feat(portal): Add SSO authentication with SecuBox core users

Portal login now authenticates against SecuBox users (UCI config) instead of hardcoded credentials. New RPCD methods in luci.secubox-users: - authenticate: Verify username/password, return session token - recover: Send password reset email - reset_password: Set new password with recovery token Portal pages: - login.html: Login form with password recovery link - reset.html: Password reset form (from email link) Features: - SHA256 password hashing - Session tokens stored in /tmp/secubox-sessions/ - Email-based password recovery via mailctl - Public ACL access (no LuCI login required) - Passwords synced to services if sync_passwords=1 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-21 12:58:38 +01:00 · 2026-02-21 12:58:38 +01:00 · e7b6039c96
commit e7b6039c96
parent 2607bfb911
3 changed files with 604 additions and 1 deletions
--- a/package/secubox/luci-app-secubox-portal/root/www/gk2-hub/login.html
+++ b/package/secubox/luci-app-secubox-portal/root/www/gk2-hub/login.html
@ -0,0 +1,274 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>SecuBox — Authentification</title>
+<style>
+  :root {
+    --bg: #0a0a0f;
+    --surface: #12121a;
+    --border: #1a1a2e;
+    --accent: #005f9e;
+    --accent-glow: rgba(0,95,158,0.3);
+    --text: #e0e0e0;
+    --muted: #666;
+    --success: #27ae60;
+    --error: #e74c3c;
+  }
+
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+
+  body {
+    background: var(--bg);
+    color: var(--text);
+    font-family: "Segoe UI", system-ui, sans-serif;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    padding: 20px;
+  }
+
+  body::before {
+    content: "";
+    position: fixed;
+    inset: 0;
+    background-image:
+      linear-gradient(rgba(0,95,158,0.03) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(0,95,158,0.03) 1px, transparent 1px);
+    background-size: 50px 50px;
+    animation: gridMove 20s linear infinite;
+    pointer-events: none;
+  }
+
+  @keyframes gridMove {
+    0% { transform: translate(0, 0); }
+    100% { transform: translate(50px, 50px); }
+  }
+
+  .login-container { width: 100%; max-width: 420px; position: relative; z-index: 1; }
+
+  .login-card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 16px;
+    padding: 40px;
+    box-shadow: 0 20px 60px rgba(0,0,0,0.5);
+  }
+
+  .logo-section { text-align: center; margin-bottom: 35px; }
+
+  .logo {
+    width: 80px; height: 80px;
+    background: linear-gradient(135deg, var(--accent), #007acc);
+    border-radius: 16px;
+    display: inline-flex; align-items: center; justify-content: center;
+    font-family: "Courier New", monospace;
+    font-size: 2rem; font-weight: 900; color: #fff;
+    margin-bottom: 16px;
+    box-shadow: 0 8px 30px var(--accent-glow);
+  }
+
+  .logo-title { font-size: 1.8rem; font-weight: 700; letter-spacing: 3px; text-transform: uppercase; }
+  .logo-title span { color: var(--accent); }
+  .logo-subtitle { color: var(--muted); font-size: 0.85rem; font-family: "Courier New", monospace; margin-top: 5px; }
+
+  .form-group { margin-bottom: 20px; }
+  .form-label { display: block; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; letter-spacing: 1.5px; color: var(--muted); margin-bottom: 8px; }
+
+  .form-input {
+    width: 100%; padding: 14px 16px;
+    background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
+    color: var(--text); font-size: 1rem; transition: all 0.2s;
+  }
+  .form-input:focus { outline: none; border-color: var(--accent); box-shadow: 0 0 0 3px var(--accent-glow); }
+  .form-input::placeholder { color: #444; }
+
+  .btn-login {
+    width: 100%; padding: 14px;
+    background: linear-gradient(135deg, var(--accent), #007acc);
+    border: none; border-radius: 8px;
+    color: #fff; font-size: 1rem; font-weight: 600;
+    text-transform: uppercase; letter-spacing: 2px;
+    cursor: pointer; transition: all 0.2s; margin-top: 10px;
+  }
+  .btn-login:hover { transform: translateY(-2px); box-shadow: 0 8px 25px var(--accent-glow); }
+  .btn-login:active { transform: translateY(0); }
+  .btn-login.loading { opacity: 0.7; pointer-events: none; }
+
+  .msg { padding: 12px; border-radius: 8px; font-size: 0.9rem; margin-bottom: 20px; display: none; }
