GoBlog/authentication.go

package main

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"io"
	"net/http"
	"time"

	"github.com/dgrijalva/jwt-go"
)

func checkCredentials(username, password string) bool {
	return username == appConfig.User.Nick && password == appConfig.User.Password
}

func checkUsername(username string) bool {
	return username == appConfig.User.Nick
}

func jwtKey() []byte {
	return []byte(appConfig.Server.JWTSecret)
}

func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Check if already logged in
		if loggedIn, ok := r.Context().Value(loggedInKey).(bool); ok && loggedIn {
			next.ServeHTTP(w, r)
			return
		}
		// 1. Check BasicAuth
		if username, password, ok := r.BasicAuth(); ok && checkCredentials(username, password) {
			next.ServeHTTP(w, r)
			return
		}
		// 2. Check JWT
		if checkAuthToken(r) {
			next.ServeHTTP(w, r)
			return
		}
		// 3. Show login form
		w.WriteHeader(http.StatusUnauthorized)
		h, _ := json.Marshal(r.Header.Clone())
		b, _ := io.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte
		_ = r.Body.Close()
		if len(b) == 0 {
			// Maybe it's a form
			_ = r.ParseForm()
			b = []byte(r.PostForm.Encode())
		}
		render(w, r, templateLogin, &renderData{
			Data: map[string]string{
				"loginmethod":  r.Method,
				"loginheaders": base64.StdEncoding.EncodeToString(h),
				"loginbody":    base64.StdEncoding.EncodeToString(b),
			},
		})
	})
}

func checkAuthToken(r *http.Request) bool {
	if tokenCookie, err := r.Cookie("token"); err == nil {
		claims := &authClaims{}
		if tkn, err := jwt.ParseWithClaims(tokenCookie.Value, claims, func(t *jwt.Token) (interface{}, error) {
			return jwtKey(), nil
		}); err == nil && tkn.Valid &&
			claims.TokenType == "login" &&
			checkUsername(claims.Username) {
			return true
		}
	}
	return false
}

const loggedInKey requestContextKey = "loggedIn"

func checkLoggedIn(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		if checkAuthToken(r) {
			next.ServeHTTP(rw, r.WithContext(context.WithValue(r.Context(), loggedInKey, true)))
			return
		}
		next.ServeHTTP(rw, r)
	})
}

func checkIsLogin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		if !checkLogin(rw, r) {
			next.ServeHTTP(rw, r)
		}
	})
}

func checkLogin(w http.ResponseWriter, r *http.Request) bool {
	if r.Method != http.MethodPost {
		return false
	}
	if r.Header.Get(contentType) != contentTypeWWWForm {
		return false
	}
	if r.FormValue("loginaction") != "login" {
		return false
	}
	// Do original request
	loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody"))
	req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody))
	// Copy original headers
	loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders"))
	var headers http.Header
	_ = json.Unmarshal(loginheaders, &headers)
	for k, v := range headers {
		req.Header[k] = v
	}
	// Check credential
	if checkCredentials(r.FormValue("username"), r.FormValue("password")) {
		tokenCookie, err := createTokenCookie(r.FormValue("username"))
		if err != nil {
			serveError(w, r, err.Error(), http.StatusInternalServerError)
			return true
		}
		// Add cookie to original request
		req.AddCookie(tokenCookie)
		// Send cookie
		http.SetCookie(w, tokenCookie)
	}
	// Serve original request
	d.ServeHTTP(w, req)
	return true
}

type authClaims struct {
	*jwt.StandardClaims
	TokenType string
	Username  string
}

func createTokenCookie(username string) (*http.Cookie, error) {
	expiration := time.Now().Add(7 * 24 * time.Hour)
	tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, &authClaims{
		&jwt.StandardClaims{ExpiresAt: expiration.Unix()},
		"login",
		username,
	}).SignedString(jwtKey())
	if err != nil {
		return nil, err
	}
	return &http.Cookie{
		Name:     "token",
		Value:    tokenString,
		Expires:  expiration,
		Secure:   httpsConfigured(),
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}, nil
}
Login form with JWT 2020-12-15 16:40:14 +00:00			`package main`

			`import (`
			`"bytes"`
Show admin links when logged in 2021-02-20 22:35:16 +00:00			`"context"`
Login form with JWT 2020-12-15 16:40:14 +00:00			`"encoding/base64"`
Update + get rid of a few dependencies 2021-01-21 16:59:47 +00:00			`"encoding/json"`
Login form with JWT 2020-12-15 16:40:14 +00:00			`"io"`
			`"net/http"`
			`"time"`

			`"github.com/dgrijalva/jwt-go"`
			`)`

			`func checkCredentials(username, password string) bool {`
			`return username == appConfig.User.Nick && password == appConfig.User.Password`
			`}`

Make authentication and captcha more secure 2021-02-06 21:53:56 +00:00			`func checkUsername(username string) bool {`
			`return username == appConfig.User.Nick`
			`}`

Login form with JWT 2020-12-15 16:40:14 +00:00			`func jwtKey() []byte {`
			`return []byte(appConfig.Server.JWTSecret)`
			`}`

