package app import ( "context" "fmt" "github.com/pkg/errors" log "github.com/sirupsen/logrus" "golang.org/x/crypto/bcrypt" "net/http" ) type contextKey int var authInfoKey contextKey // AuthInfo holds the username and authentication status type AuthInfo struct { Username string Authenticated bool } // authWebdavHandlerFunc is a type definition which holds a context and application reference to // match the AuthWebdavHandler interface. type authWebdavHandlerFunc func(c context.Context, w http.ResponseWriter, r *http.Request, a *App) // ServeHTTP simply calls the AuthWebdavHandlerFunc with given parameters func (f authWebdavHandlerFunc) ServeHTTP(c context.Context, w http.ResponseWriter, r *http.Request, a *App) { f(c, w, r, a) } // NewBasicAuthWebdavHandler creates a new http handler with basic auth features. // The handler will use the application config for user and password lookups. func NewBasicAuthWebdavHandler(a *App) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ctx := context.Background() handlerFunc := authWebdavHandlerFunc(handle) handlerFunc.ServeHTTP(ctx, w, r, a) }) } func authenticate(config *Config, username, password string) (*AuthInfo, error) { if !config.AuthenticationNeeded() { return &AuthInfo{Username: "", Authenticated: true}, nil } if username == "" || password == "" { return &AuthInfo{Username: username, Authenticated: false}, errors.New("username not found or password empty") } user := config.Users[username] if user == nil { return &AuthInfo{Username: username, Authenticated: false}, errors.New("user not found") } err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) if err != nil { return &AuthInfo{Username: username, Authenticated: false}, errors.New("Password doesn't match") } return &AuthInfo{Username: username, Authenticated: true}, nil } // AuthFromContext returns information about the authentication state of the current user. func AuthFromContext(ctx context.Context) *AuthInfo { info, ok := ctx.Value(authInfoKey).(*AuthInfo) if !ok { return nil } return info } func handle(ctx context.Context, w http.ResponseWriter, r *http.Request, a *App) { // if there are no users, we don't need authentication here if (!a.Config.AuthenticationNeeded()) { a.Handler.ServeHTTP(w, r.WithContext(ctx)) return } username, password, ok := httpAuth(r, a.Config) if !ok { writeUnauthorized(w, a.Config.Realm) return } authInfo, err := authenticate(a.Config, username, password) if err != nil { log.WithField("user", username).Warn(err.Error()) } if !authInfo.Authenticated { writeUnauthorized(w, a.Config.Realm) return } ctx = context.WithValue(ctx, authInfoKey, authInfo) a.Handler.ServeHTTP(w, r.WithContext(ctx)) } func httpAuth(r *http.Request, config *Config) (string, string, bool) { if config.AuthenticationNeeded() { username, password, ok := r.BasicAuth() return username, password, ok } return "", "", true } func writeUnauthorized(w http.ResponseWriter, realm string) { w.Header().Set("WWW-Authenticate", "Basic realm="+realm) w.WriteHeader(http.StatusUnauthorized) w.Write([]byte(fmt.Sprintf("%d %s", http.StatusUnauthorized, "Unauthorized"))) } // GenHash generates a bcrypt hashed password string func GenHash(password []byte) string { pw, err := bcrypt.GenerateFromPassword(password, 10) if err != nil { log.Fatal(err) } return string(pw) }