-
Notifications
You must be signed in to change notification settings - Fork 5
/
pass_auth.go
95 lines (78 loc) · 2.66 KB
/
pass_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
package gig
type (
// PassAuthCertCheck defines a function to validate certificate fingerprint.
// Must return path on unsuccessful login.
PassAuthCertCheck func(string, Context) (string, error)
// PassAuthLogin defines a function to login user.
// It may pin certificate to user if login is successful.
// Must return path to redirect to after login.
PassAuthLogin func(username, password, sig string, c Context) (string, error)
)
// PassAuth is a middleware that implements username/password authentication
// by first requiring a certificate, checking username/password using PassAuthValidator,
// and then pinning certificate to it.
//
// For valid credentials it calls the next handler.
func PassAuth(check PassAuthCertCheck) MiddlewareFunc {
return func(next HandlerFunc) HandlerFunc {
return func(c Context) error {
// If no client certificate is sent, request it
var sig = c.CertHash()
if sig == "" {
return c.NoContent(StatusClientCertificateRequired, "Please create a certificate")
}
to, err := check(sig, c)
if err != nil {
debugPrintf("gemini: could not check certificate: %s", err)
return c.NoContent(StatusBadRequest, "Try again later")
}
if to != "" {
return c.NoContent(StatusRedirectTemporary, to)
}
return next(c)
}
}
}
// PassAuthLoginHandle sets up handlers to check username/password using PassAuthLogin.
func (g *Gig) PassAuthLoginHandle(path string, fn PassAuthLogin) {
g.Handle(path, func(c Context) error {
cert := c.Certificate()
if cert == nil {
return c.NoContent(StatusClientCertificateRequired, "Please create a certificate")
}
username, err := c.QueryString()
if err != nil {
debugPrintf("gemini: could not extract username from URL: %s", err)
return c.NoContent(StatusBadRequest, "Invalid username received")
}
if username == "" {
return c.NoContent(StatusInput, "Enter username")
}
return c.NoContent(StatusRedirectTemporary, "%s/%s", path, username)
})
g.Handle(path+"/:username", func(c Context) error {
var (
username = c.Param("username")
sig = c.CertHash()
)
if sig == "" {
return c.NoContent(StatusClientCertificateRequired, "Please create a certificate")
}
if username == "" {
return c.NoContent(StatusRedirectTemporary, path)
}
password, err := c.QueryString()
if err != nil {
debugPrintf("gemini: could not extract password from URL: %s", err)
return c.NoContent(StatusBadRequest, "Invalid password received")
}
if password == "" {
return c.NoContent(StatusSensitiveInput, "Enter password")
}
to, err := fn(username, password, sig, c)
if err != nil {
return err
}
return c.NoContent(StatusRedirectTemporary, to)
})
}