package main import ( "bytes" "context" "encoding/base64" "encoding/json" "io" "net/http" "github.com/pquerna/otp/totp" ) func checkCredentials(username, password, totpPasscode string) bool { return username == appConfig.User.Nick && password == appConfig.User.Password && (appConfig.User.TOTP == "" || totp.Validate(totpPasscode, appConfig.User.TOTP)) } func checkAppPasswords(username, password string) bool { for _, apw := range appConfig.User.AppPasswords { if apw.Username == username && apw.Password == password { return true } } return false } func jwtKey() []byte { return []byte(appConfig.Server.JWTSecret) } func authMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // 1. Check if already logged in if loggedIn, ok := r.Context().Value(loggedInKey).(bool); ok && loggedIn { next.ServeHTTP(w, r) return } // 2. Check BasicAuth (just for app passwords) if username, password, ok := r.BasicAuth(); ok && checkAppPasswords(username, password) { next.ServeHTTP(w, r) return } // 3. Check login cookie if checkLoginCookie(r) { next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), loggedInKey, true))) return } // 4. Show login form w.Header().Set("Cache-Control", "no-store,max-age=0") h, _ := json.Marshal(r.Header.Clone()) b, _ := io.ReadAll(io.LimitReader(r.Body, 2000000)) // Only allow 20 Megabyte _ = r.Body.Close() if len(b) == 0 { // Maybe it's a form _ = r.ParseForm() b = []byte(r.PostForm.Encode()) } render(w, r, templateLogin, &renderData{ Data: map[string]interface{}{ "loginmethod": r.Method, "loginheaders": base64.StdEncoding.EncodeToString(h), "loginbody": base64.StdEncoding.EncodeToString(b), "totp": appConfig.User.TOTP != "", }, }) }) } const loggedInKey requestContextKey = "loggedIn" func checkLoggedIn(next http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { if checkLoginCookie(r) { next.ServeHTTP(rw, r.WithContext(context.WithValue(r.Context(), loggedInKey, true))) return } next.ServeHTTP(rw, r) }) } func checkLoginCookie(r *http.Request) bool { ses, err := loginSessionsStore.Get(r, "l") if err == nil && ses != nil { if login, ok := ses.Values["login"]; ok && login.(bool) { return true } } return false } func checkIsLogin(next http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { if !checkLogin(rw, r) { next.ServeHTTP(rw, r) } }) } func checkLogin(w http.ResponseWriter, r *http.Request) bool { if r.Method != http.MethodPost { return false } if r.Header.Get(contentType) != contentTypeWWWForm { return false } if r.FormValue("loginaction") != "login" { return false } // Check credential if !checkCredentials(r.FormValue("username"), r.FormValue("password"), r.FormValue("token")) { serveError(w, r, "Incorrect credentials", http.StatusUnauthorized) return true } // Prepare original request loginbody, _ := base64.StdEncoding.DecodeString(r.FormValue("loginbody")) req, _ := http.NewRequest(r.FormValue("loginmethod"), r.RequestURI, bytes.NewReader(loginbody)) // Copy original headers loginheaders, _ := base64.StdEncoding.DecodeString(r.FormValue("loginheaders")) var headers http.Header _ = json.Unmarshal(loginheaders, &headers) for k, v := range headers { req.Header[k] = v } // Cookie ses, err := loginSessionsStore.Get(r, "l") if err != nil { serveError(w, r, err.Error(), http.StatusInternalServerError) return true } ses.Values["login"] = true cookie, err := loginSessionsStore.SaveGetCookie(r, w, ses) if err != nil { serveError(w, r, err.Error(), http.StatusInternalServerError) return true } req.AddCookie(cookie) // Serve original request d.ServeHTTP(w, req) return true } // Need to set auth middleware! func serveLogin(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/", http.StatusFound) } func serveLogout(w http.ResponseWriter, r *http.Request) { if ses, err := loginSessionsStore.Get(r, "l"); err == nil && ses != nil { _ = loginSessionsStore.Delete(r, w, ses) } http.Redirect(w, r, "/", http.StatusFound) }