From f3c55ba5f24a1adb9d19cef4f165757fd735d141 Mon Sep 17 00:00:00 2001
From: Nazar Kanaev
Date: Wed, 17 Mar 2021 16:25:16 +0000
Subject: [PATCH] basepath fixes

---
 src/auth/auth.go | 25 ++++++++-----------------
 src/server/middleware.go | 20 ++++++++++++++------
 src/server/routes.go | 6 +++---
 src/server/server.go | 3 ---
 4 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/src/auth/auth.go b/src/auth/auth.go
index fddc9c0..1a8978f 100644
--- a/src/auth/auth.go
+++ b/src/auth/auth.go
@@ -23,30 +23,21 @@ func IsAuthenticated(req *http.Request, username, password string) bool {
 }
 
 func Authenticate(rw http.ResponseWriter, username, password, basepath string) {
-	expires := time.Now().Add(time.Hour * 24 * 7) // 1 week
-
-	var cookiePath string
-	if basepath != "" {
-		cookiePath = basepath
-	} else {
-		cookiePath = "/"
-	}
-	cookie := http.Cookie{
+	http.SetCookie(rw, &http.Cookie{
 		Name: "auth",
 		Value: username + ":" + secret(username, password),
-		Expires: expires,
-		Path: cookiePath,
-	}
-	http.SetCookie(rw, &cookie)
+		Expires: time.Now().Add(time.Hour * 24 * 7), // 1 week,
+		Path: basepath,
+	})
 }
 
-func Logout(rw http.ResponseWriter) {
-	cookie := http.Cookie{
+func Logout(rw http.ResponseWriter, basepath string) {
+	http.SetCookie(rw, &http.Cookie{
 		Name: "auth",
 		Value: "",
 		MaxAge: -1,
-	}
-	http.SetCookie(rw, &cookie)
+		Path: basepath,
+	})
 }
 
 func StringsEqual(p1, p2 string) bool {
diff --git a/src/server/middleware.go b/src/server/middleware.go
index acb9094..cf49cf4 100644
--- a/src/server/middleware.go
+++ b/src/server/middleware.go
@@ -16,8 +16,12 @@ type authMiddleware struct {
 	public string
 }
 
+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (m *authMiddleware) handler(c *router.Context) {
-	if strings.HasPrefix(c.Req.URL.Path, m.public) {
+	if strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public) {
 		c.Next()
 		return
 	}
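Review bot: The cookie literal in the rewritten Authenticate still sets no HttpOnly, Secure or SameSite attribute, so the `username:secret` value remains readable from page script and is attached to cross-site requests; add `HttpOnly: true,` and `SameSite: http.SameSiteLaxMode,` to the literal, and `Secure: true` once the deployment is known to serve over TLS, which this hunk cannot tell. Dropping the old `cookiePath = "/"` fallback also changes behaviour for an empty basepath: Go then omits the Path attribute and the browser derives a default path from the request URL, which is only `/` when the login form is posted at the root, so a comment on the parameter would help, e.g. `// basepath scopes the cookie; "" leaves the browser's default path`. The trailing comma in `// 1 week,` looks like a typo.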
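Review bot: The public bypass `strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public)` accepts any path that merely begins with the joined prefix, not only paths under the static directory, so a sibling route whose name starts with `/static` would skip authentication; test against the directory with its separator, `strings.HasPrefix(c.Req.URL.Path, m.basepath+m.public+"/")`, or compare for equality on the bare path. Whether c.Req.URL.Path arrives cleaned of `..` segments and repeated slashes depends on the router, which is outside this hunk; if it does not clean, normalise before the prefix test. gofmt would also drop the spaces around `+` inside the call argument. handler continues past the end of the hunk.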
@@ -26,9 +30,14 @@ func (m *authMiddleware) handler(c *router.Context) {
 		return
 	}
 
-	if c.Req.URL.Path != m.basepath {
-		// TODO: check ajax
-		c.Out.WriteHeader(http.StatusForbidden)
+	rootUrl := m.basepath + "/"
+
+	if c.Req.URL.Path != rootUrl {
+		if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr" {
+			c.Out.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		c.Redirect(rootUrl)
 		return
 	}
 
@@ -37,10 +46,9 @@ func (m *authMiddleware) handler(c *router.Context) {
 	password := c.Req.FormValue("password")
 	if auth.StringsEqual(username, m.username) && auth.StringsEqual(password, m.password) {
 		auth.Authenticate(c.Out, m.username, m.password, m.basepath)
-		c.Redirect(m.basepath)
+		c.Redirect(rootUrl)
 		return
 	} else {
-		// TODO: show error
 		c.HTML(http.StatusOK, assets.Template("login.html"), map[string]string{
 			"username": username,
 			"error": "Invalid username/password",
diff --git a/src/server/routes.go b/src/server/routes.go
index 34b83ef..c76bfbe 100644
--- a/src/server/routes.go
+++ b/src/server/routes.go
@@ -21,10 +21,10 @@ func (s *Server) handler() http.Handler {
 	// TODO: auth, base, security
 	if s.Username != "" && s.Password != "" {
 		a := &authMiddleware{
+			basepath: BasePath,
 			username: s.Username,
 			password: s.Password,
-			basepath: BasePath + "/",
-			public: BasePath + "/static",
+			public: "/static",
 		}
 		r.Use(a.handler)
 	}
@@ -401,6 +401,6 @@ func (s *Server) handlePageCrawl(c *router.Context) {
 }
 
 func (s *Server) handleLogout(c *router.Context) {
-	auth.Logout(c.Out)
+	auth.Logout(c.Out, BasePath)
 	c.Out.WriteHeader(http.StatusNoContent)
 }
diff --git a/src/server/server.go b/src/server/server.go
index 1fed691..809e8f5 100644
--- a/src/server/server.go
+++ b/src/server/server.go
@@ -54,9 +54,6 @@ func (s *Server) Start() {
 	}
 }
 
-func unsafeMethod(method string) bool {
-	return method == "POST" || method == "PUT" || method == "DELETE"
-}
 /*
 func (h Server) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
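Review bot: The new guard `if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr"` answers 401 to unauthenticated state-changing requests that lack the header and redirects those that carry it; if the header is what the app's own XHR calls send, that reads inverted (the app's calls would receive a redirect to the login page rather than a status they can act on), so confirm which branch the front end is expected to hit and state it in a comment, e.g. `// non-app clients get 401; app XHR and browser navigations are sent to the login form`. Only the three methods listed in unsafeMethod count as unsafe, so a PATCH or any other method falls through to the redirect, which may or may not be intended. `rootUrl` should be `rootURL` per Go's initialism convention; the same name reappears in the next hunk. handler begins before this hunk.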
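Review bot: The middleware now receives BasePath unchanged, appends `"/"` to it for the root URL and prefixes `"/static"` with it, so the pieces only compose if BasePath is either empty or starts with "/" and has no trailing slash; nothing in this hunk establishes that, and wherever BasePath is normalised is outside the hunk. Record the invariant where the field is initialised, e.g. `basepath: BasePath, // "" or "/prefix" without trailing slash; handler appends "/"`, so a later change to BasePath handling does not silently produce "//" or break the static bypass.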