Improve authentication blueprint
This commit is contained in:
Tobie Morgan Hitchcock
parent
b2d9873d32
commit
4452339bd1
1 changed files with 69 additions and 30 deletions
99
web/auth.go
99
web/auth.go
|
|
@ -15,12 +15,16 @@
|
|||
package web
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
|
||||
"github.com/abcum/fibre"
|
||||
"github.com/abcum/surreal/cnf"
|
||||
"github.com/abcum/surreal/sql"
|
||||
|
||||
"github.com/dgrijalva/jwt-go"
|
||||
)
|
||||
|
||||
func auth() fibre.MiddlewareFunc {
|
||||
|
|
@ -33,18 +37,25 @@ func auth() fibre.MiddlewareFunc {
|
|||
conf := map[string]string{"NS": "", "DB": ""}
|
||||
c.Set("conf", conf)
|
||||
|
||||
// ------------------------------
|
||||
// Deny authentication
|
||||
// ------------------------------
|
||||
// Start off with an authentication level
|
||||
// which prevents running any sql queries,
|
||||
// and denies access to all data.
|
||||
|
||||
c.Set("kind", sql.AuthNO)
|
||||
|
||||
// ------------------------------
|
||||
// Root authentication
|
||||
// ------------------------------
|
||||
// Check whether there is an Authorization
|
||||
// header present, and if there is check
|
||||
// whether it is a Basic Auth header.
|
||||
|
||||
// Retrieve the HTTP Authorization header
|
||||
// from the request, and continue.
|
||||
|
||||
head := c.Request().Header().Get("Authorization")
|
||||
|
||||
// Check whether the Authorization header
|
||||
// is a Basic Auth header, and if it is then
|
||||
// process this as root authentication.
|
||||
|
||||
if head != "" && head[:5] == "Basic" {
|
||||
|
||||
base, err := base64.StdEncoding.DecodeString(head[6:])
|
||||
|
|
@ -56,47 +67,75 @@ func auth() fibre.MiddlewareFunc {
|
|||
cred := bytes.SplitN(base, []byte(":"), 2)
|
||||
|
||||
if len(cred) == 2 && bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) {
|
||||
|
||||
// ------------------------------
|
||||
// Root authentication
|
||||
// ------------------------------
|
||||
|
||||
c.Set("kind", sql.AuthKV)
|
||||
auth["NS"] = "*" // Anything allowed
|
||||
conf["NS"] = "" // Must specify
|
||||
auth["DB"] = "*" // Anything allowed
|
||||
conf["DB"] = "" // Must specify
|
||||
|
||||
return h(c)
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// ------------------------------
|
||||
// Namespace authentication
|
||||
// ------------------------------
|
||||
// Check whether the Authorization header
|
||||
// is a Bearer Auth header, and if it is then
|
||||
// process this as default authentication.
|
||||
|
||||
// c.Set("kind", sql.AuthNS)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "*" // Anything allowed
|
||||
// conf["DB"] = "" // Must specify
|
||||
if head != "" && head[:6] == "Bearer" {
|
||||
|
||||
// ------------------------------
|
||||
// Database authentication
|
||||
// ------------------------------
|
||||
token, err := jwt.Parse(head[7:], func(token *jwt.Token) (interface{}, error) {
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
return []byte(cnf.Settings.Auth.Token), nil
|
||||
})
|
||||
|
||||
// c.Set("kind", sql.AuthDB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
if err == nil && token.Valid {
|
||||
|
||||
// ------------------------------
|
||||
// Scoped authentication
|
||||
// ------------------------------
|
||||
// ------------------------------
|
||||
// Namespace authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthTB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// c.Set("kind", sql.AuthNS)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "*" // Anything allowed
|
||||
// conf["DB"] = "" // Must specify
|
||||
|
||||
// ------------------------------
|
||||
// Database authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthDB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
|
||||
// ------------------------------
|
||||
// Scoped authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthTB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
|
||||
return h(c)
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if c.Request().Header().Get("Upgrade") == "websocket" {
|
||||
return h(c)
|
||||
|
|
|
|||
Loading…
Reference in a new issue