98 lines
2.6 KiB
Go
98 lines
2.6 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
const (
|
|
authCookieName = "datascape_auth"
|
|
authCookieMaxAge = 10 * 365 * 24 * 3600
|
|
)
|
|
|
|
// loadOrCreateAuthKey returns a stable 32-byte HMAC key persisted in the wiki
|
|
// root as `.auth-key`. A stable key means sessions survive restarts.
|
|
func loadOrCreateAuthKey(wikiDir string) ([]byte, error) {
|
|
p := filepath.Join(wikiDir, ".auth-key")
|
|
if data, err := os.ReadFile(p); err == nil && len(data) >= 32 {
|
|
return data, nil
|
|
}
|
|
key := make([]byte, 32)
|
|
if _, err := rand.Read(key); err != nil {
|
|
return nil, err
|
|
}
|
|
if err := os.WriteFile(p, key, 0600); err != nil {
|
|
return nil, err
|
|
}
|
|
return key, nil
|
|
}
|
|
|
|
func signAuth(key []byte) string {
|
|
payload := strconv.FormatInt(time.Now().Unix(), 10)
|
|
mac := hmac.New(sha256.New, key)
|
|
mac.Write([]byte(payload))
|
|
sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
|
|
return payload + "." + sig
|
|
}
|
|
|
|
func verifyAuth(key []byte, value string) bool {
|
|
i := strings.IndexByte(value, '.')
|
|
if i <= 0 {
|
|
return false
|
|
}
|
|
payload, sig := value[:i], value[i+1:]
|
|
mac := hmac.New(sha256.New, key)
|
|
mac.Write([]byte(payload))
|
|
expected := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
|
|
return hmac.Equal([]byte(sig), []byte(expected))
|
|
}
|
|
|
|
// checkAuth returns true if the request is authenticated. It accepts either a
|
|
// valid signed cookie or HTTP Basic credentials; on successful basic auth it
|
|
// issues a long-lived cookie so the browser stops re-prompting.
|
|
func (h *handler) checkAuth(w http.ResponseWriter, r *http.Request) bool {
|
|
if h.user == "" {
|
|
return true
|
|
}
|
|
if c, err := r.Cookie(authCookieName); err == nil && verifyAuth(h.authKey, c.Value) {
|
|
return true
|
|
}
|
|
u, p, ok := r.BasicAuth()
|
|
if !ok || u != h.user || p != h.pass {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="datascape"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
return false
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: authCookieName,
|
|
Value: signAuth(h.authKey),
|
|
Path: "/",
|
|
MaxAge: authCookieMaxAge,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
return true
|
|
}
|
|
|
|
// handleLogout clears the session cookie and forces a fresh basic-auth prompt.
|
|
func (h *handler) handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: authCookieName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="datascape"`)
|
|
http.Error(w, "Logged out", http.StatusUnauthorized)
|
|
}
|