mirror of https://github.com/jlelse/GoBlog
Login form with JWT
This commit is contained in:
parent
04d2079111
commit
74d02b00bd
|
@ -0,0 +1,111 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"encoding/base64"
|
||||||
|
"io"
|
||||||
|
"io/ioutil"
|
||||||
|
"net/http"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/dgrijalva/jwt-go"
|
||||||
|
)
|
||||||
|
|
||||||
|
func checkCredentials(username, password string) bool {
|
||||||
|
return username == appConfig.User.Nick && password == appConfig.User.Password
|
||||||
|
}
|
||||||
|
|
||||||
|
func jwtKey() []byte {
|
||||||
|
return []byte(appConfig.Server.JWTSecret)
|
||||||
|
}
|
||||||
|
|
||||||
|
func authMiddleware(next http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
success := func() {
|
||||||
|
if acceptLogin(w) {
|
||||||
|
next.ServeHTTP(w, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// 1. Check basic auth
|
||||||
|
username, password, basicauth := r.BasicAuth()
|
||||||
|
if basicauth && checkCredentials(username, password) {
|
||||||
|
success()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
// 2. Check JWT
|
||||||
|
if tokenCookie, err := r.Cookie("token"); err == nil {
|
||||||
|
if tkn, err := jwt.Parse(tokenCookie.Value, func(t *jwt.Token) (interface{}, error) {
|
||||||
|
return jwtKey(), nil
|
||||||
|
}); err == nil && tkn.Valid {
|
||||||
|
success()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// 3. Show login form
|
||||||
|
w.WriteHeader(http.StatusUnauthorized)
|
||||||
|
h, _ := json.Marshal(r.Header.Clone())
|
||||||
|
b, _ := ioutil.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte
|
||||||
|
_ = r.Body.Close()
|
||||||
|
if len(b) == 0 {
|
||||||
|
// Maybe it's a form
|
||||||
|
_ = r.ParseForm()
|
||||||
|
b = []byte(r.PostForm.Encode())
|
||||||
|
}
|
||||||
|
render(w, templateLogin, &renderData{
|
||||||
|
Data: map[string]string{
|
||||||
|
"loginmethod": r.Method,
|
||||||
|
"loginheaders": base64.StdEncoding.EncodeToString(h),
|
||||||
|
"loginbody": base64.StdEncoding.EncodeToString(b),
|
||||||
|
},
|
||||||
|
})
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkIsLogin(next http.Handler) http.Handler {
|
||||||
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
if !checkLogin(rw, r) {
|
||||||
|
next.ServeHTTP(rw, r)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
func checkLogin(w http.ResponseWriter, r *http.Request) bool {
|
||||||
|
if r.Method == http.MethodPost &&
|
||||||
|
r.Header.Get(contentType) == contentTypeWWWForm &&
|
||||||
|
r.FormValue("loginaction") == "login" &&
|
||||||
|
checkCredentials(r.FormValue("username"), r.FormValue("password")) {
|
||||||
|
// Do original request
|
||||||
|
loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody"))
|
||||||
|
req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody))
|
||||||
|
// Copy original headers
|
||||||
|
loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders"))
|
||||||
|
var headers http.Header
|
||||||
|
json.Unmarshal(loginheaders, &headers)
|
||||||
|
for k, v := range headers {
|
||||||
|
req.Header[k] = v
|
||||||
|
}
|
||||||
|
// Set basic auth
|
||||||
|
req.SetBasicAuth(r.FormValue("username"), r.FormValue("password"))
|
||||||
|
// Serve original request
|
||||||
|
d.ServeHTTP(w, req)
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func acceptLogin(w http.ResponseWriter) bool {
|
||||||
|
expiration := time.Now().Add(7 * 24 * time.Hour)
|
||||||
|
tokenString, err := jwt.NewWithClaims(jwt.SigningMethodHS256, &jwt.StandardClaims{ExpiresAt: expiration.Unix()}).SignedString(jwtKey())
|
||||||
|
if err != nil {
|
||||||
|
http.Error(w, "failed to sign JWT", http.StatusInternalServerError)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
http.SetCookie(w, &http.Cookie{
|
||||||
|
Name: "token",
