depot/web/fup/fuphttp/auth.go

package fuphttp

import (
	"crypto/subtle"
	"fmt"
	"net/http"

	"github.com/gorilla/mux"
)

func tokenFromRequest(r *http.Request) (token string, ok bool) {
	// Check for a Fup-Token header.
	v := r.Header.Get("Fup-Token")
	if v != "" {
		return v, true
	}

	// Check for basic auth.
	_, v, ok = r.BasicAuth()
	return v, ok
}

func TokenAuthMiddleware(token, realm string) mux.MiddlewareFunc {
	return func(next http.Handler) http.Handler {
		if token == "" {
			return next
		}
		tokenBytes := []byte(token)

		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
			ctx := r.Context()
			if !IsMutate(ctx) {
				// Allow all access to public pages.
				next.ServeHTTP(rw, r)
				return
			}

			requestAuth := func(s string) {
				rw.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q, charset=\"UTF-8\"", realm))
				http.Error(rw, s, http.StatusUnauthorized)
			}

			pw, ok := tokenFromRequest(r)
			switch {
			case !ok:
				requestAuth("unparsable or no credentials")
				return
			case subtle.ConstantTimeCompare([]byte(pw), tokenBytes) != 1:
				requestAuth("bad credentials")
				return
			}

			// Auth check passed, let's go.
			next.ServeHTTP(rw, r)
			return
		})
	}
}
fup: add TokenAuthMiddleware This is an example middleware which can be used as an AuthMiddleware for only allowing requests to non-view pages which are accompanied by an auth token via HTTP basic auth. 2021-03-23 00:46:33 +00:00			`package fuphttp`

			`import (`
			`"crypto/subtle"`
			`"fmt"`
			`"net/http"`

			`"github.com/gorilla/mux"`
			`)`

fup: allow Fup-Token header for carrying auth credentials 2021-03-23 00:58:06 +00:00			`func tokenFromRequest(r *http.Request) (token string, ok bool) {`
			`// Check for a Fup-Token header.`
			`v := r.Header.Get("Fup-Token")`
			`if v != "" {`
			`return v, true`
			`}`

			`// Check for basic auth.`
			`_, v, ok = r.BasicAuth()`
			`return v, ok`
			`}`

fup: add TokenAuthMiddleware This is an example middleware which can be used as an AuthMiddleware for only allowing requests to non-view pages which are accompanied by an auth token via HTTP basic auth. 2021-03-23 00:46:33 +00:00			`func TokenAuthMiddleware(token, realm string) mux.MiddlewareFunc {`
			`return func(next http.Handler) http.Handler {`
			`if token == "" {`
			`return next`
			`}`
			`tokenBytes := []byte(token)`

			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`if !IsMutate(ctx) {`
			`// Allow all access to public pages.`
			`next.ServeHTTP(rw, r)`
			`return`
			`}`

			`requestAuth := func(s string) {`
			`rw.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q, charset=\"UTF-8\"", realm))`
			`http.Error(rw, s, http.StatusUnauthorized)`
			`}`

fup: allow Fup-Token header for carrying auth credentials 2021-03-23 00:58:06 +00:00			`pw, ok := tokenFromRequest(r)`
fup: add TokenAuthMiddleware This is an example middleware which can be used as an AuthMiddleware for only allowing requests to non-view pages which are accompanied by an auth token via HTTP basic auth. 2021-03-23 00:46:33 +00:00			`switch {`
			`case !ok:`
			`requestAuth("unparsable or no credentials")`
			`return`
			`case subtle.ConstantTimeCompare([]byte(pw), tokenBytes) != 1:`
			`requestAuth("bad credentials")`
			`return`
			`}`

			`// Auth check passed, let's go.`
			`next.ServeHTTP(rw, r)`
			`return`
			`})`
			`}`
			`}`