don't promote htpasswd auth; auth directly
This commit is contained in:
parent
c459806ab0
commit
4367e47a46
@ -150,7 +150,7 @@ func (p *OauthProxy) getUserInfo(token string) (string, error) {
|
|||||||
|
|
||||||
func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
|
func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
|
||||||
domain := strings.Split(req.Host, ":")[0]
|
domain := strings.Split(req.Host, ":")[0]
|
||||||
if *cookieDomain != "" {
|
if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
|
||||||
domain = *cookieDomain
|
domain = *cookieDomain
|
||||||
}
|
}
|
||||||
cookie := &http.Cookie{
|
cookie := &http.Cookie{
|
||||||
@ -167,7 +167,7 @@ func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
|
|||||||
func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val string) {
|
func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val string) {
|
||||||
|
|
||||||
domain := strings.Split(req.Host, ":")[0] // strip the port (if any)
|
domain := strings.Split(req.Host, ":")[0] // strip the port (if any)
|
||||||
if *cookieDomain != "" {
|
if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
|
||||||
domain = *cookieDomain
|
domain = *cookieDomain
|
||||||
}
|
}
|
||||||
cookie := &http.Cookie{
|
cookie := &http.Cookie{
|
||||||
@ -182,7 +182,6 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
|
|||||||
http.SetCookie(rw, cookie)
|
http.SetCookie(rw, cookie)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, message string) {
|
func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, message string) {
|
||||||
log.Printf("ErrorPage %d %s %s", code, title, message)
|
log.Printf("ErrorPage %d %s %s", code, title, message)
|
||||||
rw.WriteHeader(code)
|
rw.WriteHeader(code)
|
||||||
@ -202,14 +201,52 @@ func (p *OauthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
|
|||||||
p.ClearCookie(rw, req)
|
p.ClearCookie(rw, req)
|
||||||
rw.WriteHeader(code)
|
rw.WriteHeader(code)
|
||||||
templates := getTemplates()
|
templates := getTemplates()
|
||||||
t := struct{ SignInMessage string }{SignInMessage: p.SignInMessage}
|
|
||||||
|
t := struct{
|
||||||
|
SignInMessage string
|
||||||
|
Htpasswd bool
|
||||||
|
}{
|
||||||
|
SignInMessage: p.SignInMessage,
|
||||||
|
Htpasswd: p.HtpasswdFile != nil,
|
||||||
|
}
|
||||||
templates.ExecuteTemplate(rw, "sign_in.html", t)
|
templates.ExecuteTemplate(rw, "sign_in.html", t)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *OauthProxy) ManualSignIn(rw http.ResponseWriter, req *http.Request) (string, bool){
|
||||||
|
if req.Method != "POST" || p.HtpasswdFile == nil{
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
user := req.FormValue("username")
|
||||||
|
passwd := req.FormValue("password")
|
||||||
|
if user == "" {
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
// check auth
|
||||||
|
if p.HtpasswdFile.Validate(user, passwd) {
|
||||||
|
log.Printf("authenticated %s via manual sign in", user)
|
||||||
|
return user, true
|
||||||
|
}
|
||||||
|
return "", false
|
||||||
|
}
|
||||||
|
|
||||||
func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||||
// check if this is a redirect back at the end of oauth
|
// check if this is a redirect back at the end of oauth
|
||||||
|
remoteIP := req.Header.Get("X-Real-IP")
|
||||||
|
if remoteIP == "" {
|
||||||
|
remoteIP = req.RemoteAddr
|
||||||
|
}
|
||||||
|
log.Printf("%s %s %s", remoteIP, req.Method, req.URL.Path)
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
var user string
|
||||||
if req.URL.Path == signInPath {
|
if req.URL.Path == signInPath {
|
||||||
|
user, ok = p.ManualSignIn(rw, req)
|
||||||
|
if ok {
|
||||||
