Rename auth header to Linx-Api-Key and remove
b64encoding requirement for uploading with keys
This commit is contained in:
parent
6987edc0d8
commit
68653372ff
20
auth.go
20
auth.go
@ -6,13 +6,11 @@ import (
|
|||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"golang.org/x/crypto/scrypt"
|
"golang.org/x/crypto/scrypt"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
authPrefix = "Linx "
|
|
||||||
scryptSalt = "linx-server"
|
scryptSalt = "linx-server"
|
||||||
scryptN = 16384
|
scryptN = 16384
|
||||||
scryptr = 8
|
scryptr = 8
|
||||||
@ -54,8 +52,8 @@ func readAuthKeys(authFile string) []string {
|
|||||||
return authKeys
|
return authKeys
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkAuth(authKeys []string, decodedAuth []byte) (result bool, err error) {
|
func checkAuth(authKeys []string, key string) (result bool, err error) {
|
||||||
checkKey, err := scrypt.Key([]byte(decodedAuth), []byte(scryptSalt), scryptN, scryptr, scryptp, scryptKeyLen)
|
checkKey, err := scrypt.Key([]byte(key), []byte(scryptSalt), scryptN, scryptr, scryptp, scryptKeyLen)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -79,19 +77,9 @@ func (a auth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
authHeader := r.Header.Get("Authorization")
|
key := r.Header.Get("Linx-Api-Key")
|
||||||
if !strings.HasPrefix(authHeader, authPrefix) {
|
|
||||||
a.failureHandler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
decodedAuth, err := base64.StdEncoding.DecodeString(authHeader[len(authPrefix):])
|
result, err := checkAuth(a.authKeys, key)
|
||||||
if err != nil {
|
|
||||||
a.failureHandler.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
result, err := checkAuth(a.authKeys, decodedAuth)
|
|
||||||
if err != nil || !result {
|
if err != nil || !result {
|
||||||
a.failureHandler.ServeHTTP(w, r)
|
a.failureHandler.ServeHTTP(w, r)
|
||||||
return
|
return
|
||||||
|
@ -10,15 +10,15 @@ func TestCheckAuth(t *testing.T) {
|
|||||||
"vFpNprT9wbHgwAubpvRxYCCpA2FQMAK6hFqPvAGrdZo=",
|
"vFpNprT9wbHgwAubpvRxYCCpA2FQMAK6hFqPvAGrdZo=",
|
||||||
}
|
}
|
||||||
|
|
||||||
if r, err := checkAuth(authKeys, []byte("")); err != nil && r {
|
if r, err := checkAuth(authKeys, ""); err != nil && r {
|
||||||
t.Fatal("Authorization passed for empty key")
|
t.Fatal("Authorization passed for empty key")
|
||||||
}
|
}
|
||||||
|
|
||||||
if r, err := checkAuth(authKeys, []byte("thisisnotvalid")); err != nil && r {
|
if r, err := checkAuth(authKeys, "thisisnotvalid"); err != nil && r {
|
||||||
t.Fatal("Authorization passed for invalid key")
|
t.Fatal("Authorization passed for invalid key")
|
||||||
}
|
}
|
||||||
|
|
||||||
if r, err := checkAuth(authKeys, []byte("haPVipRnGJ0QovA9nyqK")); err != nil && !r {
|
if r, err := checkAuth(authKeys, "haPVipRnGJ0QovA9nyqK"); err != nil && !r {
|
||||||
t.Fatal("Authorization failed for valid key")
|
t.Fatal("Authorization failed for valid key")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -139,6 +139,7 @@ func setup() *web.Mux {
|
|||||||
mux.Post("/upload/", uploadPostHandler)
|
mux.Post("/upload/", uploadPostHandler)
|
||||||
mux.Put("/upload", uploadPutHandler)
|
mux.Put("/upload", uploadPutHandler)
|
||||||
mux.Put("/upload/:name", uploadPutHandler)
|
mux.Put("/upload/:name", uploadPutHandler)
|
||||||
|
|
||||||
mux.Delete("/:name", deleteHandler)
|
mux.Delete("/:name", deleteHandler)
|
||||||
|
|
||||||
mux.Get("/static/*", staticHandler)
|
mux.Get("/static/*", staticHandler)
|
||||||
|
@ -139,9 +139,10 @@ func uploadPutHandler(c web.C, w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
|
func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
|
||||||
if Config.remoteAuthFile != "" {
|
if Config.remoteAuthFile != "" {
|
||||||
result, err := checkAuth(remoteAuthKeys, []byte(r.FormValue("key")))
|
result, err := checkAuth(remoteAuthKeys, r.FormValue("key"))
|
||||||
if err != nil || !result {
|
if err != nil || !result {
|
||||||
unauthorizedHandler(c, w, r)
|
unauthorizedHandler(c, w, r)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
// strict referrer checking is mandatory without remote auth keys
|
// strict referrer checking is mandatory without remote auth keys
|
||||||
|
Loading…
Reference in New Issue
Block a user