Login form with JWT

2020-12-15 17:40:14 +01:00 · 2020-12-15 17:40:14 +01:00 · 74d02b00bd
parent 04d2079111
commit 74d02b00bd
10 changed files with 150 additions and 12 deletions
--- a/authentication.go
+++ b/authentication.go
@ -0,0 +1,111 @@
+package main
+
+import (
+	"bytes"
+	"encoding/base64"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+func checkCredentials(username, password string) bool {
+	return username == appConfig.User.Nick && password == appConfig.User.Password
+}
+
+func jwtKey() []byte {
+	return []byte(appConfig.Server.JWTSecret)
+}
+
+func authMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		success := func() {
+			if acceptLogin(w) {
+				next.ServeHTTP(w, r)
+			}
+		}
+		// 1. Check basic auth
+		username, password, basicauth := r.BasicAuth()
+		if basicauth && checkCredentials(username, password) {
+			success()
+			return
+		}
+		// 2. Check JWT
+		if tokenCookie, err := r.Cookie("token"); err == nil {
+			if tkn, err := jwt.Parse(tokenCookie.Value, func(t *jwt.Token) (interface{}, error) {
+				return jwtKey(), nil
+			}); err == nil && tkn.Valid {
+				success()
+				return
+			}
+		}
+		// 3. Show login form
+		w.WriteHeader(http.StatusUnauthorized)
+		h, _ := json.Marshal(r.Header.Clone())
+		b, _ := ioutil.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte
+		_ = r.Body.Close()
+		if len(b) == 0 {
+			// Maybe it's a form
+			_ = r.ParseForm()
+			b = []byte(r.PostForm.Encode())
+		}
+		render(w, templateLogin, &renderData{
+			Data: map[string]string{
+				"loginmethod":  r.Method,
+				"loginheaders": base64.StdEncoding.EncodeToString(h),
+				"loginbody":    base64.StdEncoding.EncodeToString(b),
+			},
+		})
+	})
+}
+
+func checkIsLogin(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		if !checkLogin(rw, r) {
+			next.ServeHTTP(rw, r)
+		}
+	})
+}
+
+func checkLogin(w http.ResponseWriter, r *http.Request) bool {
+	if r.Method == http.MethodPost &&
+		r.Header.Get(contentType) == contentTypeWWWForm &&
+		r.FormValue("loginaction") == "login" &&
+		checkCredentials(r.FormValue("username"), r.FormValue("password")) {
+		// Do original request
+		loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody"))
+		req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody))
+		// Copy original headers
+		loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders"))
+		var headers http.Header
+		json.Unmarshal(loginheaders, &headers)
+		for k, v := range headers {
+			req.Header[k] = v
+		}
+		// Set basic auth
+		req.SetBasicAuth(r.FormValue("username"), r.FormValue("password"))
+		// Serve original request
+		d.ServeHTTP(w, req)
+		return true
+	}
+	return false
+}
+
+func acceptLogin(w http.ResponseWriter) bool {
+	expiration := time.Now().Add(7 * 24 * time.Hour)
+	tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, &jwt.StandardClaims{ExpiresAt: expiration.Unix()}).SignedString(jwtKey())
+	if err != nil {
+		http.Error(w, "failed to sign JWT", http.StatusInternalServerError)
+		return false
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "token",
+		Value:    tokenString,
+		Expires:  expiration,
+		Secure:   true,
+		HttpOnly: true,
+	})
+	return true
+}
--- a/config.go
+++ b/config.go
@ -31,6 +31,7 @@ type configServer struct {
 	PublicAddress   string `mapstructure:"publicAddress"`
 	PublicHTTPS     bool   `mapstructure:"publicHttps"`
 	LetsEncryptMail string `mapstructure:"letsEncryptMail"`
+	JWTSecret       string `mapstructure:"jwtSecret"`
 }

