h.Set("Set-Cookie", cookie)
-	w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
+	h.Set("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate")
-	w.Header().Set("Pragma", "no-cache")
+	h.Set("Pragma", "no-cache")
-	w.Header().Set("Expires", "0")
+	h.Set("Expires", "0")
 
 	returnOK(w)
 }