|
|
package main
import ( "bufio" "encoding/base64" "net/http" "os" "strings"
"golang.org/x/crypto/scrypt")
const ( authPrefix = "Linx " scryptSalt = "linx-server" scryptN = 16384 scryptr = 8 scryptp = 1 scryptKeyLen = 32)
type AuthOptions struct { AuthFile string UnauthMethods []string}
type auth struct { successHandler http.Handler failureHandler http.Handler o AuthOptions}
func checkAuth(authFile string, decodedAuth []byte) (result bool, err error) { f, err := os.Open(authFile) if err != nil { return }
checkKey, err := scrypt.Key([]byte(decodedAuth), []byte(scryptSalt), scryptN, scryptr, scryptp, scryptKeyLen) if err != nil { return }
encodedKey := base64.StdEncoding.EncodeToString(checkKey)
scanner := bufio.NewScanner(bufio.NewReader(f)) for scanner.Scan() { if encodedKey == scanner.Text() { result = true return } }
result = false err = scanner.Err() return}
func (a auth) ServeHTTP(w http.ResponseWriter, r *http.Request) { if sliceContains(a.o.UnauthMethods, r.Method) { // allow unauthenticated methods
a.successHandler.ServeHTTP(w, r) return }
authHeader := r.Header.Get("Authorization") if !strings.HasPrefix(authHeader, authPrefix) { a.failureHandler.ServeHTTP(w, r) return }
decodedAuth, err := base64.StdEncoding.DecodeString(authHeader[len(authPrefix):]) if err != nil { a.failureHandler.ServeHTTP(w, r) return }
result, err := checkAuth(a.o.AuthFile, decodedAuth) if err != nil || !result { a.failureHandler.ServeHTTP(w, r) return }
a.successHandler.ServeHTTP(w, r)}
func UploadAuth(o AuthOptions) func(http.Handler) http.Handler { fn := func(h http.Handler) http.Handler { return auth{ successHandler: h, failureHandler: http.HandlerFunc(badAuthorizationHandler), o: o, } } return fn}
func badAuthorizationHandler(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusUnauthorized) http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)}
func sliceContains(slice []string, s string) bool { for _, v := range slice { if s == v { return true } }
return false}
|
