basepath fixes

src/auth/auth.go

@@ -23,30 +23,21 @@ func IsAuthenticated(req *http.Request, username, password string) bool {
 }
 
 func Authenticate(rw http.ResponseWriter, username, password, basepath string) {
-	expires := time.Now().Add(time.Hour * 24 * 7) // 1 week
+	http.SetCookie(rw, &http.Cookie{
-
-	var cookiePath string
-	if basepath != "" {
-		cookiePath = basepath
-	} else {
-		cookiePath = "/"
-	}
-	cookie := http.Cookie{
 		Name:    "auth",
 		Value:   username + ":" + secret(username, password),
-		Expires: expires,
+		Expires: time.Now().Add(time.Hour * 24 * 7), // 1 week,
-		Path:    cookiePath,
+		Path:    basepath,
-	}
+	})
-	http.SetCookie(rw, &cookie)
 }
 
-func Logout(rw http.ResponseWriter) {
+func Logout(rw http.ResponseWriter, basepath string) {
-	cookie := http.Cookie{
+	http.SetCookie(rw, &http.Cookie{
 		Name:    "auth",
 		Value:   "",
 		MaxAge:  -1,
-	}
+		Path:    basepath,
-	http.SetCookie(rw, &cookie)
+	})
 }
 
 func StringsEqual(p1, p2 string) bool {

src/server/middleware.go

@@ -16,8 +16,12 @@ type authMiddleware struct {
 	public   string
 }
 
+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (m *authMiddleware) handler(c *router.Context) {
-	if strings.HasPrefix(c.Req.URL.Path, m.public) {
+	if strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public) {
 		c.Next()
 		return
 	}
@@ -26,9 +30,14 @@ func (m *authMiddleware) handler(c *router.Context) {
 		return
 	}
 
-	if c.Req.URL.Path != m.basepath {
+	rootUrl := m.basepath + "/"
-		// TODO: check ajax
+
-		c.Out.WriteHeader(http.StatusForbidden)
+	if c.Req.URL.Path != rootUrl {
+		if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr" {
+			c.Out.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		c.Redirect(rootUrl)
 		return
 	}
 
@@ -37,10 +46,9 @@ func (m *authMiddleware) handler(c *router.Context) {
 		password := c.Req.FormValue("password")
 		if auth.StringsEqual(username, m.username) && auth.StringsEqual(password, m.password) {
 			auth.Authenticate(c.Out, m.username, m.password, m.basepath)
-			c.Redirect(m.basepath)
+			c.Redirect(rootUrl)
 			return
 		} else {
-			// TODO: show error
 			c.HTML(http.StatusOK, assets.Template("login.html"), map[string]string{
 				"username": username,
 				"error": "Invalid username/password",

src/server/routes.go

@@ -21,10 +21,10 @@ func (s *Server) handler() http.Handler {
 	// TODO: auth, base, security
 	if s.Username != "" && s.Password != "" {
 		a := &authMiddleware{
+			basepath: BasePath,
 			username: s.Username,
 			password: s.Password,
-			basepath: BasePath + "/",
+			public:   "/static",
-			public: BasePath + "/static",
 		}
 		r.Use(a.handler)
 	}
@@ -401,6 +401,6 @@ func (s *Server) handlePageCrawl(c *router.Context) {
 }
 
 func (s *Server) handleLogout(c *router.Context) {
-	auth.Logout(c.Out)
+	auth.Logout(c.Out, BasePath)
 	c.Out.WriteHeader(http.StatusNoContent)
 }

src/server/server.go

@@ -54,9 +54,6 @@ func (s *Server) Start() {
 	}
 }
 
-func unsafeMethod(method string) bool {
-	return method == "POST" || method == "PUT" || method == "DELETE"
-}
 
 /*
 func (h Server) ServeHTTP(rw http.ResponseWriter, req *http.Request) {