refactor: use cookie-based login

feat: add login page
2023-08-10 21:12:56 +03:00 · 2020-05-24 13:41:19 +02:00
parent d3ab54f6dc
commit 9697bb5fd5
19 changed files with 449 additions and 219 deletions
--- a/middlewares/authenticate.go
+++ b/middlewares/authenticate.go
@ -2,12 +2,9 @@ package middlewares

 import (
 	"context"
-	"crypto/md5"
-	"encoding/base64"
-	"encoding/hex"
 	"errors"
+	"github.com/muety/wakapi/utils"
 	"net/http"
-	"regexp"
 	"strings"
 	"time"

@ -18,25 +15,23 @@ import (
 )

 type AuthenticateMiddleware struct {
-	UserSrvc       *services.UserService
-	Cache          *cache.Cache
-	WhitelistPaths []string
-	Initialized    bool
+	config         *models.Config
+	userSrvc       *services.UserService
+	cache          *cache.Cache
+	whitelistPaths []string
 }

-func (m *AuthenticateMiddleware) Init() {
-	if m.Cache == nil {
-		m.Cache = cache.New(1*time.Hour, 2*time.Hour)
+func NewAuthenticateMiddleware(config *models.Config, userService *services.UserService, whitelistPaths []string) *AuthenticateMiddleware {
+	return &AuthenticateMiddleware{
+		config:         config,
+		userSrvc:       userService,
+		cache:          cache.New(1*time.Hour, 2*time.Hour),
+		whitelistPaths: whitelistPaths,
 	}
-	m.Initialized = true
 }

 func (m *AuthenticateMiddleware) Handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	if !m.Initialized {
-		m.Init()
-	}
-
-	for _, p := range m.WhitelistPaths {
+	for _, p := range m.whitelistPaths {
 		if strings.HasPrefix(r.URL.Path, p) || r.URL.Path == p {
 			next(w, r)
 			return
@ -44,81 +39,66 @@ func (m *AuthenticateMiddleware) Handle(w http.ResponseWriter, r *http.Request,
 	}

 	var user *models.User
-	var userKey string
-	user, userKey, err := m.tryGetUserByPassword(r)
+	user, err := m.tryGetUserByCookie(r)

 	if err != nil {
-		user, userKey, err = m.tryGetUserByApiKey(r)
+		user, err = m.tryGetUserByApiKey(r)
 	}

 	if err != nil {
-		w.WriteHeader(http.StatusUnauthorized)
+		if strings.HasPrefix(r.URL.Path, "/api") {
+			w.WriteHeader(http.StatusUnauthorized)
+		} else {
+			utils.ClearCookie(w, models.AuthCookieKey)
+			http.Redirect(w, r, "/?error=unauthorized", http.StatusFound)
+		}
 		return
 	}

-	m.Cache.Set(userKey, user, cache.DefaultExpiration)
+	m.cache.Set(user.ID, user, cache.DefaultExpiration)

 	ctx := context.WithValue(r.Context(), models.UserKey, user)
 	next(w, r.WithContext(ctx))
 }

-func (m *AuthenticateMiddleware) tryGetUserByApiKey(r *http.Request) (*models.User, string, error) {
-	authHeader := strings.Split(r.Header.Get("Authorization"), " ")
-	if len(authHeader) != 2 || authHeader[0] != "Basic" {
-		return nil, "", errors.New("failed to extract API key")
-	}
-
-	key, err := base64.StdEncoding.DecodeString(authHeader[1])
+func (m *AuthenticateMiddleware) tryGetUserByApiKey(r *http.Request) (*models.User, error) {
+	key, err := utils.ExtractBearerAuth(r)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}

 	var user *models.User
-	userKey := strings.TrimSpace(string(key))
-	cachedUser, ok := m.Cache.Get(userKey)
+	userKey := strings.TrimSpace(key)
+	cachedUser, ok := m.cache.Get(userKey)
 	if !ok {
-		user, err = m.UserSrvc.GetUserByKey(userKey)
+		user, err = m.userSrvc.GetUserByKey(userKey)
 		if err != nil {
-			return nil, "", err
+			return nil, err
 		}
 	} else {
 		user = cachedUser.(*models.User)
 	}
-	return user, userKey, nil
+	return user, nil
 }

-func (m *AuthenticateMiddleware) tryGetUserByPassword(r *http.Request) (*models.User, string, error) {
-	authHeader := strings.Split(r.Header.Get("Authorization"), " ")
-	if len(authHeader) != 2 || authHeader[0] != "Basic" {
-		return nil, "", errors.New("failed to extract API key")
-	}
-
-	hash, err := base64.StdEncoding.DecodeString(authHeader[1])
-	userKey := strings.TrimSpace(string(hash))
+func (m *AuthenticateMiddleware) tryGetUserByCookie(r *http.Request) (*models.User, error) {
+	login, err := utils.ExtractCookieAuth(r, m.config)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}

 	var user *models.User
-	cachedUser, ok := m.Cache.Get(userKey)
+	cachedUser, ok := m.cache.Get(login.Username)
 	if !ok {
-		re := regexp.MustCompile(`^(.+):(.+)$`)
-		groups := re.FindAllStringSubmatch(userKey, -1)
-		if len(groups) == 0 || len(groups[0]) != 3 {
-			return nil, "", errors.New("failed to parse user agent string")
-		}
-		userId, password := groups[0][1], groups[0][2]
-		user, err = m.UserSrvc.GetUserById(userId)
+		user, err = m.userSrvc.GetUserById(login.Username)
 		if err != nil {
-			return nil, "", err
+			return nil, err
 		}
-		passwordHash := md5.Sum([]byte(password))
-		passwordHashString := hex.EncodeToString(passwordHash[:])
-		if passwordHashString != user.Password {
-			return nil, "", errors.New("invalid password")
+		if !utils.CheckPassword(user, login.Password) {
+			return nil, errors.New("invalid password")
 		}
 	} else {
 		user = cachedUser.(*models.User)
 	}
-	return user, userKey, nil
+	return user, nil
 }
--- a/middlewares/basicauth.go
+++ b/middlewares/basicauth.go
@ -1,14 +0,0 @@
-package middlewares
-
-import (
-	"net/http"
-)
-
-type RequireBasicAuthMiddleware struct{}
-
-func (m *RequireBasicAuthMiddleware) Init() {}
-
-func (m *RequireBasicAuthMiddleware) Handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
-	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-	next(w, r)
-}