From 1791533e0eae20edcec453d319a9ec0d8db063e8 Mon Sep 17 00:00:00 2001 From: gabek Date: Thu, 25 Aug 2022 23:17:24 +0000 Subject: [PATCH] Optionally require auth for the /upload endpoint (#23) Reviewed-on: https://git.mills.io/prologic/tube/pulls/23 Co-authored-by: gabek Co-committed-by: gabek --- app/app.go | 6 ++++- app/middleware/auth.go | 50 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 app/middleware/auth.go diff --git a/app/app.go b/app/app.go index aed83c6..f726e83 100644 --- a/app/app.go +++ b/app/app.go @@ -14,9 +14,11 @@ import ( "sort" "strings" + "git.mills.io/prologic/tube/app/middleware" "git.mills.io/prologic/tube/importers" "git.mills.io/prologic/tube/media" "git.mills.io/prologic/tube/utils" + rice "github.com/GeertJohan/go.rice" "github.com/dustin/go-humanize" "github.com/fsnotify/fsnotify" @@ -95,9 +97,11 @@ func NewApp(cfg *Config) (*App, error) { a.Templates.Add("import", importTemplate) // Setup Router + authPassword := os.Getenv("auth_password") + r := mux.NewRouter().StrictSlash(true) r.HandleFunc("/", a.indexHandler).Methods("GET", "OPTIONS") - r.HandleFunc("/upload", a.uploadHandler).Methods("GET", "OPTIONS", "POST") + r.HandleFunc("/upload", middleware.OptionallyRequireAdminAuth(a.uploadHandler, authPassword)).Methods("GET", "OPTIONS", "POST") r.HandleFunc("/import", a.importHandler).Methods("GET", "OPTIONS", "POST") r.HandleFunc("/v/{id}.mp4", a.videoHandler).Methods("GET") r.HandleFunc("/v/{prefix}/{id}.mp4", a.videoHandler).Methods("GET") diff --git a/app/middleware/auth.go b/app/middleware/auth.go new file mode 100644 index 0000000..61a58e3 --- /dev/null +++ b/app/middleware/auth.go @@ -0,0 +1,50 @@ +package middleware + +import ( + "crypto/subtle" + "net/http" + + log "github.com/sirupsen/logrus" +) + +// OptionallyRequireAdminAuth wraps a handler requiring HTTP basic auth +// using "uploader" as the username. +// If a password isn't set then auth is skipped. +func OptionallyRequireAdminAuth(handler http.HandlerFunc, password string) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + // Empty password means auth is not required. + if password == "" { + handler(w, r) + return + } + + username := "uploader" + realm := "Tube uploader" + + // The following line is kind of a work around. + // If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the + // Access-Control-Allow-Origin header. So we just pull out the origin header and specify it. + // If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that. + w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin")) + w.Header().Set("Access-Control-Allow-Credentials", "true") + w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization") + + // For request needing CORS, send a 204. + if r.Method == "OPTIONS" { + w.WriteHeader(http.StatusNoContent) + return + } + + user, pass, ok := r.BasicAuth() + + // Failed + if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 { + w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`) + http.Error(w, "Unauthorized", http.StatusUnauthorized) + log.Debugln("Failed uploader authentication") + return + } + + handler(w, r) + } +}