|
p.SetCookie(rw, req, user)
|
||||||
|
http.Redirect(rw, req, "/", 302)
|
||||||
|
} else {
|
||||||
p.SignInPage(rw, req, 200)
|
p.SignInPage(rw, req, 200)
|
||||||
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if req.URL.Path == oauthStartPath {
|
if req.URL.Path == oauthStartPath {
|
||||||
@ -260,20 +297,22 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !ok {
|
||||||
cookie, err := req.Cookie(p.CookieKey)
|
cookie, err := req.Cookie(p.CookieKey)
|
||||||
var ok bool
|
|
||||||
var email string
|
|
||||||
var user string
|
|
||||||
if err == nil {
|
if err == nil {
|
||||||
|
var email string
|
||||||
email, ok = validateCookie(cookie, p.CookieSeed)
|
email, ok = validateCookie(cookie, p.CookieSeed)
|
||||||
user = strings.Split(email, "@")[0]
|
user = strings.Split(email, "@")[0]
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if !ok {
|
if !ok {
|
||||||
user, ok = p.CheckBasicAuth(req)
|
user, ok = p.CheckBasicAuth(req)
|
||||||
if ok {
|
// if we want to promote basic auth requests to cookie'd requests, we could do that here
|
||||||
p.SetCookie(rw, req, user)
|
// not sure that would be ideal in all circumstances though
|
||||||
}
|
// if ok {
|
||||||
|
// p.SetCookie(rw, req, user)
|
||||||
|
// }
|
||||||
}
|
}
|
||||||
|
|
||||||
if !ok {
|
if !ok {
|
||||||
@ -308,6 +347,7 @@ func (p *OauthProxy) CheckBasicAuth(req *http.Request) (string, bool) {
|
|||||||
return "", false
|
return "", false
|
||||||
}
|
}
|
||||||
if p.HtpasswdFile.Validate(pair[0], pair[1]) {
|
if p.HtpasswdFile.Validate(pair[0], pair[1]) {
|
||||||
|
log.Printf("authenticated %s via basic auth", pair[0])
|
||||||
return pair[0], true
|
return pair[0], true
|
||||||
}
|
}
|
||||||
return "", false
|
return "", false
|
||||||
|
20
templates.go
20
templates.go
@ -7,20 +7,34 @@ import (
|
|||||||
|
|
||||||
func getTemplates() *template.Template {
|
func getTemplates() *template.Template {
|
||||||
t, err := template.New("foo").Parse(`{{define "sign_in.html"}}
|
t, err := template.New("foo").Parse(`{{define "sign_in.html"}}
|
||||||
<html><head><title>Sign In</title></head>
|
<!DOCTYPE html>
|
||||||
|
<html lang="en" charset="utf-8">
|
||||||
|
<head><title>Sign In</title></head>
|
||||||
<body>
|
<body>
|
||||||
<form method="GET" action="/oauth2/start">
|
<form method="GET" action="/oauth2/start">
|
||||||
<button type="submit">Sign In w/ Google</button>
|
<button type="submit">Sign In w/ Google</button>
|
||||||
{{.SignInMessage}}
|
{{.SignInMessage}}
|
||||||
</form>
|
</form>
|
||||||
</body></html>
|
{{ if .Htpasswd }}
|
||||||
|
<fieldset>
|
||||||
|
<form method="POST" action="/oauth2/sign_in">
|
||||||
|
<label>Username: <input type="text" name="username" size="10"></label><br/>
|
||||||
|
<label>Password: <input type="password" name="password" size="10"></label><br/>
|
||||||
|
<button type="submit">Sign In</button>
|
||||||
|
</form>
|
||||||
|
</fieldset>
|
||||||
|
{{ end }}
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
{{end}}`)
|
{{end}}`)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatalf("failed parsing template %s", err.Error())
|
log.Fatalf("failed parsing template %s", err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
t, err = t.Parse(`{{define "error.html"}}
|
t, err = t.Parse(`{{define "error.html"}}
|
||||||
<html><head><title>{{.Title}}</title></head>
|
<!DOCTYPE html>
|
||||||
|
<html lang="en" charset="utf-8">
|
||||||
|
<head><title>{{.Title}}</title></head>
|
||||||
<body>
|
<body>
|
||||||
<h2>{{.Title}}</h2>
|
<h2>{{.Title}}</h2>
|
||||||
<p>{{.Message}}</p>
|
<p>{{.Message}}</p>
|
||||||
|
Loading…
Reference in New Issue
Block a user