-
-
Notifications
You must be signed in to change notification settings - Fork 811
/
auth.go
149 lines (124 loc) · 4.75 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
package middleware
import (
"crypto/subtle"
"net/http"
"strings"
"github.com/owncast/owncast/core/data"
"github.com/owncast/owncast/core/user"
"github.com/owncast/owncast/utils"
log "github.com/sirupsen/logrus"
)
// ExternalAccessTokenHandlerFunc is a function that is called after validing access.
type ExternalAccessTokenHandlerFunc func(user.ExternalAPIUser, http.ResponseWriter, *http.Request)
// UserAccessTokenHandlerFunc is a function that is called after validing user access.
type UserAccessTokenHandlerFunc func(user.User, http.ResponseWriter, *http.Request)
// RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
// the stream key as the password and and a hardcoded "admin" for username.
func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
username := "admin"
password := data.GetAdminPassword()
realm := "Owncast Authenticated Request"
// Alow CORS only for localhost:3000 to support Owncast development.
validAdminHost := "http://localhost:3000"
w.Header().Set("Access-Control-Allow-Origin", validAdminHost)
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
// For request needing CORS, send a 204.
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusNoContent)
return
}
user, pass, ok := r.BasicAuth()
// Failed
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
log.Debugln("Failed admin authentication")
return
}
handler(w, r)
}
}
func accessDenied(w http.ResponseWriter) {
w.WriteHeader(http.StatusUnauthorized) //nolint
w.Write([]byte("unauthorized")) //nolint
}
// RequireExternalAPIAccessToken will validate a 3rd party access token.
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// We should accept 3rd party preflight OPTIONS requests.
if r.Method == "OPTIONS" {
// All OPTIONS requests should have a wildcard CORS header.
w.Header().Set("Access-Control-Allow-Origin", "*")
w.WriteHeader(http.StatusNoContent)
return
}
authHeader := r.Header.Get("Authorization")
token := ""
if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
token = authHeader[len("bearer "):]
}
if token == "" {
log.Warnln("invalid access token")
accessDenied(w)
return
}
integration, err := user.GetExternalAPIUserForAccessTokenAndScope(token, scope)
if integration == nil || err != nil {
accessDenied(w)
return
}
// All auth'ed 3rd party requests should have a wildcard CORS header.
w.Header().Set("Access-Control-Allow-Origin", "*")
handler(*integration, w, r)
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
log.Debugln("token not found when updating last_used timestamp")
}
})
}
// RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled.
// Not to be used for validating 3rd party access.
func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
accessToken := r.URL.Query().Get("accessToken")
if accessToken == "" {
accessDenied(w)
return
}
ipAddress := utils.GetIPAddressFromRequest(r)
// Check if this client's IP address is banned.
if blocked, err := data.IsIPAddressBanned(ipAddress); blocked {
log.Debugln("Client ip address has been blocked. Rejecting.")
accessDenied(w)
return
} else if err != nil {
log.Errorln("error determining if IP address is blocked: ", err)
}
// A user is required to use the websocket
user := user.GetUserByToken(accessToken)
if user == nil || !user.IsEnabled() {
accessDenied(w)
return
}
handler(*user, w, r)
})
}
// RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled
// and has "MODERATOR" scope assigned to the user.
func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
accessToken := r.URL.Query().Get("accessToken")
if accessToken == "" {
accessDenied(w)
return
}
// A user is required to use the websocket
user := user.GetUserByToken(accessToken)
if user == nil || !user.IsEnabled() || !user.IsModerator() {
accessDenied(w)
return
}
handler(w, r)
})
}