 type configDb struct {
@ -212,6 +213,9 @@ func initConfig() error {
 	if appConfig.Server.Domain == "" {
 		return errors.New("no domain configured")
 	}
+	if appConfig.Server.JWTSecret == "" {
+		return errors.New("no JWT secret configured")
+	}
 	if len(appConfig.Blogs) == 0 {
 		return errors.New("no blog configured")
 	}
--- a/go.mod
+++ b/go.mod
@ -9,6 +9,7 @@ require (
 	github.com/araddon/dateparse v0.0.0-20201001162425-8aadafed4dc4
 	github.com/caddyserver/certmagic v0.12.0
 	github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-fed/httpsig v1.0.1-0.20200711113112-812070f75b67
@ -59,7 +60,7 @@ require (
 	golang.org/x/mod v0.4.0 // indirect
 	golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 // indirect
 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
-	golang.org/x/sys v0.0.0-20201214095126-aec9a390925b // indirect
+	golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e // indirect
 	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
 	golang.org/x/text v0.3.4 // indirect
 	golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 // indirect
--- a/go.sum
+++ b/go.sum
@ -458,8 +458,8 @@ golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c h1:UIcGWL6/wpCfyGuJnRFJRurA+
 golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201214095126-aec9a390925b h1:tv7/y4pd+sR8bcNb2D6o7BNU6zjWm0VjQLac+w7fNNM=
-golang.org/x/sys v0.0.0-20201214095126-aec9a390925b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e h1:AyodaIpKjppX+cBfTASF2E1US3H2JFBj920Ot3rtDjs=
+golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
--- a/http.go
+++ b/http.go
@ -33,15 +33,10 @@ const (
 )

 var (
-	d              *dynamicHandler
-	authMiddleware func(next http.Handler) http.Handler
+	d *dynamicHandler
 )

 func startServer() (err error) {
-	// Init
-	authMiddleware = middleware.BasicAuth("", map[string]string{
-		appConfig.User.Nick: appConfig.User.Password,
-	})
 	// Start
 	d = &dynamicHandler{}
 	err = reloadRouter()
@ -85,6 +80,7 @@ func buildHandler() (http.Handler, error) {
 	if !appConfig.Cache.Enable {
 		r.Use(middleware.NoCache)
 	}
+	r.Use(checkIsLogin)

 	// Profiler
 	if appConfig.Server.Debug {
--- a/render.go
+++ b/render.go
@ -31,6 +31,7 @@ const templateSearch = "search"
 const templateSummary = "summary"
 const templatePhotosSummary = "photosummary"
 const templateEditor = "editor"
+const templateLogin = "login"

 var templates map[string]*template.Template
 var templateFunctions template.FuncMap
--- a/templates/assets/css/styles.css
+++ b/templates/assets/css/styles.css
@ -127,7 +127,7 @@ footer * {
  display: none;
 }

-.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form textarea {
+.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form input[type=password], .fw-form textarea {
  width: 100%;
 }

--- a/templates/assets/css/styles.scss
+++ b/templates/assets/css/styles.scss
@ -92,7 +92,7 @@ form input, form textarea {
 .fw-form {
  @extend .fw;

-  input:not([type]), input[type="text"], input[type="email"], input[type="url"], textarea {
+  input:not([type]), input[type="text"], input[type="email"], input[type="url"], input[type="password"], textarea {
    @extend .fw;
  }
 }
--- a/templates/login.gohtml
+++ b/templates/login.gohtml
@ -0,0 +1,22 @@
+{{ define "title" }}
+  <title>{{ string .Blog.Lang "editor" }} - {{ .Blog.Title }}</title>
+{{ end }}
+
+{{ define "main" }}
+  <main>
+    <h1>{{ string .Blog.Lang "login" }}</h1>
+    <form class="fw-form p" method="post">
+      <input type="hidden" name="loginaction" value="login">
+      <input type="hidden" name="loginmethod" value="{{ .Data.loginmethod }}">
+      <input type="hidden" name="loginheaders" value="{{ .Data.loginheaders }}">
+      <input type="hidden" name="loginbody" value="{{ .Data.loginbody }}">
+      <input type="text" name="username" placeholder="{{ string .Blog.Lang "username" }}">
+      <input type="password" name="password" placeholder="{{ string .Blog.Lang "password" }}">
+      <input class="fw" type="submit" value="{{ string .Blog.Lang "login" }}">
+    </form>
+  </main>
+{{ end }}
+
+{{ define "login" }}
+    {{ template "base" . }}
+{{ end }}
--- a/templates/strings/default.yaml
+++ b/templates/strings/default.yaml
@ -26,4 +26,7 @@ search: "Search"
 editor: "Editor"
 create: "Create"
 update: "Update"
-upload: "Upload"
+upload: "Upload"
+login: "Login"
+username: "Username"
+password: "Password"