Optionally require auth for the /upload endpoint (#23)

Reviewed-on: https://git.mills.io/prologic/tube/pulls/23 Co-authored-by: gabek <gabek@noreply@mills.io> Co-committed-by: gabek <gabek@noreply@mills.io>
2022-08-25 23:17:24 +00:00 · 2022-08-25 23:17:24 +00:00 · 1791533e0e
commit 1791533e0e
parent ed8964ee7a
2 changed files with 55 additions and 1 deletions
--- a/app/app.go
+++ b/app/app.go
@ -14,9 +14,11 @@ import (
 	"sort"
 	"strings"

+	"git.mills.io/prologic/tube/app/middleware"
 	"git.mills.io/prologic/tube/importers"
 	"git.mills.io/prologic/tube/media"
 	"git.mills.io/prologic/tube/utils"
+
 	rice "github.com/GeertJohan/go.rice"
 	"github.com/dustin/go-humanize"
 	"github.com/fsnotify/fsnotify"
@ -95,9 +97,11 @@ func NewApp(cfg *Config) (*App, error) {
 	a.Templates.Add("import", importTemplate)

 	// Setup Router
+	authPassword := os.Getenv("auth_password")
+
 	r := mux.NewRouter().StrictSlash(true)
 	r.HandleFunc("/", a.indexHandler).Methods("GET", "OPTIONS")
-	r.HandleFunc("/upload", a.uploadHandler).Methods("GET", "OPTIONS", "POST")
+	r.HandleFunc("/upload", middleware.OptionallyRequireAdminAuth(a.uploadHandler, authPassword)).Methods("GET", "OPTIONS", "POST")
 	r.HandleFunc("/import", a.importHandler).Methods("GET", "OPTIONS", "POST")
 	r.HandleFunc("/v/{id}.mp4", a.videoHandler).Methods("GET")
 	r.HandleFunc("/v/{prefix}/{id}.mp4", a.videoHandler).Methods("GET")
--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@ -0,0 +1,50 @@
+package middleware
+
+import (
+	"crypto/subtle"
+	"net/http"
+
+	log "github.com/sirupsen/logrus"
+)
+
+// OptionallyRequireAdminAuth wraps a handler requiring HTTP basic auth
+// using "uploader" as the username.
+// If a password isn't set then auth is skipped.
+func OptionallyRequireAdminAuth(handler http.HandlerFunc, password string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Empty password means auth is not required.
+		if password == "" {
+			handler(w, r)
+			return
+		}
+
+		username := "uploader"
+		realm := "Tube uploader"
+
+		// The following line is kind of a work around.
+		// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
+		// Access-Control-Allow-Origin header.  So we just pull out the origin header and specify it.
+		// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
+		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
+
+		// For request needing CORS, send a 204.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		user, pass, ok := r.BasicAuth()
+
+		// Failed
+		if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
+			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			log.Debugln("Failed uploader authentication")
+			return
+		}
+
+		handler(w, r)
+	}
+}