+  .msg.error { background: rgba(231,76,60,0.1); border: 1px solid var(--error); color: var(--error); }
+  .msg.success { background: rgba(39,174,96,0.1); border: 1px solid var(--success); color: var(--success); }
+  .msg.show { display: block; }
+
+  .recover-link { text-align: center; margin-top: 20px; font-size: 0.85rem; }
+  .recover-link a { color: var(--accent); text-decoration: none; }
+  .recover-link a:hover { text-decoration: underline; }
+
+  .footer { text-align: center; margin-top: 30px; font-size: 0.75rem; color: var(--muted); }
+  .footer a { color: var(--accent); text-decoration: none; }
+
+  #recover-form { display: none; }
+  .back-link { text-align: center; margin-top: 15px; font-size: 0.85rem; }
+  .back-link a { color: var(--muted); text-decoration: none; cursor: pointer; }
+</style>
+</head>
+<body>
+
+<div class="login-container">
+  <div class="login-card">
+    <div class="logo-section">
+      <div class="logo">S</div>
+      <h1 class="logo-title">Secu<span>Box</span></h1>
+      <p class="logo-subtitle">// PORTAIL SECURISE</p>
+    </div>
+
+    <div id="msg" class="msg"></div>
+
+    <!-- Login Form -->
+    <form id="login-form" onsubmit="return handleLogin(event)">
+      <div class="form-group">
+        <label class="form-label">Identifiant</label>
+        <input type="text" id="username" class="form-input" placeholder="prenom.nom" required autocomplete="username">
+      </div>
+
+      <div class="form-group">
+        <label class="form-label">Mot de passe</label>
+        <input type="password" id="password" class="form-input" placeholder="********" required autocomplete="current-password">
+      </div>
+
+      <button type="submit" id="btn-submit" class="btn-login">Connexion</button>
+
+      <div class="recover-link">
+        <a href="#" onclick="showRecover(); return false;">Mot de passe oublie ?</a>
+      </div>
+    </form>
+
+    <!-- Recovery Form -->
+    <form id="recover-form" onsubmit="return handleRecover(event)">
+      <div class="form-group">
+        <label class="form-label">Email</label>
+        <input type="email" id="recover-email" class="form-input" placeholder="votre@email.com" required>
+      </div>
+
+      <button type="submit" id="btn-recover" class="btn-login">Envoyer le lien</button>
+
+      <div class="back-link">
+        <a onclick="showLogin(); return false;">Retour a la connexion</a>
+      </div>
+    </form>
+
+    <div class="footer">
+      <p>SecuBox - <a href="https://cybermind.fr">CyberMind.FR</a></p>
+    </div>
+  </div>
+</div>
+
+<script>
+function showMsg(text, type) {
+  var msg = document.getElementById("msg");
+  msg.textContent = text;
+  msg.className = "msg " + type + " show";
+}
+
+function hideMsg() {
+  document.getElementById("msg").className = "msg";
+}
+
+function showRecover() {
+  document.getElementById("login-form").style.display = "none";
+  document.getElementById("recover-form").style.display = "block";
+  hideMsg();
+}
+
+function showLogin() {
+  document.getElementById("recover-form").style.display = "none";
+  document.getElementById("login-form").style.display = "block";
+  hideMsg();
+}
+
+function rpcCall(method, params) {
+  return fetch("/ubus", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      jsonrpc: "2.0",
+      id: 1,
+      method: "call",
+      params: ["00000000000000000000000000000000", "luci.secubox-users", method, params]
+    })
+  }).then(function(r) { return r.json(); });
+}
+
+function handleLogin(e) {
+  e.preventDefault();
+
+  var btn = document.getElementById("btn-submit");
+  var username = document.getElementById("username").value.trim();
+  var password = document.getElementById("password").value;
+
+  btn.classList.add("loading");
+  btn.textContent = "Verification...";
+  hideMsg();
+
+  rpcCall("authenticate", { username: username, password: password })
+    .then(function(resp) {
+      if (resp.result && resp.result[1] && resp.result[1].success) {
+        var data = resp.result[1];
+        sessionStorage.setItem("secubox_token", data.token);
+        sessionStorage.setItem("secubox_user", data.username);
+        sessionStorage.setItem("secubox_email", data.email);
+        showMsg("Connexion reussie!", "success");
