From 03b30cc7f4ab82225be6b6d62f99b4c699628b91 Mon Sep 17 00:00:00 2001
From: Christian Roessner
Date: Mon, 6 May 2024 10:07:01 +0200
Subject: [PATCH] Add build tag-based conditional rendering and endpoint access In this update, build tags have been added to enable or disable certain endpoint accesses and UI rendering based on the build environment. Specifically, the "dev" build tag determines whether the device login button is displayed on the login page, and the "register2fa" build tag configures whether the 2FA endpoints are accessible. Making these features conditional improves the flexibility of customization based on the application's deployment environment.
Signed-off-by: Christian Roessner
---
 server/core/http.go | 29 +++++++++++++++++------------
 server/core/hydra.go | 5 +++++
 server/tags/dev.go | 5 +++++
 server/tags/disableregistration.go | 5 +++++
 server/tags/enableregistration.go | 5 +++++
 server/tags/prod.go | 5 +++++
 static/login.html | 4 ++++
 7 files changed, 46 insertions(+), 12 deletions(-)
 create mode 100644 server/tags/dev.go
 create mode 100644 server/tags/disableregistration.go
 create mode 100644 server/tags/enableregistration.go
 create mode 100644 server/tags/prod.go
diff --git a/server/core/http.go b/server/core/http.go
index e2ac6443..18a5072d 100644
--- a/server/core/http.go
+++ b/server/core/http.go
@@ -18,6 +18,7 @@ import (
 "github.com/croessner/nauthilus/server/lualib"
 "github.com/croessner/nauthilus/server/rediscli"
 "github.com/croessner/nauthilus/server/stats"
+ "github.com/croessner/nauthilus/server/tags"
 "github.com/croessner/nauthilus/server/util"
 "github.com/gin-contrib/pprof"
 "github.com/gin-contrib/sessions"
@@ -552,15 +553,17 @@ func setupHydraEndpoints(router *gin.Engine, store sessions.Store) {
 //
 // setup2FAEndpoints(router, sessionStore)
 func setup2FAEndpoints(router *gin.Engine, sessionStore sessions.Store) {
- group := router.Group(global.TwoFAv1Root)
+ if tags.Register2FA {
+ group := router.Group(global.TwoFAv1Root)
- // This page handles the user login request to do a two-factor authentication
- twoFactorGroup := routerGroup(viper.GetString("login_2fa_page"), group, sessionStore, loginGET2FAHandler, loginPOST2FAHandler)
- twoFactorGroup.GET("/home", register2FAHomeHandler)
- twoFactorGroup.GET("/home/:languageTag", register2FAHomeHandler)
+ // This page handles the user login request to do a two-factor authentication
+ twoFactorGroup := routerGroup(viper.GetString("login_2fa_page"), group, sessionStore, loginGET2FAHandler, loginPOST2FAHandler)
+ twoFactorGroup.GET("/home", register2FAHomeHandler)
+ twoFactorGroup.GET("/home/:languageTag", register2FAHomeHandler)
- // This page handles the TOTP registration
- routerGroup(viper.GetString("totp_page"), group, sessionStore, registerTotpGETHandler, registerTotpPOSTHandler)
+ // This page handles the TOTP registration
+ routerGroup(viper.GetString("totp_page"), group, sessionStore, registerTotpGETHandler, registerTotpPOSTHandler)
+ }
 }
 // setupStaticContent is a function that sets up the static content endpoints in the given Gin router.
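Review bot: The `if tags.Register2FA` wrapper in setup2FAEndpoints also removes the `login_2fa_page` routes (`loginGET2FAHandler` / `loginPOST2FAHandler`), which the retained comment describes as the two-factor login page and not only the TOTP registration page. If the login flow sends users who already have a second factor to that page, a default build (no `register2fa` tag) would presumably have no route for it, so confirm this is intended or gate only the `/home` and `totp_page` registration routes. A guard clause reads better than indenting the whole body: `if !tags.Register2FA { return }`. The function's doc comment starts outside the hunk; it should state that the routes exist only in builds with the `register2fa` tag.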
@@ -632,12 +635,14 @@ func setupBackChannelEndpoints(router *gin.Engine) {
 // - A GET endpoint at the path "/register/begin" which is handled by the beginRegistration function.
 // - A POST endpoint at the path "/register/finish" which is handled by the finishRegistration function.
 func setupWebAuthnEndpoints(router *gin.Engine, sessionStore sessions.Store) {
- group := router.Group(global.TwoFAv1Root)
+ if tags.IsDevelopment {
+ group := router.Group(global.TwoFAv1Root)
- regGroup := group.Group(viper.GetString("webauthn_page"))
- regGroup.Use(sessions.Sessions(global.SessionName, sessionStore))
- regGroup.GET("/register/begin", beginRegistration)
- regGroup.POST("/register/finish", finishRegistration)
+ regGroup := group.Group(viper.GetString("webauthn_page"))
+ regGroup.Use(sessions.Sessions(global.SessionName, sessionStore))
+ regGroup.GET("/register/begin", beginRegistration)
+ regGroup.POST("/register/finish", finishRegistration)
+ }
 }
 // waitForShutdown is a function that waits for the context to be done, then shuts down the provided http.Server.
diff --git a/server/core/hydra.go b/server/core/hydra.go
index eea1945a..5809d8a2 100644
--- a/server/core/hydra.go
+++ b/server/core/hydra.go
@@ -16,6 +16,7 @@ import (
 errors2 "github.com/croessner/nauthilus/server/errors"
 "github.com/croessner/nauthilus/server/global"
 "github.com/croessner/nauthilus/server/logging"
+ "github.com/croessner/nauthilus/server/tags"
 "github.com/croessner/nauthilus/server/util"
 "github.com/gin-contrib/sessions"
 "github.com/gin-gonic/gin"
@@ -53,6 +54,9 @@ type Language struct {
 }
 type LoginPageData struct {
+ // InDevelopment is a flag that is true, if the build-tag dev is used.
+ InDevelopment bool
+
 // Determines if the Welcome message should be displayed
 WantWelcome bool
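Review bot: setupWebAuthnEndpoints now registers nothing unless the binary is built with the `dev` tag, yet the doc comment above it still lists `/register/begin` and `/register/finish` unconditionally; add a line such as `// The routes are only registered in builds with the "dev" build tag.`. One coarse tag now decides whether WebAuthn registration is reachable, and the only middleware visible in this hunk is the session store (whether the handlers authenticate the caller is not shown here), so a dev-tagged binary that reaches production would expose these routes. Logging the active build tags once at startup would let operators detect that case. As a style point, `if !tags.IsDevelopment { return }` avoids the extra indentation level.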
@@ -1051,6 +1055,7 @@ func (a *ApiConfig) handleLoginNoSkip() {
 LanguagePassive: languagePassive,
 CSRFToken: a.csrfToken,
 LoginChallenge: a.challenge,
+ InDevelopment: tags.IsDevelopment,
 }
 a.ctx.HTML(http.StatusOK, "login.html", loginData)
diff --git a/server/tags/dev.go b/server/tags/dev.go
new file mode 100644
index 00000000..0a57f7dc
--- /dev/null
+++ b/server/tags/dev.go
@@ -0,0 +1,5 @@
+//go:build dev
+
+package tags
+
+const IsDevelopment = true
diff --git a/server/tags/disableregistration.go b/server/tags/disableregistration.go
new file mode 100644
index 00000000..a4da0d9b
--- /dev/null
+++ b/server/tags/disableregistration.go
@@ -0,0 +1,5 @@
+//go:build !register2fa
+
+package tags
+
+const Register2FA = false
diff --git a/server/tags/enableregistration.go b/server/tags/enableregistration.go
new file mode 100644
index 00000000..36308354
--- /dev/null
+++ b/server/tags/enableregistration.go
@@ -0,0 +1,5 @@
+//go:build register2fa
+
+package tags
+
+const Register2FA = true
diff --git a/server/tags/prod.go b/server/tags/prod.go
new file mode 100644
index 00000000..8e43f696
--- /dev/null
+++ b/server/tags/prod.go
@@ -0,0 +1,5 @@
+//go:build !dev
+
+package tags
+
+const IsDevelopment = false
diff --git a/static/login.html b/static/login.html
index 466269aa..0df0e236 100644
--- a/static/login.html
+++ b/static/login.html
@@ -49,11 +49,15 @@
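Review bot: The exported constants in the four new `server/tags` files have no doc comments and the package has no package comment, so the `//go:build` line is the only hint to which tag sets which value. Add e.g. `// IsDevelopment reports whether the binary was built with the "dev" build tag.` in dev.go and prod.go, and `// Register2FA reports whether the binary was built with the "register2fa" build tag.` in enableregistration.go and disableregistration.go. Both constants are false when no tag is given, i.e. the gated routes are off by default; stating that fail-closed default in a package comment makes it harder for a later change to invert a constraint unnoticed.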

{{ .ApplicationName }}

+ {{ if .InDevelopment }}

{{ .Or }}

+ {{ else }} + + {{ end }}
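Review bot: `{{ if .InDevelopment }}` only hides markup and is not access control; no visible hunk of this patch gates the route that the hidden device login control submits to. Confirm that the corresponding handler is also registered behind `tags.IsDevelopment`, otherwise a production build still serves it even though the button is absent. The element inside the conditional is not visible here, so this is inferred from the commit description and the template conditionals.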