go-examples/photoblog/admin/admin.go

package admin

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"html/template"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"time"

	"github.com/gorilla/csrf"
	"github.com/gorilla/sessions"
)

const (
	USER      = "username"
	PWD       = "password"
	SESS_USER = "username"
	SESSION   = "photoblog.session"
)

// Application
type AuthCookie struct {
	Templates      *template.Template
	Store          *sessions.CookieStore
	DataDir        *os.File
	PasswordSecret string
	CsrfSecret     string
}

// Constructor AuthCookie
func NewAuthCookie(tpl *template.Template, sessionSecret, passwordSecret, csrfSecret string, data *os.File) *AuthCookie {
	app := &AuthCookie{
		Templates:      tpl,
		Store:          sessions.NewCookieStore([]byte(sessionSecret)),
		DataDir:        data,
		PasswordSecret: passwordSecret,
		CsrfSecret:     csrfSecret,
	}
	app.Store.Options = &sessions.Options{
		Secure:   true,
		HttpOnly: true,
		MaxAge:   int((24 * time.Hour) / time.Second),
	}
	return app
}

type LoginModel struct {
	Username      string
	UsernameError error
	PasswordError error
	CsrfToken     string
}

// Csrf handler wrapper
func (app *AuthCookie) Protect() func(http.Handler) http.Handler {
	return csrf.Protect([]byte(app.CsrfSecret), csrf.Secure(true), csrf.HttpOnly(true))
}

// Verify Username
func (app *AuthCookie) VerifyUsername(username string) error {
	if username == "" {
		return errors.New("Empty username")
	}
	return nil
}

// Verify password for user, check with file
func (app *AuthCookie) VerifyPassword(username, password string, res http.ResponseWriter, req *http.Request) error {
	if password == "" {
		return errors.New("Empty password")
	}
	if username == "" {
		return nil
	}
	// open password file
	passfile, err := os.Open(filepath.Join(app.DataDir.Name(), username, ".password"))
	if err != nil {
		log.Println("Cannot open password file", err)
		return errors.New("Authentification failed")
	}
	defer passfile.Close()

	// read password file
	expected, err := ioutil.ReadAll(passfile)
	if err != nil {
		log.Println("Cannot read password file", err)
		return errors.New("Authentification failed")
	}
	// hash password and compare
	expectedStr := string(expected)
	var expectedMAC []byte
	fmt.Sscanf(expectedStr, "%x", &expectedMAC)
	mac := hmac.New(sha256.New, []byte(app.PasswordSecret))
	mac.Write([]byte(password))
	passwordMAC := mac.Sum(nil)
	if !hmac.Equal(passwordMAC, expectedMAC) {
		log.Printf("Unmatched password for %s: %x - %x\n", username, passwordMAC, expectedMAC)
		return errors.New("Authentification failed")
	}
	log.Printf("Authentification successful (" + username + ")")
	return nil
}

// Save username in session
func (app *AuthCookie) SaveUsername(username string, res http.ResponseWriter, req *http.Request) {
	session := app.CurrentSession(res, req)
	session.Values[SESS_USER] = username
	session.Save(req, res)
}

// Test if a user is logged in
func (app *AuthCookie) IsLoggedIn(res http.ResponseWriter, req *http.Request) bool {
	session := app.CurrentSession(res, req)
	return session != nil && session.Values[SESS_USER] != ""
}

// Current username (from session cookie)
func (app *AuthCookie) Username(res http.ResponseWriter, req *http.Request) string {
	session := app.CurrentSession(res, req)
	if session == nil {
		return ""
	}
	val, _ := session.Values[SESS_USER].(string)
	return val
}

// Current session
func (app *AuthCookie) CurrentSession(res http.ResponseWriter, req *http.Request) *sessions.Session {
	session, _ := app.Store.Get(req, SESSION)
	return session
}

// Redirect to home page
func (app *AuthCookie) RedirectHome(res http.ResponseWriter, req *http.Request) {
	http.Redirect(res, req, "/", http.StatusSeeOther)
}