+        setTimeout(function() { window.location.href = "/portal.html"; }, 500);
+      } else {
+        var err = (resp.result && resp.result[1]) ? resp.result[1].error : "Erreur de connexion";
+        showMsg(err, "error");
+        btn.classList.remove("loading");
+        btn.textContent = "Connexion";
+      }
+    })
+    .catch(function() {
+      showMsg("Erreur serveur", "error");
+      btn.classList.remove("loading");
+      btn.textContent = "Connexion";
+    });
+
+  return false;
+}
+
+function handleRecover(e) {
+  e.preventDefault();
+
+  var btn = document.getElementById("btn-recover");
+  var email = document.getElementById("recover-email").value.trim();
+
+  btn.classList.add("loading");
+  btn.textContent = "Envoi...";
+  hideMsg();
+
+  rpcCall("recover", { email: email })
+    .then(function(resp) {
+      if (resp.result && resp.result[1]) {
+        showMsg(resp.result[1].message || "Email envoye si le compte existe", "success");
+      }
+      btn.classList.remove("loading");
+      btn.textContent = "Envoyer le lien";
+    })
+    .catch(function() {
+      showMsg("Erreur serveur", "error");
+      btn.classList.remove("loading");
+      btn.textContent = "Envoyer le lien";
+    });
+
+  return false;
+}
+
+// Check if already authenticated
+if (sessionStorage.getItem("secubox_token")) {
+  window.location.href = "/portal.html";
+}
+</script>
+
+</body>
+</html>
--- a/package/secubox/luci-app-secubox-portal/root/www/gk2-hub/reset.html
+++ b/package/secubox/luci-app-secubox-portal/root/www/gk2-hub/reset.html
@ -0,0 +1,196 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>SecuBox — Reset Password</title>
+<style>
+  :root {
+    --bg: #0a0a0f;
+    --surface: #12121a;
+    --border: #1a1a2e;
+    --accent: #005f9e;
+    --accent-glow: rgba(0,95,158,0.3);
+    --text: #e0e0e0;
+    --muted: #666;
+    --success: #27ae60;
+    --error: #e74c3c;
+  }
+
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+
+  body {
+    background: var(--bg);
+    color: var(--text);
+    font-family: "Segoe UI", system-ui, sans-serif;
+    min-height: 100vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    padding: 20px;
+  }
+
+  body::before {
+    content: "";
+    position: fixed;
+    inset: 0;
+    background-image:
+      linear-gradient(rgba(0,95,158,0.03) 1px, transparent 1px),
+      linear-gradient(90deg, rgba(0,95,158,0.03) 1px, transparent 1px);
+    background-size: 50px 50px;
+    pointer-events: none;
+  }
+
+  .container { width: 100%; max-width: 420px; position: relative; z-index: 1; }
+
+  .card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 16px;
+    padding: 40px;
+    box-shadow: 0 20px 60px rgba(0,0,0,0.5);
+  }
+
+  .logo-section { text-align: center; margin-bottom: 35px; }
+  .logo {
+    width: 80px; height: 80px;
+    background: linear-gradient(135deg, var(--accent), #007acc);
+    border-radius: 16px;
+    display: inline-flex; align-items: center; justify-content: center;
+    font-family: "Courier New", monospace;
+    font-size: 2rem; font-weight: 900; color: #fff;
+    margin-bottom: 16px;
+    box-shadow: 0 8px 30px var(--accent-glow);
+  }
+  .logo-title { font-size: 1.5rem; font-weight: 700; letter-spacing: 2px; }
+  .logo-title span { color: var(--accent); }
+
+  .form-group { margin-bottom: 20px; }
+  .form-label { display: block; font-size: 0.75rem; font-weight: 600; text-transform: uppercase; letter-spacing: 1.5px; color: var(--muted); margin-bottom: 8px; }
+  .form-input {
+    width: 100%; padding: 14px 16px;
+    background: var(--bg); border: 1px solid var(--border); border-radius: 8px;
+    color: var(--text); font-size: 1rem;
+  }
+  .form-input:focus { outline: none; border-color: var(--accent); box-shadow: 0 0 0 3px var(--accent-glow); }
+
+  .btn {
+    width: 100%; padding: 14px;
+    background: linear-gradient(135deg, var(--accent), #007acc);
+    border: none; border-radius: 8px;
+    color: #fff; font-size: 1rem; font-weight: 600;
+    text-transform: uppercase; letter-spacing: 2px;
+    cursor: pointer; margin-top: 10px;
+  }
+  .btn:hover { transform: translateY(-2px); box-shadow: 0 8px 25px var(--accent-glow); }
+  .btn.loading { opacity: 0.7; pointer-events: none; }
+
+  .msg { padding: 12px; border-radius: 8px; font-size: 0.9rem; margin-bottom: 20px; display: none; text-align: center; }
