mirror of https://github.com/jlelse/GoBlog
Login form with JWT
This commit is contained in:
parent
04d2079111
commit
74d02b00bd
|
@ -0,0 +1,111 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/dgrijalva/jwt-go"
|
||||
)
|
||||
|
||||
func checkCredentials(username, password string) bool {
|
||||
return username == appConfig.User.Nick && password == appConfig.User.Password
|
||||
}
|
||||
|
||||
func jwtKey() []byte {
|
||||
return []byte(appConfig.Server.JWTSecret)
|
||||
}
|
||||
|
||||
func authMiddleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
success := func() {
|
||||
if acceptLogin(w) {
|
||||
next.ServeHTTP(w, r)
|
||||
}
|
||||
}
|
||||
// 1. Check basic auth
|
||||
username, password, basicauth := r.BasicAuth()
|
||||
if basicauth && checkCredentials(username, password) {
|
||||
success()
|
||||
return
|
||||
}
|
||||
// 2. Check JWT
|
||||
if tokenCookie, err := r.Cookie("token"); err == nil {
|
||||
if tkn, err := jwt.Parse(tokenCookie.Value, func(t *jwt.Token) (interface{}, error) {
|
||||
return jwtKey(), nil
|
||||
}); err == nil && tkn.Valid {
|
||||
success()
|
||||
return
|
||||
}
|
||||
}
|
||||
// 3. Show login form
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
h, _ := json.Marshal(r.Header.Clone())
|
||||
b, _ := ioutil.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte
|
||||
_ = r.Body.Close()
|
||||
if len(b) == 0 {
|
||||
// Maybe it's a form
|
||||
_ = r.ParseForm()
|
||||
b = []byte(r.PostForm.Encode())
|
||||
}
|
||||
render(w, templateLogin, &renderData{
|
||||
Data: map[string]string{
|
||||
"loginmethod": r.Method,
|
||||
"loginheaders": base64.StdEncoding.EncodeToString(h),
|
||||
"loginbody": base64.StdEncoding.EncodeToString(b),
|
||||
},
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
func checkIsLogin(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
if !checkLogin(rw, r) {
|
||||
next.ServeHTTP(rw, r)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func checkLogin(w http.ResponseWriter, r *http.Request) bool {
|
||||
if r.Method == http.MethodPost &&
|
||||
r.Header.Get(contentType) == contentTypeWWWForm &&
|
||||
r.FormValue("loginaction") == "login" &&
|
||||
checkCredentials(r.FormValue("username"), r.FormValue("password")) {
|
||||
// Do original request
|
||||
loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody"))
|
||||
req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody))
|
||||
// Copy original headers
|
||||
loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders"))
|
||||
var headers http.Header
|
||||
json.Unmarshal(loginheaders, &headers)
|
||||
for k, v := range headers {
|
||||
req.Header[k] = v
|
||||
}
|
||||
// Set basic auth
|
||||
req.SetBasicAuth(r.FormValue("username"), r.FormValue("password"))
|
||||
// Serve original request
|
||||
d.ServeHTTP(w, req)
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func acceptLogin(w http.ResponseWriter) bool {
|
||||
expiration := time.Now().Add(7 * 24 * time.Hour)
|
||||
tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, &jwt.StandardClaims{ExpiresAt: expiration.Unix()}).SignedString(jwtKey())
|
||||
if err != nil {
|
||||
http.Error(w, "failed to sign JWT", http.StatusInternalServerError)
|
||||
return false
|
||||
}
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "token",
|
||||
Value: tokenString,
|
||||
Expires: expiration,
|
||||
Secure: true,
|
||||
HttpOnly: true,
|
||||
})
|
||||
return true
|
||||
}
|
|
@ -31,6 +31,7 @@ type configServer struct {
|
|||
PublicAddress string `mapstructure:"publicAddress"`
|
||||
PublicHTTPS bool `mapstructure:"publicHttps"`
|
||||
LetsEncryptMail string `mapstructure:"letsEncryptMail"`
|
||||
JWTSecret string `mapstructure:"jwtSecret"`
|
||||
}
|
||||
|
||||
type configDb struct {
|
||||
|
@ -212,6 +213,9 @@ func initConfig() error {
|
|||
if appConfig.Server.Domain == "" {
|
||||
return errors.New("no domain configured")
|
||||
}
|
||||
if appConfig.Server.JWTSecret == "" {
|
||||
return errors.New("no JWT secret configured")
|
||||
}
|
||||
if len(appConfig.Blogs) == 0 {
|
||||
return errors.New("no blog configured")
|
||||
}
|
||||
|
|
3
go.mod
3
go.mod
|
@ -9,6 +9,7 @@ require (
|
|||
github.com/araddon/dateparse v0.0.0-20201001162425-8aadafed4dc4
|
||||
github.com/caddyserver/certmagic v0.12.0