// ROUTES //

// login: form
func (app *AuthCookie) LoginPage(res http.ResponseWriter, req *http.Request) {
	model := LoginModel{
		CsrfToken: csrf.Token(req),
	}
	if req.Method == http.MethodPost {
		model.Username = req.FormValue(USER)
		model.UsernameError = app.VerifyUsername(model.Username)
		model.PasswordError = app.VerifyPassword(model.Username, req.FormValue(PWD), res, req)
		if model.UsernameError == nil && model.PasswordError == nil {
			app.SaveUsername(model.Username, res, req)
			app.RedirectHome(res, req)
			return
		}
	}
	app.Templates.ExecuteTemplate(res, "login.html", model)
}

// logout: delete session and redirect to home
func (app *AuthCookie) LogoutPage(res http.ResponseWriter, req *http.Request) {
	app.SaveUsername("", res, req)
	app.RedirectHome(res, req)
}
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`package admin`

			`import (`
Style, auth with file 2017-07-29 14:51:12 +00:00			`"crypto/hmac"`
			`"crypto/sha256"`
			`"errors"`
			`"fmt"`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`"html/template"`
Style, auth with file 2017-07-29 14:51:12 +00:00			`"io/ioutil"`
			`"log"`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`"net/http"`
Style, auth with file 2017-07-29 14:51:12 +00:00			`"os"`
			`"path/filepath"`
Secure session cookie 2017-07-30 08:01:23 +00:00			`"time"`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`"github.com/gorilla/csrf"`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`"github.com/gorilla/sessions"`
			`)`

Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`const (`
			`USER = "username"`
			`PWD = "password"`
			`SESS_USER = "username"`
			`SESSION = "photoblog.session"`
			`)`

			`// Application`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`type AuthCookie struct {`
Style, auth with file 2017-07-29 14:51:12 +00:00			`Templates *template.Template`
			`Store *sessions.CookieStore`
			`DataDir *os.File`
			`PasswordSecret string`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`CsrfSecret string`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`}`

Secure session cookie 2017-07-30 08:01:23 +00:00			`// Constructor AuthCookie`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`func NewAuthCookie(tpl template.Template, sessionSecret, passwordSecret, csrfSecret string, data os.File) *AuthCookie {`
Secure session cookie 2017-07-30 08:01:23 +00:00			`app := &AuthCookie{`
			`Templates: tpl,`
			`Store: sessions.NewCookieStore([]byte(sessionSecret)),`
			`DataDir: data,`
			`PasswordSecret: passwordSecret,`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`CsrfSecret: csrfSecret,`
Secure session cookie 2017-07-30 08:01:23 +00:00			`}`
			`app.Store.Options = &sessions.Options{`
			`Secure: true,`
			`HttpOnly: true,`
			`MaxAge: int((24 * time.Hour) / time.Second),`
			`}`
			`return app`
			`}`

Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`type LoginModel struct {`
			`Username string`
			`UsernameError error`
			`PasswordError error`
			`CsrfToken string`
			`}`

			`// Csrf handler wrapper`
			`func (app *AuthCookie) Protect() func(http.Handler) http.Handler {`
			`return csrf.Protect([]byte(app.CsrfSecret), csrf.Secure(true), csrf.HttpOnly(true))`
			`}`

Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`// Verify Username`
Style, auth with file 2017-07-29 14:51:12 +00:00			`func (app *AuthCookie) VerifyUsername(username string) error {`
			`if username == "" {`
			`return errors.New("Empty username")`
			`}`
			`return nil`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// Verify password for user, check with file`
Style, auth with file 2017-07-29 14:51:12 +00:00			`func (app AuthCookie) VerifyPassword(username, password string, res http.ResponseWriter, req http.Request) error {`
			`if password == "" {`
			`return errors.New("Empty password")`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`if username == "" {`
			`return nil`
			`}`
			`// open password file`
Style, auth with file 2017-07-29 14:51:12 +00:00			`passfile, err := os.Open(filepath.Join(app.DataDir.Name(), username, ".password"))`
			`if err != nil {`
			`log.Println("Cannot open password file", err)`
			`return errors.New("Authentification failed")`
			`}`
			`defer passfile.Close()`

Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`// read password file`
Style, auth with file 2017-07-29 14:51:12 +00:00			`expected, err := ioutil.ReadAll(passfile)`
			`if err != nil {`
			`log.Println("Cannot read password file", err)`
			`return errors.New("Authentification failed")`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`// hash password and compare`
Style, auth with file 2017-07-29 14:51:12 +00:00			`expectedStr := string(expected)`
			`var expectedMAC []byte`
			`fmt.Sscanf(expectedStr, "%x", &expectedMAC)`
			`mac := hmac.New(sha256.New, []byte(app.PasswordSecret))`
			`mac.Write([]byte(password))`
			`passwordMAC := mac.Sum(nil)`
			`if !hmac.Equal(passwordMAC, expectedMAC) {`
			`log.Printf("Unmatched password for %s: %x - %x\n", username, passwordMAC, expectedMAC)`
			`return errors.New("Authentification failed")`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`log.Printf("Authentification successful (" + username + ")")`
Style, auth with file 2017-07-29 14:51:12 +00:00			`return nil`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// Save username in session`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`func (app AuthCookie) SaveUsername(username string, res http.ResponseWriter, req http.Request) {`
			`session := app.CurrentSession(res, req)`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`session.Values[SESS_USER] = username`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`session.Save(req, res)`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// Test if a user is logged in`
Photo blog 2: unstyled, no auth 2017-07-29 11:54:23 +00:00			`func (app AuthCookie) IsLoggedIn(res http.ResponseWriter, req http.Request) bool {`
			`session := app.CurrentSession(res, req)`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`return session != nil && session.Values[SESS_USER] != ""`
Photo blog 2: unstyled, no auth 2017-07-29 11:54:23 +00:00			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// Current username (from session cookie)`
Photo blog 2: unstyled, no auth 2017-07-29 11:54:23 +00:00			`func (app AuthCookie) Username(res http.ResponseWriter, req http.Request) string {`
			`session := app.CurrentSession(res, req)`
			`if session == nil {`
			`return ""`
			`}`
Photoblog: fix cast nil session value 2017-07-29 17:30:32 +00:00			`val, _ := session.Values[SESS_USER].(string)`
			`return val`
Photo blog 2: unstyled, no auth 2017-07-29 11:54:23 +00:00			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// Current session`
			`func (app AuthCookie) CurrentSession(res http.ResponseWriter, req http.Request) *sessions.Session {`
			`session, _ := app.Store.Get(req, SESSION)`
			`return session`
			`}`

			`// Redirect to home page`
			`func (app AuthCookie) RedirectHome(res http.ResponseWriter, req http.Request) {`
Photoblog 1: auth from authcookie exercise 2017-07-29 09:22:34 +00:00			`http.Redirect(res, req, "/", http.StatusSeeOther)`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00
			`// ROUTES //`

			`// login: form`
			`func (app AuthCookie) LoginPage(res http.ResponseWriter, req http.Request) {`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`model := LoginModel{`
			`CsrfToken: csrf.Token(req),`
			`}`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`if req.Method == http.MethodPost {`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`model.Username = req.FormValue(USER)`
			`model.UsernameError = app.VerifyUsername(model.Username)`
			`model.PasswordError = app.VerifyPassword(model.Username, req.FormValue(PWD), res, req)`
			`if model.UsernameError == nil && model.PasswordError == nil {`
			`app.SaveUsername(model.Username, res, req)`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`app.RedirectHome(res, req)`
			`return`
			`}`
			`}`
Photoblog: CSRF protection 2017-07-30 09:05:20 +00:00			`app.Templates.ExecuteTemplate(res, "login.html", model)`
Photoblog: Refactoring 2017-07-29 17:22:11 +00:00			`}`

			`// logout: delete session and redirect to home`
			`func (app AuthCookie) LogoutPage(res http.ResponseWriter, req http.Request) {`
			`app.SaveUsername("", res, req)`
			`app.RedirectHome(res, req)`
			`}`