summaryrefslogtreecommitdiff
path: root/srv
diff options
context:
space:
mode:
authorBrian Picciano <mediocregopher@gmail.com>2022-05-19 22:44:33 -0600
committerBrian Picciano <mediocregopher@gmail.com>2022-05-19 22:44:33 -0600
commit3664286506f673737c0784b9cfd494cda1dc4618 (patch)
treeaa30b37e0d9057bf945eec0d3699404e08445b8b /srv
parent8da42184eb26bbd35618d81e47bcd23b6ce21adb (diff)
Actually use the auth middleware for assets routes
Diffstat (limited to 'srv')
-rw-r--r--srv/default.nix3
-rw-r--r--srv/src/api/api.go17
-rw-r--r--srv/src/api/auth.go10
-rw-r--r--srv/src/cmd/hash-password/main.go23
-rw-r--r--srv/src/cmd/mediocre-blog/main.go9
5 files changed, 55 insertions, 7 deletions
diff --git a/srv/default.nix b/srv/default.nix
index 7067e1e..e7286b6 100644
--- a/srv/default.nix
+++ b/srv/default.nix
@@ -32,6 +32,9 @@
# listening
export MEDIOCRE_BLOG_LISTEN_PROTO="${config.listenProto}"
export MEDIOCRE_BLOG_LISTEN_ADDR="${config.listenAddr}"
+
+ # api
+ export MEDIOCRE_BLOG_API_AUTH_USERS='${builtins.toJSON config.apiAuthUsers}'
'';
build = buildGoModule {
diff --git a/srv/src/api/api.go b/srv/src/api/api.go
index a5ada2d..7538662 100644
--- a/srv/src/api/api.go
+++ b/srv/src/api/api.go
@@ -54,6 +54,11 @@ type Params struct {
// reverse-proxied there.
StaticDir string
StaticProxy *url.URL
+
+ // AuthUsers keys are usernames which are allowed to edit server-side data,
+ // and the values are the password hash which accompanies those users. The
+ // password hash must have been produced by NewPasswordHash.
+ AuthUsers map[string]string
}
// SetupCfg implement the cfg.Cfger interface.
@@ -176,6 +181,8 @@ func (a *api) handler() http.Handler {
return h
}
+ auther := NewAuther(a.params.AuthUsers)
+
mux := http.NewServeMux()
mux.Handle("/", staticHandler)
@@ -208,9 +215,13 @@ func (a *api) handler() http.Handler {
v2Mux.Handle("/posts/", a.renderPostHandler())
v2Mux.Handle("/assets/", http.StripPrefix("/assets",
apiutil.MethodMux(map[string]http.Handler{
- "GET": a.getPostAssetHandler(),
- "POST": formMiddleware(a.postPostAssetHandler()),
- "DELETE": formMiddleware(a.deletePostAssetHandler()),
+ "GET": a.getPostAssetHandler(),
+ "POST": authMiddleware(auther,
+ formMiddleware(a.postPostAssetHandler()),
+ ),
+ "DELETE": authMiddleware(auther,
+ formMiddleware(a.deletePostAssetHandler()),
+ ),
}),
))
v2Mux.Handle("/", a.renderIndexHandler())
diff --git a/srv/src/api/auth.go b/srv/src/api/auth.go
index e668d7b..0d946a3 100644
--- a/srv/src/api/auth.go
+++ b/srv/src/api/auth.go
@@ -3,13 +3,14 @@ package api
import (
"net/http"
+ "github.com/mediocregopher/blog.mediocregopher.com/srv/api/apiutil"
"golang.org/x/crypto/bcrypt"
)
// NewPasswordHash returns the hash of the given plaintext password, for use
// with Auther.
func NewPasswordHash(plaintext string) string {
- hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 12)
+ hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13)
if err != nil {
panic(err)
}
@@ -48,9 +49,10 @@ func (a *auther) Allowed(username, password string) bool {
func authMiddleware(auther Auther, h http.Handler) http.Handler {
- respondUnauthorized := func(rw http.ResponseWriter) {
+ respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) {
rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
rw.WriteHeader(http.StatusUnauthorized)
+ apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized")
}
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@@ -58,12 +60,12 @@ func authMiddleware(auther Auther, h http.Handler) http.Handler {
username, password, ok := r.BasicAuth()
if !ok {
- respondUnauthorized(rw)
+ respondUnauthorized(rw, r)
return
}
if !auther.Allowed(username, password) {
- respondUnauthorized(rw)
+ respondUnauthorized(rw, r)
return
}
diff --git a/srv/src/cmd/hash-password/main.go b/srv/src/cmd/hash-password/main.go
new file mode 100644
index 0000000..b787a4d
--- /dev/null
+++ b/srv/src/cmd/hash-password/main.go
@@ -0,0 +1,23 @@
+package main
+
+import (
+ "bufio"
+ "fmt"
+ "os"
+ "strings"
+
+ "github.com/mediocregopher/blog.mediocregopher.com/srv/api"
+)
+
+func main() {
+
+ fmt.Fprint(os.Stderr, "Password: ")
+
+ line, err := bufio.NewReader(os.Stdin).ReadString('\n')
+
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println(api.NewPasswordHash(strings.TrimSpace(line)))
+}
diff --git a/srv/src/cmd/mediocre-blog/main.go b/srv/src/cmd/mediocre-blog/main.go
index 092c4da..5cb4d5f 100644
--- a/srv/src/cmd/mediocre-blog/main.go
+++ b/srv/src/cmd/mediocre-blog/main.go
@@ -2,6 +2,7 @@ package main
import (
"context"
+ "encoding/json"
"os"
"os/signal"
"syscall"
@@ -55,6 +56,8 @@ func main() {
pathPrefix := cfg.String("path-prefix", "", "Prefix which is optionally applied to all URL paths rendered by the blog")
+ apiAuthUsersStr := cfg.String("api-auth-users", "{}", "JSON object with usernames as values and password hashes (produced by the hash-password binary) as values. Denotes users which are able to edit server-side data")
+
// initialization
err := cfg.Init(ctx)
@@ -128,6 +131,11 @@ func main() {
postStore := post.NewStore(postSQLDB)
postAssetStore := post.NewAssetStore(postSQLDB)
+ var apiAuthUsers map[string]string
+ if err := json.Unmarshal([]byte(*apiAuthUsersStr), &apiAuthUsers); err != nil {
+ logger.Fatal(ctx, "unmarshaling -api-auth-users", err)
+ }
+
apiParams.Logger = logger.WithNamespace("api")
apiParams.PowManager = powMgr
apiParams.PathPrefix = *pathPrefix
@@ -136,6 +144,7 @@ func main() {
apiParams.MailingList = ml
apiParams.GlobalRoom = chatGlobalRoom
apiParams.UserIDCalculator = chatUserIDCalc
+ apiParams.AuthUsers = apiAuthUsers
logger.Info(ctx, "listening")
a, err := api.New(apiParams)