|
||||
github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 // indirect
|
||||
github.com/dgrijalva/jwt-go v3.2.0+incompatible
|
||||
github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect
|
||||
github.com/go-chi/chi v4.1.2+incompatible
|
||||
github.com/go-fed/httpsig v1.0.1-0.20200711113112-812070f75b67
|
||||
|
@ -59,7 +60,7 @@ require (
|
|||
golang.org/x/mod v0.4.0 // indirect
|
||||
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 // indirect
|
||||
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
|
||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b // indirect
|
||||
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e // indirect
|
||||
golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
|
||||
golang.org/x/text v0.3.4 // indirect
|
||||
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 // indirect
|
||||
|
|
4
go.sum
4
go.sum
|
@ -458,8 +458,8 @@ golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c h1:UIcGWL6/wpCfyGuJnRFJRurA+
|
|||
golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b h1:tv7/y4pd+sR8bcNb2D6o7BNU6zjWm0VjQLac+w7fNNM=
|
||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e h1:AyodaIpKjppX+cBfTASF2E1US3H2JFBj920Ot3rtDjs=
|
||||
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
|
||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
|
|
8
http.go
8
http.go
|
@ -33,15 +33,10 @@ const (
|
|||
)
|
||||
|
||||
var (
|
||||
d *dynamicHandler
|
||||
authMiddleware func(next http.Handler) http.Handler
|
||||
d *dynamicHandler
|
||||
)
|
||||
|
||||
func startServer() (err error) {
|
||||
// Init
|
||||
authMiddleware = middleware.BasicAuth("", map[string]string{
|
||||
appConfig.User.Nick: appConfig.User.Password,
|
||||
})
|
||||
// Start
|
||||
d = &dynamicHandler{}
|
||||
err = reloadRouter()
|
||||
|
@ -85,6 +80,7 @@ func buildHandler() (http.Handler, error) {
|
|||
if !appConfig.Cache.Enable {
|
||||
r.Use(middleware.NoCache)
|
||||
}
|
||||
r.Use(checkIsLogin)
|
||||
|
||||
// Profiler
|
||||
if appConfig.Server.Debug {
|
||||
|
|
|
@ -31,6 +31,7 @@ const templateSearch = "search"
|
|||
const templateSummary = "summary"
|
||||
const templatePhotosSummary = "photosummary"
|
||||
const templateEditor = "editor"
|
||||
const templateLogin = "login"
|
||||
|
||||
var templates map[string]*template.Template
|
||||
var templateFunctions template.FuncMap
|
||||
|
|
|
@ -127,7 +127,7 @@ footer * {
|
|||
display: none;
|
||||
}
|
||||
|
||||
.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form textarea {
|
||||
.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form input[type=password], .fw-form textarea {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ form input, form textarea {
|
|||
.fw-form {
|
||||
@extend .fw;
|
||||
|
||||
input:not([type]), input[type="text"], input[type="email"], input[type="url"], textarea {
|
||||
input:not([type]), input[type="text"], input[type="email"], input[type="url"], input[type="password"], textarea {
|
||||
@extend .fw;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
{{ define "title" }}
|
||||
<title>{{ string .Blog.Lang "editor" }} - {{ .Blog.Title }}</title>
|
||||
{{ end }}
|
||||
|
||||
{{ define "main" }}
|
||||
<main>
|
||||
<h1>{{ string .Blog.Lang "login" }}</h1>
|
||||
<form class="fw-form p" method="post">
|
||||
<input type="hidden" name="loginaction" value="login">
|
||||
<input type="hidden" name="loginmethod" value="{{ .Data.loginmethod }}">
|
||||
<input type="hidden" name="loginheaders" value="{{ .Data.loginheaders }}">
|
||||
<input type="hidden" name="loginbody" value="{{ .Data.loginbody }}">
|
||||
<input type="text" name="username" placeholder="{{ string .Blog.Lang "username" }}">
|
||||
<input type="password" name="password" placeholder="{{ string .Blog.Lang "password" }}">
|
||||
<input class="fw" type="submit" value="{{ string .Blog.Lang "login" }}">
|
||||
</form>
|
||||
</main>
|
||||
{{ end }}
|
||||
|
||||
{{ define "login" }}
|
||||
{{ template "base" . }}
|
||||
{{ end }}
|
|
@ -26,4 +26,7 @@ search: "Search"
|
|||
editor: "Editor"
|
||||
create: "Create"
|
||||
update: "Update"
|
||||
upload: "Upload"
|
||||
upload: "Upload"
|
||||
login: "Login"
|
||||
username: "Username"
|
||||
password: "Password"
|
Loading…
Reference in New Issue