+  .msg.error { background: rgba(231,76,60,0.1); border: 1px solid var(--error); color: var(--error); }
+  .msg.success { background: rgba(39,174,96,0.1); border: 1px solid var(--success); color: var(--success); }
+  .msg.show { display: block; }
+
+  .footer { text-align: center; margin-top: 25px; font-size: 0.85rem; }
+  .footer a { color: var(--accent); text-decoration: none; }
+</style>
+</head>
+<body>
+
+<div class="container">
+  <div class="card">
+    <div class="logo-section">
+      <div class="logo">S</div>
+      <h1 class="logo-title">Nouveau <span>mot de passe</span></h1>
+    </div>
+
+    <div id="msg" class="msg"></div>
+
+    <form id="reset-form" onsubmit="return handleReset(event)">
+      <div class="form-group">
+        <label class="form-label">Nouveau mot de passe</label>
+        <input type="password" id="password" class="form-input" placeholder="********" required minlength="8">
+      </div>
+
+      <div class="form-group">
+        <label class="form-label">Confirmer</label>
+        <input type="password" id="password2" class="form-input" placeholder="********" required>
+      </div>
+
+      <button type="submit" id="btn-reset" class="btn">Reinitialiser</button>
+    </form>
+
+    <div class="footer">
+      <a href="/login.html">Retour a la connexion</a>
+    </div>
+  </div>
+</div>
+
+<script>
+var token = new URLSearchParams(window.location.search).get("token");
+
+if (!token) {
+  document.getElementById("msg").textContent = "Token invalide ou manquant";
+  document.getElementById("msg").className = "msg error show";
+  document.getElementById("reset-form").style.display = "none";
+}
+
+function showMsg(text, type) {
+  var msg = document.getElementById("msg");
+  msg.textContent = text;
+  msg.className = "msg " + type + " show";
+}
+
+function handleReset(e) {
+  e.preventDefault();
+
+  var password = document.getElementById("password").value;
+  var password2 = document.getElementById("password2").value;
+  var btn = document.getElementById("btn-reset");
+
+  if (password !== password2) {
+    showMsg("Les mots de passe ne correspondent pas", "error");
+    return false;
+  }
+
+  if (password.length < 8) {
+    showMsg("Minimum 8 caracteres", "error");
+    return false;
+  }
+
+  btn.classList.add("loading");
+  btn.textContent = "En cours...";
+
+  fetch("/ubus", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      jsonrpc: "2.0",
+      id: 1,
+      method: "call",
+      params: ["00000000000000000000000000000000", "luci.secubox-users", "reset_password", { token: token, password: password }]
+    })
+  })
+  .then(function(r) { return r.json(); })
+  .then(function(resp) {
+    if (resp.result && resp.result[1] && resp.result[1].success) {
+      showMsg("Mot de passe mis a jour! Redirection...", "success");
+      setTimeout(function() { window.location.href = "/login.html"; }, 2000);
+    } else {
+      var err = (resp.result && resp.result[1]) ? resp.result[1].error : "Erreur";
+      showMsg(err, "error");
+      btn.classList.remove("loading");
+      btn.textContent = "Reinitialiser";
+    }
+  })
+  .catch(function() {
+    showMsg("Erreur serveur", "error");
+    btn.classList.remove("loading");
+    btn.textContent = "Reinitialiser";
+  });
+
+  return false;
+}
+</script>
+
+</body>
+</html>
--- a/package/secubox/luci-app-secubox-users/root/usr/libexec/rpcd/luci.secubox-users
+++ b/package/secubox/luci-app-secubox-users/root/usr/libexec/rpcd/luci.secubox-users
@ -168,9 +168,139 @@ update_password() {
 	fi
 }

+# Portal authentication - verify username/password
+authenticate() {
+	read -r input
+	local username=$(echo "$input" | jsonfilter -e '@.username' 2>/dev/null)
+	local password=$(echo "$input" | jsonfilter -e '@.password' 2>/dev/null)
+
+	if [ -z "$username" ] || [ -z "$password" ]; then
+		echo '{"success":false,"error":"Username and password required"}'
+		return
+	fi
+
+	# Check user exists and is enabled
+	local enabled=$(uci -q get ${CONFIG}.${username}.enabled)
+	if [ "$enabled" != "1" ]; then
+		echo '{"success":false,"error":"Invalid credentials"}'
+		return
+	fi
+
+	# Get stored hash and verify
+	local stored_hash=$(uci -q get ${CONFIG}.${username}.password_hash)
