package http import ( "context" "net/http" "time" "code.betamike.com/mediocregopher/mediocre-blog/src/http/apiutil" "golang.org/x/crypto/bcrypt" ) // NewPasswordHash returns the hash of the given plaintext password, for use // with Auther. func NewPasswordHash(plaintext string) string { hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13) if err != nil { panic(err) } return string(hashedPassword) } // Auther determines who can do what. type Auther interface { Allowed(ctx context.Context, username, password string) bool Close() error } type auther struct { users map[string]string ticker *time.Ticker } // NewAuther initializes and returns an Auther will which allow the given // username and password hash combinations. Password hashes must have been // created using NewPasswordHash. func NewAuther(users map[string]string, ratelimit time.Duration) Auther { return &auther{ users: users, ticker: time.NewTicker(ratelimit), } } func (a *auther) Close() error { a.ticker.Stop() return nil } func (a *auther) Allowed(ctx context.Context, username, password string) bool { select { case <-ctx.Done(): return false case <-a.ticker.C: } hashedPassword, ok := a.users[username] if !ok { return false } err := bcrypt.CompareHashAndPassword( []byte(hashedPassword), []byte(password), ) return err == nil } func authMiddleware(auther Auther) middleware { respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) { rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`) rw.WriteHeader(http.StatusUnauthorized) apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized") } return func(h http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { username, password, ok := r.BasicAuth() if !ok { respondUnauthorized(rw, r) return } if !auther.Allowed(r.Context(), username, password) { respondUnauthorized(rw, r) return } h.ServeHTTP(rw, r) }) } }