|
||||||
|
Value: tokenString,
|
||||||
|
Expires: expiration,
|
||||||
|
Secure: true,
|
||||||
|
HttpOnly: true,
|
||||||
|
})
|
||||||
|
return true
|
||||||
|
}
|
|
@ -31,6 +31,7 @@ type configServer struct {
|
||||||
PublicAddress string `mapstructure:"publicAddress"`
|
PublicAddress string `mapstructure:"publicAddress"`
|
||||||
PublicHTTPS bool `mapstructure:"publicHttps"`
|
PublicHTTPS bool `mapstructure:"publicHttps"`
|
||||||
LetsEncryptMail string `mapstructure:"letsEncryptMail"`
|
LetsEncryptMail string `mapstructure:"letsEncryptMail"`
|
||||||
|
JWTSecret string `mapstructure:"jwtSecret"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type configDb struct {
|
type configDb struct {
|
||||||
|
@ -212,6 +213,9 @@ func initConfig() error {
|
||||||
if appConfig.Server.Domain == "" {
|
if appConfig.Server.Domain == "" {
|
||||||
return errors.New("no domain configured")
|
return errors.New("no domain configured")
|
||||||
}
|
}
|
||||||
|
if appConfig.Server.JWTSecret == "" {
|
||||||
|
return errors.New("no JWT secret configured")
|
||||||
|
}
|
||||||
if len(appConfig.Blogs) == 0 {
|
if len(appConfig.Blogs) == 0 {
|
||||||
return errors.New("no blog configured")
|
return errors.New("no blog configured")
|
||||||
}
|
}
|
||||||
|
|
3
go.mod
3
go.mod
|
@ -9,6 +9,7 @@ require (
|
||||||
github.com/araddon/dateparse v0.0.0-20201001162425-8aadafed4dc4
|
github.com/araddon/dateparse v0.0.0-20201001162425-8aadafed4dc4
|
||||||
github.com/caddyserver/certmagic v0.12.0
|
github.com/caddyserver/certmagic v0.12.0
|
||||||
github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 // indirect
|
github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 // indirect
|
||||||
|
github.com/dgrijalva/jwt-go v3.2.0+incompatible
|
||||||
github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect
|
github.com/fastly/go-utils v0.0.0-20180712184237-d95a45783239 // indirect
|
||||||
github.com/go-chi/chi v4.1.2+incompatible
|
github.com/go-chi/chi v4.1.2+incompatible
|
||||||
github.com/go-fed/httpsig v1.0.1-0.20200711113112-812070f75b67
|
github.com/go-fed/httpsig v1.0.1-0.20200711113112-812070f75b67
|
||||||
|
@ -59,7 +60,7 @@ require (
|
||||||
golang.org/x/mod v0.4.0 // indirect
|
golang.org/x/mod v0.4.0 // indirect
|
||||||
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 // indirect
|
golang.org/x/net v0.0.0-20201209123823-ac852fbbde11 // indirect
|
||||||
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
|
golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
|
||||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b // indirect
|
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e // indirect
|
||||||
golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
|
golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
|
||||||
golang.org/x/text v0.3.4 // indirect
|
golang.org/x/text v0.3.4 // indirect
|
||||||
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 // indirect
|
golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58 // indirect
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -458,8 +458,8 @@ golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c h1:UIcGWL6/wpCfyGuJnRFJRurA+
|
||||||
golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20200724161237-0e2f3a69832c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b h1:tv7/y4pd+sR8bcNb2D6o7BNU6zjWm0VjQLac+w7fNNM=
|
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e h1:AyodaIpKjppX+cBfTASF2E1US3H2JFBj920Ot3rtDjs=
|
||||||
golang.org/x/sys v0.0.0-20201214095126-aec9a390925b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
|
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
|
||||||
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
|
||||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||||
|
|
8
http.go
8
http.go
|
