Block guest accounts from web UI login

The web UI now validates the MCIAS token after login and rejects accounts with the guest role before setting the session cookie. This is defense-in-depth alongside the env:restricted MCIAS tag. The webserver.New() constructor takes a new ValidateFunc parameter that inspects token roles post-authentication. MCIAS login does not return roles, so this requires an extra ValidateToken round-trip at login time (result is cached for 30s). Security: guest role accounts are denied web UI access Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 23:02:22 -07:00
parent 3d36c58d0d
commit 9d7043a594
7 changed files with 160 additions and 18 deletions
--- a/internal/webserver/auth.go
+++ b/internal/webserver/auth.go
@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"log"
 	"net/http"
+	"slices"
 	"strings"
 )

@@ -93,6 +94,31 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// Validate the token to check roles. Guest accounts are not
+	// permitted to use the web interface.
+	roles, err := s.validateFn(token)
+	if err != nil {
+		log.Printf("login token validation failed for user %q: %v", username, err)
+		csrf := s.generateCSRFToken(w)
+		s.templates.render(w, "login", map[string]any{
+			"Error":     "Login failed. Please try again.",
+			"CSRFToken": csrf,
+			"Session":   false,
+		})
+		return
+	}
+
+	if slices.Contains(roles, "guest") {
+		log.Printf("login denied for guest user %q", username)
+		csrf := s.generateCSRFToken(w)
+		s.templates.render(w, "login", map[string]any{
+			"Error":     "Guest accounts are not permitted to access the web interface.",
+			"CSRFToken": csrf,
+			"Session":   false,
+		})
+		return
+	}
+
 	http.SetCookie(w, &http.Cookie{
 		Name:     "mcr_session",
 		Value:    token,