jwed/dashboard-unifi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e59f193ffc14efac4a5fbc548feb399963558e4d
dashboard-unifi/src/Http/Controllers/PortalController.php
jwed 0802ef35f3 feat: password rotation, PPSK management, VLAN/AP groups 
- Add password rotation: RotatePasswords console command + migration + service updates
- Add PPSK management: UnifiPpsk model, migration, SyncPpskSchedules console
- Add VLAN groups and AP groups: VlanGroupController, ApGroupController, model, migration
- Add RebootAllAps console command
- Add in_alert column to device states
- Wire new features through service provider, routes, and existing controllers/services

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 17:54:24 -04:00

205 lines
8.2 KiB
PHP
Raw Blame History

<?php
namespace Dashboard\Unifi\Http\Controllers;
use Dashboard\Unifi\Models\KnownMac;
use Dashboard\Unifi\Models\PortalSession;
use Dashboard\Unifi\Models\VlanGroup;
use Dashboard\Unifi\Models\VlanMapping;
use Dashboard\Unifi\Services\UnifiApiClient;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Inertia\Inertia;
class PortalController extends Controller
{
// ── Settings page (VLAN mappings + known MACs) ────────────────────────────
public function settings()
{
return Inertia::render('Unifi/Portal', [
'vlanGroups' => VlanGroup::orderBy('sort_order')->get(),
'vlanMappings' => VlanMapping::orderBy('sort_order')->get(),
'knownMacs' => KnownMac::orderBy('device_name')->paginate(50),
'activeSessions' => PortalSession::where('is_active', true)
->with('user:id,name,email')
->latest('authorized_at')
->get(),
]);
}
public function storeMapping(Request $request)
{
$data = $request->validate([
'group_name' => 'required|string|max:255',
'match_type' => 'required|in:ou,group,email_domain,default',
'match_value' => 'required|string|max:255',
'vlan_id' => 'required|integer|min:1|max:4094',
'max_devices' => 'required|integer|min:1|max:50',
'session_minutes' => 'required|integer|min:1',
]);
$data['sort_order'] = VlanMapping::max('sort_order') + 1;
VlanMapping::create($data);
return back()->with('success', 'VLAN mapping created.');
}
public function updateMapping(Request $request, VlanMapping $mapping)
{
$data = $request->validate([
'group_name' => 'required|string|max:255',
'match_type' => 'required|in:ou,group,email_domain,default',
'match_value' => 'required|string|max:255',
'vlan_id' => 'required|integer|min:1|max:4094',
'max_devices' => 'required|integer|min:1|max:50',
'session_minutes' => 'required|integer|min:1',
]);
$mapping->update($data);
return back()->with('success', 'Mapping updated.');
}
public function destroyMapping(VlanMapping $mapping)
{
$mapping->delete();
return back()->with('success', 'Mapping deleted.');
}
// ── Known MACs ────────────────────────────────────────────────────────────
public function storeMac(Request $request)
{
$data = $request->validate([
'mac_address' => 'required|string|regex:/^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/|unique:unifi_known_macs,mac_address',
'device_name' => 'nullable|string|max:255',
'device_type' => 'nullable|string|max:100',
'owner' => 'nullable|string|max:255',
'vlan_id' => 'required|integer|min:1|max:4094',
'notes' => 'nullable|string|max:1000',
]);
KnownMac::create($data);
return back()->with('success', 'MAC address added.');
}
public function destroyMac(KnownMac $mac)
{
$mac->delete();
return back()->with('success', 'MAC address removed.');
}
// ── Captive portal callback (called by UniFi external portal redirect) ───
public function captiveCallback(Request $request, UnifiApiClient $unifi)
{
// UniFi redirects guest to this URL with ?id=<ap_mac>&ap=<ap_mac>&t=<timestamp>&url=<original_url>&ssid=<ssid>
// At this point the user has already authenticated via Google OAuth (handled by the shell's auth system)
$user = $request->user();
if (! $user) {
return redirect()->route('login');
}
$clientMac = strtolower($request->input('mac', $request->input('id', '')));
$ssid = $request->input('ssid', '');
$apMac = $request->input('ap', '');
if (! $clientMac) {
return response('Missing MAC address', 400);
}
// Find the VLAN mapping for this user's group/OU
$mapping = $this->resolveMapping($user);
if (! $mapping) {
return Inertia::render('Unifi/PortalDenied', ['reason' => 'No WiFi access configured for your account.']);
}
// Check device limit
$activeSessions = PortalSession::where('user_id', $user->id)
->where('is_active', true)
->get();
foreach ($activeSessions as $session) {
if ($session->mac_address === $clientMac) {
// Same device reconnecting — refresh
$session->update(['is_active' => false]);
continue;
}
// Check if other device is still actually connected
if (! $unifi->isClientConnected($session->mac_address)) {
$session->update(['is_active' => false]); // stale session
}
}
$activeCount = PortalSession::where('user_id', $user->id)->where('is_active', true)->count();
if ($activeCount >= $mapping->max_devices) {
return Inertia::render('Unifi/PortalDenied', [
'reason' => "You already have {$activeCount} device(s) connected (limit: {$mapping->max_devices}).",
'sessions' => $activeSessions->map(fn ($s) => [
'id' => $s->id,
'mac' => $s->mac_address,
'hostname' => $s->device_hostname,
'os' => $s->device_os,
'since' => $s->authorized_at->toISOString(),
]),
'can_disconnect' => true,
]);
}
// Authorize the guest
$minutes = $mapping->session_minutes;
$unifi->authorizeGuest($clientMac, $minutes);
// Record the session
PortalSession::create([
'user_id' => $user->id,
'mac_address' => $clientMac,
'device_hostname' => $request->input('hostname'),
'device_os' => $request->input('os'),
'device_type' => $request->input('dev_cat'),
'ssid' => $ssid,
'vlan_id' => $mapping->vlan_id,
'ap_mac' => $apMac,
'is_active' => true,
'authorized_at' => now(),
'expires_at' => now()->addMinutes($minutes),
]);
// Redirect to the original URL the user was trying to reach
$redirectUrl = $request->input('url', '/');
return redirect($redirectUrl);
}
public function disconnectSession(Request $request, PortalSession $session, UnifiApiClient $unifi)
{
// Allow users to disconnect their own sessions
abort_if($session->user_id !== auth()->id() && ! auth()->user()->can('unifi.auth'), 403);
try {
$unifi->kickClient($session->mac_address);
$unifi->unauthorizeGuest($session->mac_address);
} catch (\Throwable) {}
$session->update(['is_active' => false]);
return back()->with('success', 'Device disconnected.');
}
// ── Private helpers ───────────────────────────────────────────────────────
private function resolveMapping($user): ?VlanMapping
{
$mappings = VlanMapping::orderBy('sort_order')->get();
// Try to match by email domain, group, OU, etc.
foreach ($mappings as $mapping) {
$matched = match ($mapping->match_type) {
'email_domain' => str_ends_with($user->email ?? '', '@' . $mapping->match_value),
'group' => $user->groups?->contains('name', $mapping->match_value) ?? false,
'ou' => str_contains($user->ou ?? '', $mapping->match_value),
'default' => true,
default => false,
};
if ($matched) return $mapping;
}
return null;
}
}
Reference in New Issue View Git Blame Copy Permalink