summaryrefslogtreecommitdiff
path: root/srv/src/api
diff options
context:
space:
mode:
authorBrian Picciano <mediocregopher@gmail.com>2022-05-19 22:44:33 -0600
committerBrian Picciano <mediocregopher@gmail.com>2022-05-19 22:44:33 -0600
commit3664286506f673737c0784b9cfd494cda1dc4618 (patch)
treeaa30b37e0d9057bf945eec0d3699404e08445b8b /srv/src/api
parent8da42184eb26bbd35618d81e47bcd23b6ce21adb (diff)
Actually use the auth middleware for assets routes
Diffstat (limited to 'srv/src/api')
-rw-r--r--srv/src/api/api.go17
-rw-r--r--srv/src/api/auth.go10
2 files changed, 20 insertions, 7 deletions
diff --git a/srv/src/api/api.go b/srv/src/api/api.go
index a5ada2d..7538662 100644
--- a/srv/src/api/api.go
+++ b/srv/src/api/api.go
@@ -54,6 +54,11 @@ type Params struct {
// reverse-proxied there.
StaticDir string
StaticProxy *url.URL
+
+ // AuthUsers keys are usernames which are allowed to edit server-side data,
+ // and the values are the password hash which accompanies those users. The
+ // password hash must have been produced by NewPasswordHash.
+ AuthUsers map[string]string
}
// SetupCfg implement the cfg.Cfger interface.
@@ -176,6 +181,8 @@ func (a *api) handler() http.Handler {
return h
}
+ auther := NewAuther(a.params.AuthUsers)
+
mux := http.NewServeMux()
mux.Handle("/", staticHandler)
@@ -208,9 +215,13 @@ func (a *api) handler() http.Handler {
v2Mux.Handle("/posts/", a.renderPostHandler())
v2Mux.Handle("/assets/", http.StripPrefix("/assets",
apiutil.MethodMux(map[string]http.Handler{
- "GET": a.getPostAssetHandler(),
- "POST": formMiddleware(a.postPostAssetHandler()),
- "DELETE": formMiddleware(a.deletePostAssetHandler()),
+ "GET": a.getPostAssetHandler(),
+ "POST": authMiddleware(auther,
+ formMiddleware(a.postPostAssetHandler()),
+ ),
+ "DELETE": authMiddleware(auther,
+ formMiddleware(a.deletePostAssetHandler()),
+ ),
}),
))
v2Mux.Handle("/", a.renderIndexHandler())
diff --git a/srv/src/api/auth.go b/srv/src/api/auth.go
index e668d7b..0d946a3 100644
--- a/srv/src/api/auth.go
+++ b/srv/src/api/auth.go
@@ -3,13 +3,14 @@ package api
import (
"net/http"
+ "github.com/mediocregopher/blog.mediocregopher.com/srv/api/apiutil"
"golang.org/x/crypto/bcrypt"
)
// NewPasswordHash returns the hash of the given plaintext password, for use
// with Auther.
func NewPasswordHash(plaintext string) string {
- hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 12)
+ hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13)
if err != nil {
panic(err)
}
@@ -48,9 +49,10 @@ func (a *auther) Allowed(username, password string) bool {
func authMiddleware(auther Auther, h http.Handler) http.Handler {
- respondUnauthorized := func(rw http.ResponseWriter) {
+ respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) {
rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
rw.WriteHeader(http.StatusUnauthorized)
+ apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized")
}
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@@ -58,12 +60,12 @@ func authMiddleware(auther Auther, h http.Handler) http.Handler {
username, password, ok := r.BasicAuth()
if !ok {
- respondUnauthorized(rw)
+ respondUnauthorized(rw, r)
return
}
if !auther.Allowed(username, password) {
- respondUnauthorized(rw)
+ respondUnauthorized(rw, r)
return
}