@ -33,15 +33,10 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
d *dynamicHandler
|
d *dynamicHandler
|
||||||
authMiddleware func(next http.Handler) http.Handler
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func startServer() (err error) {
|
func startServer() (err error) {
|
||||||
// Init
|
|
||||||
authMiddleware = middleware.BasicAuth("", map[string]string{
|
|
||||||
appConfig.User.Nick: appConfig.User.Password,
|
|
||||||
})
|
|
||||||
// Start
|
// Start
|
||||||
d = &dynamicHandler{}
|
d = &dynamicHandler{}
|
||||||
err = reloadRouter()
|
err = reloadRouter()
|
||||||
|
@ -85,6 +80,7 @@ func buildHandler() (http.Handler, error) {
|
||||||
if !appConfig.Cache.Enable {
|
if !appConfig.Cache.Enable {
|
||||||
r.Use(middleware.NoCache)
|
r.Use(middleware.NoCache)
|
||||||
}
|
}
|
||||||
|
r.Use(checkIsLogin)
|
||||||
|
|
||||||
// Profiler
|
// Profiler
|
||||||
if appConfig.Server.Debug {
|
if appConfig.Server.Debug {
|
||||||
|
|
|
@ -31,6 +31,7 @@ const templateSearch = "search"
|
||||||
const templateSummary = "summary"
|
const templateSummary = "summary"
|
||||||
const templatePhotosSummary = "photosummary"
|
const templatePhotosSummary = "photosummary"
|
||||||
const templateEditor = "editor"
|
const templateEditor = "editor"
|
||||||
|
const templateLogin = "login"
|
||||||
|
|
||||||
var templates map[string]*template.Template
|
var templates map[string]*template.Template
|
||||||
var templateFunctions template.FuncMap
|
var templateFunctions template.FuncMap
|
||||||
|
|
|
@ -127,7 +127,7 @@ footer * {
|
||||||
display: none;
|
display: none;
|
||||||
}
|
}
|
||||||
|
|
||||||
.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form textarea {
|
.fw, .fw-form, .fw-form input:not([type]), .fw-form input[type=text], .fw-form input[type=email], .fw-form input[type=url], .fw-form input[type=password], .fw-form textarea {
|
||||||
width: 100%;
|
width: 100%;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -92,7 +92,7 @@ form input, form textarea {
|
||||||
.fw-form {
|
.fw-form {
|
||||||
@extend .fw;
|
@extend .fw;
|
||||||
|
|
||||||
input:not([type]), input[type="text"], input[type="email"], input[type="url"], textarea {
|
input:not([type]), input[type="text"], input[type="email"], input[type="url"], input[type="password"], textarea {
|
||||||
@extend .fw;
|
@extend .fw;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,22 @@
|
||||||
|
{{ define "title" }}
|
||||||
|
<title>{{ string .Blog.Lang "editor" }} - {{ .Blog.Title }}</title>
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ define "main" }}
|
||||||
|
<main>
|
||||||
|
<h1>{{ string .Blog.Lang "login" }}</h1>
|
||||||
|
<form class="fw-form p" method="post">
|
||||||
|
<input type="hidden" name="loginaction" value="login">
|
||||||
|
<input type="hidden" name="loginmethod" value="{{ .Data.loginmethod }}">
|
||||||
|
<input type="hidden" name="loginheaders" value="{{ .Data.loginheaders }}">
|
||||||
|
<input type="hidden" name="loginbody" value="{{ .Data.loginbody }}">
|
||||||
|
<input type="text" name="username" placeholder="{{ string .Blog.Lang "username" }}">
|
||||||
|
<input type="password" name="password" placeholder="{{ string .Blog.Lang "password" }}">
|
||||||
|
<input class="fw" type="submit" value="{{ string .Blog.Lang "login" }}">
|
||||||
|
</form>
|
||||||
|
</main>
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{ define "login" }}
|
||||||
|
{{ template "base" . }}
|
||||||
|
{{ end }}
|
|
@ -26,4 +26,7 @@ search: "Search"
|
||||||
editor: "Editor"
|
editor: "Editor"
|
||||||
create: "Create"
|
create: "Create"
|
||||||
update: "Update"
|
update: "Update"
|
||||||
upload: "Upload"
|
upload: "Upload"
|
||||||
|
login: "Login"
|
||||||
|
username: "Username"
|
||||||
|
password: "Password"
|
Loading…
Reference in New Issue