Compare commits

..

3 commits

Author SHA1 Message Date
deba20f503 fix: remove base32 padding for Addy API token encoding/decoding
All checks were successful
continuous-integration/drone/push Build is passing
2026-03-08 13:52:13 +07:00
fe4b3cf671 feat: add alias creation UI with domain selector on profile page
All checks were successful
continuous-integration/drone/push Build is passing
Users can now generate a random disposable alias by selecting an
allowed domain from a dropdown and clicking "Generate alias", without
specifying a custom local part.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 13:07:05 +07:00
ad16084d47 docs: add README and dex custom theme
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 13:03:29 +07:00
2 changed files with 39 additions and 36 deletions

View file

@ -37,7 +37,7 @@ chldapasswd [flags] generate-lost-password-link <uid>
| `-bind` | `127.0.0.1:8080` | Listen address | | `-bind` | `127.0.0.1:8080` | Listen address |
| `-baseurl` | `/` | URL prefix (for reverse-proxy subpath deployment) | | `-baseurl` | `/` | URL prefix (for reverse-proxy subpath deployment) |
| `-config` | _(none)_ | Path to a JSON config file for LDAP settings | | `-config` | _(none)_ | Path to a JSON config file for LDAP settings |
| `-public-url` | _(none)_ | Base URL used in password reset emails | | `-public-url` | `https://ldap.nemunai.re` | Base URL used in password reset emails |
| `-brand-name` | `chldapasswd` | Brand name shown in the UI | | `-brand-name` | `chldapasswd` | Brand name shown in the UI |
| `-brand-logo` | _(none)_ | URL of a logo image shown in the UI | | `-brand-logo` | _(none)_ | URL of a logo image shown in the UI |
| `-addy-api-secret` | _(none)_ | HMAC secret for the alias API | | `-addy-api-secret` | _(none)_ | HMAC secret for the alias API |
@ -76,7 +76,7 @@ The `-config` flag accepts a JSON file whose fields map directly to the `LDAP` s
```json ```json
{ {
"Host": "auth.example.com", "Host": "ldap.example.com",
"Port": 636, "Port": 636,
"Ssl": true, "Ssl": true,
"BaseDN": "dc=example,dc=com", "BaseDN": "dc=example,dc=com",
@ -109,13 +109,13 @@ The alias API is compatible with the addy.io API format. Tokens are HMAC-SHA224
```sh ```sh
# Create alias # Create alias
curl -X POST https://auth.example.com/api/v1/aliases \ curl -X POST https://ldap.example.com/api/v1/aliases \
-H "Authorization: Bearer <token>" \ -H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{"domain": "example.com"}' -d '{"domain": "example.com"}'
# Delete alias # Delete alias
curl -X DELETE https://auth.example.com/api/v1/aliases/abc123%40example.com \ curl -X DELETE https://ldap.example.com/api/v1/aliases/abc123%40example.com \
-H "Authorization: Bearer <token>" -H "Authorization: Bearer <token>"
``` ```
@ -133,7 +133,7 @@ The `dextpl/` directory contains a matching theme for [Dex](https://dexidp.io/)
```sh ```sh
docker run -d \ docker run -d \
-e LDAP_HOST=auth.example.com \ -e LDAP_HOST=ldap.example.com \
-e LDAP_PORT=636 \ -e LDAP_PORT=636 \
-e LDAP_SSL=true \ -e LDAP_SSL=true \
-e LDAP_BASEDN=dc=example,dc=com \ -e LDAP_BASEDN=dc=example,dc=com \
@ -142,7 +142,7 @@ docker run -d \
-e SMTP_HOST=smtp.example.com \ -e SMTP_HOST=smtp.example.com \
-e SMTP_PORT=587 \ -e SMTP_PORT=587 \
-e SMTP_FROM=noreply@example.com \ -e SMTP_FROM=noreply@example.com \
-e PUBLIC_URL=https://auth.example.com \ -e PUBLIC_URL=https://ldap.example.com \
-p 8080:8080 \ -p 8080:8080 \
nemunaire/chldapasswd nemunaire/chldapasswd
``` ```

63
main.go
View file

@ -17,7 +17,7 @@ import (
"syscall" "syscall"
) )
var myPublicURL = "" var myPublicURL = "https://ldap.nemunai.re"
var devMode bool var devMode bool
var brandName = "chldapasswd" var brandName = "chldapasswd"
var brandLogo = "" var brandLogo = ""
@ -35,7 +35,7 @@ var myLDAP = LDAP{
Port: 389, Port: 389,
BaseDN: "dc=example,dc=com", BaseDN: "dc=example,dc=com",
MailPort: 587, MailPort: 587,
MailFrom: "noreply@example.com", MailFrom: "noreply@nemunai.re",
} }
type ResponseWriterPrefix struct { type ResponseWriterPrefix struct {
@ -79,34 +79,37 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
} }
func main() { func main() {
baseURL := "/" var bind = flag.String("bind", "127.0.0.1:8080", "Bind port/socket")
bind := "127.0.0.1:8080" var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
