2015-04-27 11:56:57 -05:00
|
|
|
// Package basicauth implements HTTP Basic Authentication.
|
2015-04-23 15:57:07 -05:00
|
|
|
package basicauth
|
|
|
|
|
|
|
|
import (
|
2015-05-30 00:08:01 -05:00
|
|
|
"crypto/subtle"
|
2015-04-23 15:57:07 -05:00
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/mholt/caddy/middleware"
|
|
|
|
)
|
|
|
|
|
2015-05-04 07:53:54 -05:00
|
|
|
// BasicAuth is middleware to protect resources with a username and password.
|
|
|
|
// Note that HTTP Basic Authentication is not secure by itself and should
|
|
|
|
// not be used to protect important assets without HTTPS. Even then, the
|
|
|
|
// security of HTTP Basic Auth is disputed. Use discretion when deciding
|
|
|
|
// what to protect with BasicAuth.
|
|
|
|
type BasicAuth struct {
|
|
|
|
Next middleware.Handler
|
|
|
|
Rules []Rule
|
2015-04-23 15:57:07 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// ServeHTTP implements the middleware.Handler interface.
|
|
|
|
func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
|
2015-05-10 01:20:58 -05:00
|
|
|
|
|
|
|
var hasAuth bool
|
|
|
|
var isAuthenticated bool
|
|
|
|
|
2015-04-23 15:57:07 -05:00
|
|
|
for _, rule := range a.Rules {
|
|
|
|
for _, res := range rule.Resources {
|
|
|
|
if !middleware.Path(r.URL.Path).Matches(res) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// Path matches; parse auth header
|
|
|
|
username, password, ok := r.BasicAuth()
|
2015-05-10 01:20:58 -05:00
|
|
|
hasAuth = true
|
2015-04-23 15:57:07 -05:00
|
|
|
|
|
|
|
// Check credentials
|
2015-05-30 00:08:01 -05:00
|
|
|
if !ok ||
|
|
|
|
username != rule.Username ||
|
|
|
|
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
|
2015-05-10 01:20:58 -05:00
|
|
|
continue
|
2015-04-23 15:57:07 -05:00
|
|
|
}
|
2015-05-30 00:08:01 -05:00
|
|
|
|
|
|
|
// Flag set only on successful authentication
|
2015-05-10 01:20:58 -05:00
|
|
|
isAuthenticated = true
|
|
|
|
}
|
|
|
|
}
|
2015-05-24 21:52:34 -05:00
|
|
|
|
2015-05-10 01:20:58 -05:00
|
|
|
if hasAuth {
|
|
|
|
if !isAuthenticated {
|
|
|
|
w.Header().Set("WWW-Authenticate", "Basic")
|
|
|
|
return http.StatusUnauthorized, nil
|
2015-04-23 15:57:07 -05:00
|
|
|
}
|
2015-05-24 21:52:34 -05:00
|
|
|
// "It's an older code, sir, but it checks out. I was about to clear them."
|
|
|
|
return a.Next.ServeHTTP(w, r)
|
2015-04-23 15:57:07 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Pass-thru when no paths match
|
|
|
|
return a.Next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Rule represents a BasicAuth rule. A username and password
|
|
|
|
// combination protect the associated resources, which are
|
|
|
|
// file or directory paths.
|
|
|
|
type Rule struct {
|
|
|
|
Username string
|
|
|
|
Password string
|
|
|
|
Resources []string
|
|
|
|
}
|