summaryrefslogtreecommitdiff
path: root/src/http/auth.go
blob: 3ad026a8001ad4dac14ba45d563f871fa8bfa060 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

package http

import (
	"context"
	"net/http"
	"time"

	"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
	"golang.org/x/crypto/bcrypt"
)

// NewPasswordHash returns the hash of the given plaintext password, for use
// with Auther.
func NewPasswordHash(plaintext string) string {
	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13)
	if err != nil {
		panic(err)
	}
	return string(hashedPassword)
}

// Auther determines who can do what.
type Auther interface {
	Allowed(ctx context.Context, username, password string) bool
	Close() error
}

type auther struct {
	users  map[string]string
	ticker *time.Ticker
}

// NewAuther initializes and returns an Auther will which allow the given
// username and password hash combinations. Password hashes must have been
// created using NewPasswordHash.
func NewAuther(users map[string]string, ratelimit time.Duration) Auther {
	return &auther{
		users:  users,
		ticker: time.NewTicker(ratelimit),
	}
}

func (a *auther) Close() error {
	a.ticker.Stop()
	return nil
}

func (a *auther) Allowed(ctx context.Context, username, password string) bool {

	select {
	case <-ctx.Done():
		return false
	case <-a.ticker.C:
	}

	hashedPassword, ok := a.users[username]
	if !ok {
		return false
	}

	err := bcrypt.CompareHashAndPassword(
		[]byte(hashedPassword), []byte(password),
	)

	return err == nil
}

func authMiddleware(auther Auther) middleware {

	respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) {
		rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
		rw.WriteHeader(http.StatusUnauthorized)
		apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized")
	}

	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {

			username, password, ok := r.BasicAuth()

			if !ok {
				respondUnauthorized(rw, r)
				return
			}

			if !auther.Allowed(r.Context(), username, password) {
				respondUnauthorized(rw, r)
				return
			}

			h.ServeHTTP(rw, r)
		})
	}
}

Please direct all issues, questions, and patches to me@mediocregopher.com.

Check mediocregopher.com for periodic updates about projects I'm working on.