70fbc8c7b0
I am not quite done here, I need to finish some of the packaging metadata, and I am going to maybe take a pass at permissions prior to release. Opening the pull request so you can easily track the progress. Note that Sandstorm app metadata is supposed to be less than 1 MB total, so I optimized your screenshots. I dare you to tell the difference with the naked eye. Co-authored-by: Jacob Weisz <inbox@jacobweisz.com> Reviewed-on: https://git.mills.io/prologic/tube/pulls/26 Co-authored-by: Jacob Weisz <ocdtrekkie@noreply@mills.io> Co-committed-by: Jacob Weisz <ocdtrekkie@noreply@mills.io>
65 lines
2 KiB
Go
65 lines
2 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"net/http"
|
|
"strings"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// OptionallyRequireAdminAuth wraps a handler requiring HTTP basic auth
|
|
// using "uploader" as the username.
|
|
// If a password isn't set then auth is skipped.
|
|
func OptionallyRequireAdminAuth(handler http.HandlerFunc, password string) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
// Empty password means auth is not required.
|
|
if password == "" {
|
|
handler(w, r)
|
|
return
|
|
}
|
|
|
|
username := "uploader"
|
|
realm := "Tube uploader"
|
|
|
|
// The following line is kind of a work around.
|
|
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
|
|
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
|
|
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
|
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
|
|
|
// For request needing CORS, send a 204.
|
|
if r.Method == "OPTIONS" {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
user, pass, ok := r.BasicAuth()
|
|
|
|
// Failed
|
|
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
log.Debugln("Failed uploader authentication")
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
func RequireSandstormPermission(handler http.HandlerFunc, permissionNeeded string) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Failed
|
|
if !strings.Contains(r.Header.Get("X-Sandstorm-Permissions"), permissionNeeded) {
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
log.Debugln("No upload capability granted")
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|