Initial commit

routes/api/auth/ldap/+server.ts

@@ -0,0 +1,81 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+import { authorize } from '$lib/server/authorize';
+import { getLdapConfigs, createLdapConfig } from '$lib/server/db';
+
+// GET /api/auth/ldap - List all LDAP configurations
+export const GET: RequestHandler = async ({ cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	try {
+		const configs = await getLdapConfigs();
+		// Don't return passwords
+		const sanitized = configs.map(config => ({
+			...config,
+			bindPassword: config.bindPassword ? '********' : undefined
+		}));
+		return json(sanitized);
+	} catch (error) {
+		console.error('Failed to get LDAP configs:', error);
+		return json({ error: 'Failed to get LDAP configurations' }, { status: 500 });
+	}
+};
+
+// POST /api/auth/ldap - Create a new LDAP configuration
+export const POST: RequestHandler = async ({ request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	try {
+		const data = await request.json();
+
+		// Validate required fields
+		if (!data.name || !data.serverUrl || !data.baseDn) {
+			return json({ error: 'Name, server URL, and base DN are required' }, { status: 400 });
+		}
+
+		const config = await createLdapConfig({
+			name: data.name,
+			enabled: data.enabled ?? false,
+			serverUrl: data.serverUrl,
+			bindDn: data.bindDn || undefined,
+			bindPassword: data.bindPassword || undefined,
+			baseDn: data.baseDn,
+			userFilter: data.userFilter || '(uid={{username}})',
+			usernameAttribute: data.usernameAttribute || 'uid',
+			emailAttribute: data.emailAttribute || 'mail',
+			displayNameAttribute: data.displayNameAttribute || 'cn',
+			groupBaseDn: data.groupBaseDn || undefined,
+			groupFilter: data.groupFilter || undefined,
+			adminGroup: data.adminGroup || undefined,
+			roleMappings: data.roleMappings || undefined,
+			tlsEnabled: data.tlsEnabled ?? false,
+			tlsCa: data.tlsCa || undefined
+		});
+
+		return json({
+			...config,
+			bindPassword: config.bindPassword ? '********' : undefined
+		}, { status: 201 });
+	} catch (error) {
+		console.error('Failed to create LDAP config:', error);
+		return json({ error: 'Failed to create LDAP configuration' }, { status: 500 });
+	}
+};

