Improve authentication blueprint

This commit is contained in:
Tobie Morgan Hitchcock 2016-11-04 15:20:31 +00:00
parent b2d9873d32
commit 4452339bd1


@ -15,12 +15,16 @@
package web package web
import ( import (
"fmt"
"bytes" "bytes"
"encoding/base64" "encoding/base64"
"github.com/abcum/fibre" "github.com/abcum/fibre"
"github.com/abcum/surreal/cnf" "github.com/abcum/surreal/cnf"
"github.com/abcum/surreal/sql" "github.com/abcum/surreal/sql"
"github.com/dgrijalva/jwt-go"
) )
func auth() fibre.MiddlewareFunc { func auth() fibre.MiddlewareFunc {
@ -33,18 +37,25 @@ func auth() fibre.MiddlewareFunc {
conf := map[string]string{"NS": "", "DB": ""} conf := map[string]string{"NS": "", "DB": ""}
c.Set("conf", conf) c.Set("conf", conf)
// ------------------------------ // Start off with an authentication level
// Deny authentication // which prevents running any sql queries,
// ------------------------------ // and denies access to all data.
c.Set("kind", sql.AuthNO) c.Set("kind", sql.AuthNO)
// ------------------------------ // Check whether there is an Authorization
// Root authentication // header present, and if there is check
// ------------------------------ // whether it is a Basic Auth header.
// Retrieve the HTTP Authorization header
// from the request, and continue.
head := c.Request().Header().Get("Authorization") head := c.Request().Header().Get("Authorization")
// Check whether the Authorization header
// is a Basic Auth header, and if it is then
// process this as root authentication.
if head != "" && head[:5] == "Basic" { if head != "" && head[:5] == "Basic" {
base, err := base64.StdEncoding.DecodeString(head[6:]) base, err := base64.StdEncoding.DecodeString(head[6:])
@ -56,47 +67,75 @@ func auth() fibre.MiddlewareFunc {
cred := bytes.SplitN(base, []byte(":"), 2) cred := bytes.SplitN(base, []byte(":"), 2)
if len(cred) == 2 && bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) { if len(cred) == 2 && bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) {
// ------------------------------
// Root authentication
// ------------------------------
c.Set("kind", sql.AuthKV) c.Set("kind", sql.AuthKV)
auth["NS"] = "*" // Anything allowed auth["NS"] = "*" // Anything allowed
conf["NS"] = "" // Must specify conf["NS"] = "" // Must specify
auth["DB"] = "*" // Anything allowed auth["DB"] = "*" // Anything allowed
conf["DB"] = "" // Must specify conf["DB"] = "" // Must specify
return h(c) return h(c)
} }
} }
} }
// ------------------------------ // Check whether the Authorization header
// Namespace authentication // is a Bearer Auth header, and if it is then
// ------------------------------ // process this as default authentication.
// c.Set("kind", sql.AuthNS) if head != "" && head[:6] == "Bearer" {
// auth["NS"] = "SPECIFIED" // Not allowed to change
// conf["NS"] = "SPECIFIED" // Not allowed to change
// auth["DB"] = "*" // Anything allowed
// conf["DB"] = "" // Must specify
// ------------------------------ token, err := jwt.Parse(head[7:], func(token *jwt.Token) (interface{}, error) {
// Database authentication if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
// ------------------------------ return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return []byte(cnf.Settings.Auth.Token), nil
})
// c.Set("kind", sql.AuthDB) if err == nil && token.Valid {
// auth["NS"] = "SPECIFIED" // Not allowed to change
// conf["NS"] = "SPECIFIED" // Not allowed to change
// auth["DB"] = "SPECIFIED" // Not allowed to change
// conf["DB"] = "SPECIFIED" // Not allowed to change
// ------------------------------ // ------------------------------
// Scoped authentication // Namespace authentication
// ------------------------------ // ------------------------------
// c.Set("kind", sql.AuthTB) // c.Set("kind", sql.AuthNS)
// auth["NS"] = "SPECIFIED" // Not allowed to change // auth["NS"] = "SPECIFIED" // Not allowed to change
// conf["NS"] = "SPECIFIED" // Not allowed to change // conf["NS"] = "SPECIFIED" // Not allowed to change
// auth["DB"] = "SPECIFIED" // Not allowed to change // auth["DB"] = "*" // Anything allowed
// conf["DB"] = "SPECIFIED" // Not allowed to change // conf["DB"] = "" // Must specify
// ------------------------------
// Database authentication
// ------------------------------
// c.Set("kind", sql.AuthDB)
// auth["NS"] = "SPECIFIED" // Not allowed to change
// conf["NS"] = "SPECIFIED" // Not allowed to change
// auth["DB"] = "SPECIFIED" // Not allowed to change
// conf["DB"] = "SPECIFIED" // Not allowed to change
// ------------------------------
// Scoped authentication
// ------------------------------
// c.Set("kind", sql.AuthTB)
// auth["NS"] = "SPECIFIED" // Not allowed to change
// conf["NS"] = "SPECIFIED" // Not allowed to change
// auth["DB"] = "SPECIFIED" // Not allowed to change
// conf["DB"] = "SPECIFIED" // Not allowed to change
return h(c)
}
}
if c.Request().Header().Get("Upgrade") == "websocket" { if c.Request().Header().Get("Upgrade") == "websocket" {
return h(c) return h(c)
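Review bot: The new Bearer branch slices the header without a length check — `head[:6] == "Bearer"` and then `head[7:]` — so any request whose Authorization header is shorter than seven bytes panics the handler with an index-out-of-range before the middleware can reject it (the pre-existing `head[:5] == "Basic"` check has the same problem). Prefix tests should be length-safe: `if strings.HasPrefix(head, "Bearer ") {` and `token, err := jwt.Parse(strings.TrimPrefix(head, "Bearer "), func(token *jwt.Token) (interface{}, error) {`, with `"strings"` added to the import block in the first hunk. Separately, when the token validates the branch returns `h(c)` while `kind` is still `sql.AuthNO` from the top of the function, because every `c.Set("kind", …)` in the NS/DB/TB sections is commented out — presumably a placeholder for the blueprint, but a comment such as `// TODO: set kind, NS and DB from the token claims before calling h(c)` would make that explicit. The signing-method check against `*jwt.SigningMethodHMAC` is the right guard to keep; the body of auth() continues outside this hunk.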