var configfile = flag.String("config", "", "path to the configuration file")
var publicURL = flag.String("public-url", myPublicURL, "Public base URL used in password reset emails")
var dev = flag.Bool("dev", false, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
var bname = flag.String("brand-name", "chldapasswd", "Brand name displayed in the UI")
var blogo = flag.String("brand-logo", "", "URL of brand logo displayed in the UI (added to CSP img-src)")
flag.Parse()
myPublicURL = *publicURL
devMode = *dev
brandName = *bname
brandLogo = *blogo
if val, ok := os.LookupEnv("BRAND_NAME"); ok { if val, ok := os.LookupEnv("BRAND_NAME"); ok {
brandName = val brandName = val
} }
if val, ok := os.LookupEnv("BRAND_LOGO"); ok { if val, ok := os.LookupEnv("BRAND_LOGO"); ok {
brandLogo = val brandLogo = val
} }
var configfile = flag.String("config", "", "path to the configuration file")
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
flag.StringVar(&bind, "bind", bind, "Bind port/socket")
flag.StringVar(&brandName, "brand-name", brandName, "Brand name displayed in the UI")
flag.StringVar(&brandLogo, "brand-logo", brandLogo, "URL of brand logo displayed in the UI (added to CSP img-src)")
flag.BoolVar(&devMode, "dev", devMode, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
flag.StringVar(&myPublicURL, "public-url", myPublicURL, "Public base URL used in password reset emails")
flag.Parse()
if devMode { if devMode {
log.Println("WARNING: running in development mode — security features relaxed, do not use in production") log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
} }
// Sanitize options // Sanitize options
if baseURL != "/" { log.Println("Checking paths...")
baseURL = path.Clean(baseURL) if *baseURL != "/" {
tmp := path.Clean(*baseURL)
baseURL = &tmp
} else { } else {
baseURL = "" tmp := ""
baseURL = &tmp
} }
// Load config file // Load config file
@ -228,20 +231,20 @@ func main() {
signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM) signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
// Register handlers // Register handlers
http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", baseURL), serveAltchaJS) http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", *baseURL), serveAltchaJS)
http.HandleFunc(fmt.Sprintf("GET %s/style.css", baseURL), serveStyleCSS) http.HandleFunc(fmt.Sprintf("GET %s/style.css", *baseURL), serveStyleCSS)
http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", baseURL), serveAltchaChallenge) http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", *baseURL), serveAltchaChallenge)
http.HandleFunc(fmt.Sprintf("%s/{$}", baseURL), changePassword) http.HandleFunc(fmt.Sprintf("%s/{$}", *baseURL), changePassword)
http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", baseURL), addyAliasAPI) http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", *baseURL), addyAliasAPI)
http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", baseURL), addyAliasAPIDelete) http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", *baseURL), addyAliasAPIDelete)
http.HandleFunc(fmt.Sprintf("%s/auth", baseURL), httpBasicAuth) http.HandleFunc(fmt.Sprintf("%s/auth", *baseURL), httpBasicAuth)
http.HandleFunc(fmt.Sprintf("%s/login", baseURL), tryLogin) http.HandleFunc(fmt.Sprintf("%s/login", *baseURL), tryLogin)
http.HandleFunc(fmt.Sprintf("%s/change", baseURL), changePassword) http.HandleFunc(fmt.Sprintf("%s/change", *baseURL), changePassword)
http.HandleFunc(fmt.Sprintf("%s/reset", baseURL), resetPassword) http.HandleFunc(fmt.Sprintf("%s/reset", *baseURL), resetPassword)
http.HandleFunc(fmt.Sprintf("%s/lost", baseURL), lostPassword) http.HandleFunc(fmt.Sprintf("%s/lost", *baseURL), lostPassword)
srv := &http.Server{ srv := &http.Server{
Addr: bind, Addr: *bind,
Handler: securityHeaders(http.DefaultServeMux), Handler: securityHeaders(http.DefaultServeMux),
} }
@ -250,7 +253,7 @@ func main() {
log.Fatal(srv.ListenAndServe()) log.Fatal(srv.ListenAndServe())
}() }()
log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN) log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN)
log.Printf("Ready, listening on %s", bind) log.Printf("Ready, listening on %s", *bind)
// Wait shutdown signal // Wait shutdown signal
<-interrupt <-interrupt