+	local input_hash=$(echo -n "$password" | sha256sum | cut -d' ' -f1)
+
+	if [ "$stored_hash" = "$input_hash" ]; then
+		local email=$(uci -q get ${CONFIG}.${username}.email)
+		local token=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 32)
+		local expiry=$(($(date +%s) + 86400))
+
+		# Store session
+		mkdir -p /tmp/secubox-sessions
+		echo "${username}:${expiry}" > /tmp/secubox-sessions/${token}
+
+		# Log success
+		logger -t secubox-portal "Login success: $username"
+
+		echo "{\"success\":true,\"username\":\"$username\",\"email\":\"$email\",\"token\":\"$token\"}"
+	else
+		logger -t secubox-portal "Login failed: $username"
+		echo '{"success":false,"error":"Invalid credentials"}'
+	fi
+}
+
+# Password recovery - send reset email
+recover() {
+	read -r input
+	local email=$(echo "$input" | jsonfilter -e '@.email' 2>/dev/null)
+
+	if [ -z "$email" ]; then
+		echo '{"success":false,"error":"Email required"}'
+		return
+	fi
+
+	# Find user by email
+	local username=""
+	for user in $(uci show ${CONFIG} 2>/dev/null | grep "=user$" | cut -d. -f2 | cut -d= -f1); do
+		local user_email=$(uci -q get ${CONFIG}.${user}.email)
+		if [ "$user_email" = "$email" ]; then
+			username="$user"
+			break
+		fi
+	done
+
+	if [ -z "$username" ]; then
+		# Don't reveal if email exists - always return success
+		echo '{"success":true,"message":"If this email exists, a recovery link has been sent"}'
+		return
+	fi
+
+	# Generate reset token
+	local reset_token=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
+	local expiry=$(($(date +%s) + 3600))
+
+	mkdir -p /tmp/secubox-recovery
+	echo "${username}:${expiry}" > /tmp/secubox-recovery/${reset_token}
+
+	# Send recovery email
+	local domain=$(uci -q get ${CONFIG}.main.domain || echo "secubox.in")
+	local portal_url="https://portal.${domain}/reset.html?token=${reset_token}"
+
+	# Use mailctl if available, otherwise sendmail
+	if [ -x /usr/sbin/mailctl ]; then
+		echo -e "Subject: SecuBox Password Recovery\n\nClick here to reset your password:\n${portal_url}\n\nThis link expires in 1 hour." | mailctl send "$email" 2>/dev/null &
+	fi
+
+	logger -t secubox-portal "Recovery email sent: $username"
+	echo '{"success":true,"message":"If this email exists, a recovery link has been sent"}'
+}
+
+# Reset password with token
+reset_password() {
+	read -r input
+	local token=$(echo "$input" | jsonfilter -e '@.token' 2>/dev/null)
+	local password=$(echo "$input" | jsonfilter -e '@.password' 2>/dev/null)
+
+	if [ -z "$token" ] || [ -z "$password" ]; then
+		echo '{"success":false,"error":"Token and password required"}'
+		return
+	fi
+
+	local token_file="/tmp/secubox-recovery/${token}"
+	if [ ! -f "$token_file" ]; then
+		echo '{"success":false,"error":"Invalid or expired token"}'
+		return
+	fi
+
+	local data=$(cat "$token_file")
+	local username=$(echo "$data" | cut -d: -f1)
+	local expiry=$(echo "$data" | cut -d: -f2)
+	local now=$(date +%s)
+
+	if [ "$now" -gt "$expiry" ]; then
+		rm -f "$token_file"
+		echo '{"success":false,"error":"Token expired"}'
+		return
+	fi
+
+	# Update password
+	local new_hash=$(echo -n "$password" | sha256sum | cut -d' ' -f1)
+	uci set ${CONFIG}.${username}.password_hash="$new_hash"
+	uci commit ${CONFIG}
+
+	# Cleanup token
+	rm -f "$token_file"
+
+	# Sync to services if enabled
+	[ "$(uci -q get ${CONFIG}.main.sync_passwords)" = "1" ] && secubox-users sync "$username" "$password" 2>/dev/null &
+
+	logger -t secubox-portal "Password reset: $username"
+	echo '{"success":true,"message":"Password updated"}'
+}
+
 list_methods() {
 	cat <<'EOFM'
-{"status":{},"users":{},"add":{"username":"str","password":"str","services":"str"},"delete":{"username":"str"},"passwd":{"username":"str","password":"str"}}
+{"status":{},"users":{},"add":{"username":"str","password":"str","services":"str"},"delete":{"username":"str"},"passwd":{"username":"str","password":"str"},"authenticate":{"username":"str","password":"str"},"recover":{"email":"str"},"reset_password":{"token":"str","password":"str"}}
 EOFM
 }

@ -183,6 +313,9 @@ case "$1" in
 			add) add_user ;;
 			delete) delete_user ;;
 			passwd) update_password ;;
+			authenticate) authenticate ;;
+			recover) recover ;;
+			reset_password) reset_password ;;
 			*) echo '{"error":"Unknown method"}' ;;
 		esac
 		;;