routes/api/auth/ldap/[id]/+server.ts

@@ -0,0 +1,131 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+import { authorize } from '$lib/server/authorize';
+import { getLdapConfig, updateLdapConfig, deleteLdapConfig } from '$lib/server/db';
+
+// GET /api/auth/ldap/[id] - Get a specific LDAP configuration
+export const GET: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	const id = parseInt(params.id!, 10);
+	if (isNaN(id)) {
+		return json({ error: 'Invalid ID' }, { status: 400 });
+	}
+
+	try {
+		const config = await getLdapConfig(id);
+		if (!config) {
+			return json({ error: 'LDAP configuration not found' }, { status: 404 });
+		}
+
+		return json({
+			...config,
+			bindPassword: config.bindPassword ? '********' : undefined
+		});
+	} catch (error) {
+		console.error('Failed to get LDAP config:', error);
+		return json({ error: 'Failed to get LDAP configuration' }, { status: 500 });
+	}
+};
+
+// PUT /api/auth/ldap/[id] - Update a LDAP configuration
+export const PUT: RequestHandler = async ({ params, request, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	const id = parseInt(params.id!, 10);
+	if (isNaN(id)) {
+		return json({ error: 'Invalid ID' }, { status: 400 });
+	}
+
+	try {
+		const existing = await getLdapConfig(id);
+		if (!existing) {
+			return json({ error: 'LDAP configuration not found' }, { status: 404 });
+		}
+
+		const data = await request.json();
+
+		// Don't update password if it's the masked value
+		const updateData: any = {};
+		if (data.name !== undefined) updateData.name = data.name;
+		if (data.enabled !== undefined) updateData.enabled = data.enabled;
+		if (data.serverUrl !== undefined) updateData.serverUrl = data.serverUrl;
+		if (data.bindDn !== undefined) updateData.bindDn = data.bindDn;
+		if (data.bindPassword !== undefined && data.bindPassword !== '********') {
+			updateData.bindPassword = data.bindPassword;
+		}
+		if (data.baseDn !== undefined) updateData.baseDn = data.baseDn;
+		if (data.userFilter !== undefined) updateData.userFilter = data.userFilter;
+		if (data.usernameAttribute !== undefined) updateData.usernameAttribute = data.usernameAttribute;
+		if (data.emailAttribute !== undefined) updateData.emailAttribute = data.emailAttribute;
+		if (data.displayNameAttribute !== undefined) updateData.displayNameAttribute = data.displayNameAttribute;
+		if (data.groupBaseDn !== undefined) updateData.groupBaseDn = data.groupBaseDn;
+		if (data.groupFilter !== undefined) updateData.groupFilter = data.groupFilter;
+		if (data.adminGroup !== undefined) updateData.adminGroup = data.adminGroup;
+		if (data.roleMappings !== undefined) updateData.roleMappings = data.roleMappings;
+		if (data.tlsEnabled !== undefined) updateData.tlsEnabled = data.tlsEnabled;
+		if (data.tlsCa !== undefined) updateData.tlsCa = data.tlsCa;
+
+		const config = await updateLdapConfig(id, updateData);
+		if (!config) {
+			return json({ error: 'Failed to update configuration' }, { status: 500 });
+		}
+
+		return json({
+			...config,
+			bindPassword: config.bindPassword ? '********' : undefined
+		});
+	} catch (error) {
+		console.error('Failed to update LDAP config:', error);
+		return json({ error: 'Failed to update LDAP configuration' }, { status: 500 });
+	}
+};
+
+// DELETE /api/auth/ldap/[id] - Delete a LDAP configuration
+export const DELETE: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	const id = parseInt(params.id!, 10);
+	if (isNaN(id)) {
+		return json({ error: 'Invalid ID' }, { status: 400 });
+	}
+
+	try {
+		const deleted = await deleteLdapConfig(id);
+		if (!deleted) {
+			return json({ error: 'LDAP configuration not found' }, { status: 404 });
+		}
+
+		return json({ success: true });
+	} catch (error) {
+		console.error('Failed to delete LDAP config:', error);
+		return json({ error: 'Failed to delete LDAP configuration' }, { status: 500 });
+	}
+};

routes/api/auth/ldap/[id]/test/+server.ts

@@ -0,0 +1,37 @@
+import { json } from '@sveltejs/kit';
+import type { RequestHandler } from '@sveltejs/kit';
+import { testLdapConnection } from '$lib/server/auth';
+import { authorize } from '$lib/server/authorize';
+import { getLdapConfig } from '$lib/server/db';
+
+// POST /api/auth/ldap/[id]/test - Test LDAP connection
+export const POST: RequestHandler = async ({ params, cookies }) => {
+	const auth = await authorize(cookies);
+
+	// Allow access when auth is disabled (setup mode) or when user is admin
+	if (auth.authEnabled && (!auth.isAuthenticated || !auth.isAdmin)) {
+		return json({ error: 'Unauthorized' }, { status: 401 });
+	}
+
+	if (!auth.isEnterprise) {
+		return json({ error: 'Enterprise license required' }, { status: 403 });
+	}
+
+	const id = parseInt(params.id!, 10);
+	if (isNaN(id)) {
+		return json({ error: 'Invalid ID' }, { status: 400 });
+	}
+
+	try {
+		const config = await getLdapConfig(id);
+		if (!config) {
+			return json({ error: 'LDAP configuration not found' }, { status: 404 });
+		}
+
+		const result = await testLdapConnection(id);
+		return json(result);
+	} catch (error) {
+		console.error('Failed to test LDAP connection:', error);
+		return json({ error: 'Failed to test LDAP connection' }, { status: 500 });
+	}
+};