123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300 |
- package auth
- import (
- "crypto/rand"
- "fmt"
- "io"
- "net/http"
- "net/url"
- "devt.de/krotik/common/datautil"
- "devt.de/krotik/common/errorutil"
- "devt.de/krotik/common/httputil/user"
- )
- const cookieNameAuth = "~aid"
- var CookieMaxLifetime = 3600
- var TestCookieAuthDisabled = false
- type CookieAuthHandleFuncWrapper struct {
- origHandleFunc func(pattern string, handler func(http.ResponseWriter, *http.Request))
- authFunc func(user, pass string) bool
- accessFunc func(http.ResponseWriter, *http.Request, string) bool
- tokenMap *datautil.MapCache
- expiry int
- publicURL map[string]func(http.ResponseWriter, *http.Request)
-
- CallbackSessionExpired func(w http.ResponseWriter, r *http.Request)
- CallbackUnauthorized func(w http.ResponseWriter, r *http.Request)
- }
- func NewCookieAuthHandleFuncWrapper(origHandleFunc func(pattern string,
- handler func(http.ResponseWriter, *http.Request))) *CookieAuthHandleFuncWrapper {
- return &CookieAuthHandleFuncWrapper{
- origHandleFunc,
- nil,
- nil,
- datautil.NewMapCache(0, int64(CookieMaxLifetime)),
- CookieMaxLifetime,
- make(map[string]func(http.ResponseWriter, *http.Request)),
-
- func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusUnauthorized)
- w.Write([]byte("Session expired\n"))
- },
- func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusUnauthorized)
- w.Write([]byte("Unauthorized\n"))
- },
- }
- }
- func (cw *CookieAuthHandleFuncWrapper) AddPublicPage(url string, handler func(http.ResponseWriter, *http.Request)) {
- cw.publicURL[url] = handler
- }
- func (cw *CookieAuthHandleFuncWrapper) Expiry() int {
- return cw.expiry
- }
- func (cw *CookieAuthHandleFuncWrapper) SetExpiry(secs int) {
- cw.expiry = secs
- cw.tokenMap = datautil.NewMapCache(0, int64(secs))
- }
- func (cw *CookieAuthHandleFuncWrapper) SetAuthFunc(authFunc func(user, pass string) bool) {
- cw.authFunc = authFunc
- }
- func (cw *CookieAuthHandleFuncWrapper) SetAccessFunc(accessFunc func(http.ResponseWriter, *http.Request, string) bool) {
- cw.accessFunc = accessFunc
- }
- func (cw *CookieAuthHandleFuncWrapper) AuthUser(user, pass string, testOnly bool) string {
- if cw.authFunc != nil && cw.authFunc(user, pass) {
- if !testOnly {
-
- aid := cw.newAuthID()
- cw.tokenMap.Put(aid, user)
- return aid
- }
- return "ok"
- }
- return ""
- }
- func (cw *CookieAuthHandleFuncWrapper) CheckAuth(r *http.Request) (string, bool) {
- var name string
- var ok bool
- cookie, _ := r.Cookie(cookieNameAuth)
- if cookie != nil && cookie.Value != "" {
- var user interface{}
- if user, ok = cw.tokenMap.Get(cookie.Value); ok {
- name = fmt.Sprint(user)
- }
- }
- return name, ok
- }
- func (cw *CookieAuthHandleFuncWrapper) SetAuthCookie(yaid string, w http.ResponseWriter) {
- if yaid == "" {
-
- return
- }
- cookie := http.Cookie{
- Name: cookieNameAuth,
- Value: url.QueryEscape(yaid),
- Path: "/",
- HttpOnly: true,
- MaxAge: cw.expiry,
- }
- http.SetCookie(w, &cookie)
- }
- func (cw *CookieAuthHandleFuncWrapper) RemoveAuthCookie(w http.ResponseWriter) {
- cookie := http.Cookie{
- Name: cookieNameAuth,
- Value: "",
- Path: "/",
- HttpOnly: true,
- MaxAge: -1,
- }
- http.SetCookie(w, &cookie)
- }
- func (cw *CookieAuthHandleFuncWrapper) InvalidateAuthCookie(r *http.Request) {
- cookie, _ := r.Cookie(cookieNameAuth)
- if cookie != nil && cookie.Value != "" {
- cw.tokenMap.Remove(cookie.Value)
- }
- }
- func (cw *CookieAuthHandleFuncWrapper) newAuthID() string {
- b := make([]byte, 32)
- _, err := io.ReadFull(rand.Reader, b)
- errorutil.AssertOk(err)
- return fmt.Sprintf("A-%x", b)
- }
- func (cw *CookieAuthHandleFuncWrapper) HandleFunc(pattern string, handler func(http.ResponseWriter, *http.Request)) {
- cw.origHandleFunc(pattern, func(w http.ResponseWriter, r *http.Request) {
-
- if chandler, ok := cw.publicURL[r.URL.Path]; ok {
- chandler(w, r)
- return
- }
-
- if TestCookieAuthDisabled {
- handler(w, r)
- return
- }
-
- cookie, _ := r.Cookie(cookieNameAuth)
- if cookie != nil && cookie.Value != "" {
-
- if name, ok := cw.tokenMap.Get(cookie.Value); ok {
- nameString := fmt.Sprint(name)
-
-
-
-
- session, err := user.UserSessionManager.GetSession(nameString, w, r, true)
- if session != nil && err == nil && session.User() == nameString {
-
- cw.SetAuthCookie(cookie.Value, w)
-
- if cw.accessFunc == nil || cw.accessFunc(w, r, nameString) {
-
- handler(w, r)
- }
- return
- }
-
- defer cw.tokenMap.Remove(cookie.Value)
- cw.CallbackSessionExpired(w, r)
- return
- }
- }
- cw.CallbackUnauthorized(w, r)
- })
- }
|