-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
94 lines (83 loc) · 2.51 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
package server
import (
"github.com/1f349/lavender/database"
"github.com/julienschmidt/httprouter"
"net/http"
"net/url"
"strings"
)
type UserHandler func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth)
type UserAuth struct {
Subject string
DisplayName string
UserInfo UserInfoFields
}
func (u UserAuth) IsGuest() bool { return u.Subject == "" }
func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
return h.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
var roles string
if h.DbTx(rw, func(tx *database.Tx) (err error) {
roles, err = tx.GetUserRoles(auth.Subject)
return
}) {
return
}
if !HasRole(roles, "lavender:admin") {
http.Error(rw, "403 Forbidden", http.StatusForbidden)
return
}
next(rw, req, params, auth)
})
}
func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
return h.OptionalAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
if auth.IsGuest() {
redirectUrl := PrepareRedirectUrl("/login", req.URL)
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
return
}
next(rw, req, params, auth)
})
}
func (h *HttpServer) OptionalAuthentication(next UserHandler) httprouter.Handle {
return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
authUser, err := h.internalAuthenticationHandler(req)
if err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
return
}
next(rw, req, params, authUser)
}
}
func (h *HttpServer) internalAuthenticationHandler(req *http.Request) (UserAuth, error) {
var u UserAuth
err := h.readLoginDataCookie(req, &u)
if err != nil {
// not logged in
return UserAuth{}, nil
}
return u, nil
}
func PrepareRedirectUrl(targetPath string, origin *url.URL) *url.URL {
// find start of query parameters in target path
n := strings.IndexByte(targetPath, '?')
v := url.Values{}
// parse existing query parameters
if n != -1 {
q, err := url.ParseQuery(targetPath[n+1:])
if err != nil {
panic("PrepareRedirectUrl: invalid hardcoded target path query parameters")
}
v = q
targetPath = targetPath[:n]
}
// add path of origin as a new query parameter
orig := origin.Path
if origin.RawQuery != "" || origin.ForceQuery {
orig += "?" + origin.RawQuery
}
if orig != "" {
v.Set("redirect", orig)
}
return &url.URL{Path: targetPath, RawQuery: v.Encode()}
}