			`func authMiddleware(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Show admin links when logged in 2021-02-20 22:35:16 +00:00			`// Check if already logged in`
			`if loggedIn, ok := r.Context().Value(loggedInKey).(bool); ok && loggedIn {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
Make authentication and captcha more secure 2021-02-06 21:53:56 +00:00			`// 1. Check BasicAuth`
			`if username, password, ok := r.BasicAuth(); ok && checkCredentials(username, password) {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`// 2. Check JWT`
Show admin links when logged in 2021-02-20 22:35:16 +00:00			`if checkAuthToken(r) {`
			`next.ServeHTTP(w, r)`
			`return`
Login form with JWT 2020-12-15 16:40:14 +00:00			`}`
Make authentication and captcha more secure 2021-02-06 21:53:56 +00:00			`// 3. Show login form`
Login form with JWT 2020-12-15 16:40:14 +00:00			`w.WriteHeader(http.StatusUnauthorized)`
			`h, _ := json.Marshal(r.Header.Clone())`
Go 1.16 2021-02-17 07:23:03 +00:00			`b, _ := io.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte`
Login form with JWT 2020-12-15 16:40:14 +00:00			`_ = r.Body.Close()`
			`if len(b) == 0 {`
			`// Maybe it's a form`
			`_ = r.ParseForm()`
			`b = []byte(r.PostForm.Encode())`
			`}`
Show admin links when logged in 2021-02-20 22:35:16 +00:00			`render(w, r, templateLogin, &renderData{`
Login form with JWT 2020-12-15 16:40:14 +00:00			`Data: map[string]string{`
			`"loginmethod": r.Method,`
			`"loginheaders": base64.StdEncoding.EncodeToString(h),`
			`"loginbody": base64.StdEncoding.EncodeToString(b),`
			`},`
			`})`
			`})`
			`}`

Show admin links when logged in 2021-02-20 22:35:16 +00:00			`func checkAuthToken(r *http.Request) bool {`
			`if tokenCookie, err := r.Cookie("token"); err == nil {`
			`claims := &authClaims{}`
			`if tkn, err := jwt.ParseWithClaims(tokenCookie.Value, claims, func(t *jwt.Token) (interface{}, error) {`
			`return jwtKey(), nil`
			`}); err == nil && tkn.Valid &&`
			`claims.TokenType == "login" &&`
			`checkUsername(claims.Username) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`const loggedInKey requestContextKey = "loggedIn"`

			`func checkLoggedIn(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
			`if checkAuthToken(r) {`
			`next.ServeHTTP(rw, r.WithContext(context.WithValue(r.Context(), loggedInKey, true)))`
			`return`
			`}`
			`next.ServeHTTP(rw, r)`
			`})`
			`}`

Login form with JWT 2020-12-15 16:40:14 +00:00			`func checkIsLogin(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
			`if !checkLogin(rw, r) {`
			`next.ServeHTTP(rw, r)`
			`}`
			`})`
			`}`

			`func checkLogin(w http.ResponseWriter, r *http.Request) bool {`
Small things 2021-02-24 12:16:33 +00:00			`if r.Method != http.MethodPost {`
			`return false`
			`}`
			`if r.Header.Get(contentType) != contentTypeWWWForm {`
			`return false`
			`}`
			`if r.FormValue("loginaction") != "login" {`
			`return false`
			`}`
			`// Do original request`
			`loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody"))`
			`req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody))`
			`// Copy original headers`
			`loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders"))`
			`var headers http.Header`
			`_ = json.Unmarshal(loginheaders, &headers)`
			`for k, v := range headers {`
			`req.Header[k] = v`
			`}`
			`// Check credential`
			`if checkCredentials(r.FormValue("username"), r.FormValue("password")) {`
			`tokenCookie, err := createTokenCookie(r.FormValue("username"))`
			`if err != nil {`
			`serveError(w, r, err.Error(), http.StatusInternalServerError)`
			`return true`
Add comment functionality 2021-01-23 16:24:47 +00:00			`}`
Small things 2021-02-24 12:16:33 +00:00			`// Add cookie to original request`
			`req.AddCookie(tokenCookie)`
			`// Send cookie`
			`http.SetCookie(w, tokenCookie)`
Login form with JWT 2020-12-15 16:40:14 +00:00			`}`
Small things 2021-02-24 12:16:33 +00:00			`// Serve original request`
			`d.ServeHTTP(w, req)`
			`return true`
Login form with JWT 2020-12-15 16:40:14 +00:00			`}`

Make authentication and captcha more secure 2021-02-06 21:53:56 +00:00			`type authClaims struct {`
			`*jwt.StandardClaims`
			`TokenType string`
			`Username string`
			`}`

			`func createTokenCookie(username string) (*http.Cookie, error) {`
Login form with JWT 2020-12-15 16:40:14 +00:00			`expiration := time.Now().Add(7 * 24 * time.Hour)`
Make authentication and captcha more secure 2021-02-06 21:53:56 +00:00			`tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, &authClaims{`
			`&jwt.StandardClaims{ExpiresAt: expiration.Unix()},`
			`"login",`
			`username,`
			`}).SignedString(jwtKey())`
Login form with JWT 2020-12-15 16:40:14 +00:00			`if err != nil {`
Add comment functionality 2021-01-23 16:24:47 +00:00			`return nil, err`
Login form with JWT 2020-12-15 16:40:14 +00:00			`}`
Add comment functionality 2021-01-23 16:24:47 +00:00			`return &http.Cookie{`
Login form with JWT 2020-12-15 16:40:14 +00:00			`Name: "token",`
			`Value: tokenString,`
			`Expires: expiration,`
Fix cookies for auth and captcha 2021-02-20 21:45:38 +00:00			`Secure: httpsConfigured(),`
Login form with JWT 2020-12-15 16:40:14 +00:00			`HttpOnly: true,`
Fix cookies for auth and captcha 2021-02-20 21:45:38 +00:00			`SameSite: http.SameSiteLaxMode,`
Add comment functionality 2021-01-23 16:24:47 +00:00			`}, nil`
Login form with JWT 2020-12-15 16:40:14 +00:00			`}`