-
Notifications
You must be signed in to change notification settings - Fork 5
/
nanoauth.go
124 lines (104 loc) · 3.48 KB
/
nanoauth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
// Package nanoauth provides a uniform means of serving HTTP/S for golang
// projects securely. It allows the specification of a certificate (or
// generates one) as well as an auth token which is checked before the request
// is processed.
package nanoauth
import (
"crypto/subtle"
"crypto/tls"
"errors"
"net"
"net/http"
)
// Auth is a structure containing listener information
type Auth struct {
child http.Handler // child is the http handler passed in
Header string // Header is the authentication token's header name
Certificate *tls.Certificate // Certificate is the tls.Certificate to serve requests with
ExcludedPaths []string // ExcludedPaths is a list of paths to be excluded from being authenticated
Token string // Token is the security/authentication string to validate by
}
var (
// DefaultAuth is the default Auth object
DefaultAuth = &Auth{}
)
func init() {
DefaultAuth.Header = "X-NANOBOX-TOKEN"
DefaultAuth.Certificate, _ = Generate("nanobox.io")
}
// ServeHTTP is to implement the http.Handler interface. Also let clients know
// when I have no matching route listeners
func (self *Auth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
reqPath := req.URL.Path
skipOnce := false
for _, path := range self.ExcludedPaths {
if path == reqPath {
skipOnce = true
break
}
}
// open up for the CORS "secure" pre-flight check (browser doesn't allow devs to set headers in OPTIONS request)
if req.Method == "OPTIONS" {
// todo: actually check origin header to better implement CORS
skipOnce = true
}
if !skipOnce {
auth := ""
if auth = req.Header.Get(self.Header); auth == "" {
// check form value (case sensitive) if header not set
auth = req.FormValue(self.Header)
}
if subtle.ConstantTimeCompare([]byte(auth), []byte(self.Token)) == 0 {
rw.WriteHeader(http.StatusUnauthorized)
return
}
}
self.child.ServeHTTP(rw, req)
}
// ListenAndServeTLS starts a TLS listener and handles serving https
func (self *Auth) ListenAndServeTLS(addr, token string, h http.Handler, excludedPaths ...string) error {
if token == "" {
return errors.New("nanoauth: token missing")
}
config := &tls.Config{
Certificates: []tls.Certificate{*self.Certificate},
}
config.BuildNameToCertificate()
tlsListener, err := tls.Listen("tcp", addr, config)
if err != nil {
return err
}
self.ExcludedPaths = excludedPaths
self.Token = token
if h == nil {
h = http.DefaultServeMux
}
self.child = h
return http.Serve(tlsListener, self)
}
// ListenAndServe starts a normal tcp listener and handles serving http while
// still validating the auth token.
func (self *Auth) ListenAndServe(addr, token string, h http.Handler, excludedPaths ...string) error {
if token == "" {
return errors.New("nanoauth: token missing")
}
httpListener, err := net.Listen("tcp", addr)
if err != nil {
return err
}
self.ExcludedPaths = excludedPaths
self.Token = token
if h == nil {
h = http.DefaultServeMux
}
self.child = h
return http.Serve(httpListener, self)
}
// ListenAndServeTLS is a shortcut function which uses the default one
func ListenAndServeTLS(addr, token string, h http.Handler, excludedPaths ...string) error {
return DefaultAuth.ListenAndServeTLS(addr, token, h, excludedPaths...)
}
// ListenAndServe is a shortcut function which uses the default one
func ListenAndServe(addr, token string, h http.Handler, excludedPaths ...string) error {
return DefaultAuth.ListenAndServe(addr, token, h, excludedPaths...)
}