mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-23 22:27:38 -05:00
102 lines
2.4 KiB
Go
102 lines
2.4 KiB
Go
|
package basicauth
|
||
|
|
||
|
import (
|
||
|
"net/http"
|
||
|
|
||
|
"github.com/mholt/caddy/middleware"
|
||
|
)
|
||
|
|
||
|
// New constructs a new BasicAuth middleware instance.
|
||
|
func New(c middleware.Controller) (middleware.Middleware, error) {
|
||
|
rules, err := parse(c)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
basic := BasicAuth{
|
||
|
Rules: rules,
|
||
|
}
|
||
|
|
||
|
return func(next middleware.Handler) middleware.Handler {
|
||
|
basic.Next = next
|
||
|
return basic
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
// ServeHTTP implements the middleware.Handler interface.
|
||
|
func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
|
||
|
for _, rule := range a.Rules {
|
||
|
for _, res := range rule.Resources {
|
||
|
if !middleware.Path(r.URL.Path).Matches(res) {
|
||
|
continue
|
||
|
}
|
||
|
|
||
|
// Path matches; parse auth header
|
||
|
username, password, ok := r.BasicAuth()
|
||
|
|
||
|
// Check credentials
|
||
|
if !ok || username != rule.Username || password != rule.Password {
|
||
|
w.Header().Set("WWW-Authenticate", "Basic")
|
||
|
return http.StatusUnauthorized, nil
|
||
|
}
|
||
|
|
||
|
// "It's an older code, sir, but it checks out. I was about to clear them."
|
||
|
return a.Next.ServeHTTP(w, r)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// Pass-thru when no paths match
|
||
|
return a.Next.ServeHTTP(w, r)
|
||
|
}
|
||
|
|
||
|
func parse(c middleware.Controller) ([]Rule, error) {
|
||
|
var rules []Rule
|
||
|
|
||
|
for c.Next() {
|
||
|
var rule Rule
|
||
|
|
||
|
args := c.RemainingArgs()
|
||
|
|
||
|
switch len(args) {
|
||
|
case 2:
|
||
|
rule.Username = args[0]
|
||
|
rule.Password = args[1]
|
||
|
for c.NextBlock() {
|
||
|
rule.Resources = append(rule.Resources, c.Val())
|
||
|
if c.NextArg() {
|
||
|
return rules, c.Err("Expecting only one resource per line (extra '" + c.Val() + "')")
|
||
|
}
|
||
|
}
|
||
|
case 3:
|
||
|
rule.Resources = append(rule.Resources, args[0])
|
||
|
rule.Username = args[1]
|
||
|
rule.Password = args[2]
|
||
|
default:
|
||
|
return rules, c.ArgErr()
|
||
|
}
|
||
|
|
||
|
rules = append(rules, rule)
|
||
|
}
|
||
|
|
||
|
return rules, nil
|
||
|
}
|
||
|
|
||
|
// BasicAuth is middleware to protect resources with a username and password.
|
||
|
// Note that HTTP Basic Authentication is not secure by itself and should
|
||
|
// not be used to protect important assets without HTTPS. Even then, the
|
||
|
// security of HTTP Basic Auth is disputed. Use discretion when deciding
|
||
|
// what to protect with BasicAuth.
|
||
|
type BasicAuth struct {
|
||
|
Next middleware.Handler
|
||
|
Rules []Rule
|
||
|
}
|
||
|
|
||
|
// Rule represents a BasicAuth rule. A username and password
|
||
|
// combination protect the associated resources, which are
|
||
|
// file or directory paths.
|
||
|
type Rule struct {
|
||
|
Username string
|
||
|
Password string
|
||
|
Resources []string
|
||
|
}
|