basepath fixes

2025-05-24 00:33:14 +00:00 · 2021-03-17 16:25:16 +00:00 · 2021-03-17 16:25:16 +00:00 · f3c55ba5f2
commit f3c55ba5f2
parent 5e453e3227
4 changed files with 25 additions and 29 deletions
--- a/src/auth/auth.go
+++ b/src/auth/auth.go
@ -23,30 +23,21 @@ func IsAuthenticated(req *http.Request, username, password string) bool {
 }

 func Authenticate(rw http.ResponseWriter, username, password, basepath string) {
-	expires := time.Now().Add(time.Hour * 24 * 7) // 1 week
-
-	var cookiePath string
-	if basepath != "" {
-		cookiePath = basepath
-	} else {
-		cookiePath = "/"
-	}
-	cookie := http.Cookie{
+	http.SetCookie(rw, &http.Cookie{
 		Name:    "auth",
 		Value:   username + ":" + secret(username, password),
-		Expires: expires,
-		Path:    cookiePath,
-	}
-	http.SetCookie(rw, &cookie)
+		Expires: time.Now().Add(time.Hour * 24 * 7), // 1 week,
+		Path:    basepath,
+	})
 }

-func Logout(rw http.ResponseWriter) {
-	cookie := http.Cookie{
+func Logout(rw http.ResponseWriter, basepath string) {
+	http.SetCookie(rw, &http.Cookie{
 		Name:    "auth",
 		Value:   "",
 		MaxAge:  -1,
-	}
-	http.SetCookie(rw, &cookie)
+		Path:    basepath,
+	})
 }

 func StringsEqual(p1, p2 string) bool {
--- a/src/server/middleware.go
+++ b/src/server/middleware.go
@ -16,8 +16,12 @@ type authMiddleware struct {
 	public   string
 }

+func unsafeMethod(method string) bool {
+	return method == "POST" || method == "PUT" || method == "DELETE"
+}
+
 func (m *authMiddleware) handler(c *router.Context) {
-	if strings.HasPrefix(c.Req.URL.Path, m.public) {
+	if strings.HasPrefix(c.Req.URL.Path, m.basepath + m.public) {
 		c.Next()
 		return
 	}
@ -26,9 +30,14 @@ func (m *authMiddleware) handler(c *router.Context) {
 		return
 	}

-	if c.Req.URL.Path != m.basepath {
-		// TODO: check ajax
-		c.Out.WriteHeader(http.StatusForbidden)
+	rootUrl := m.basepath + "/"
+
+	if c.Req.URL.Path != rootUrl {
+		if unsafeMethod(c.Req.Method) && c.Req.Header.Get("X-Requested-By") != "yarr" {
+			c.Out.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		c.Redirect(rootUrl)
 		return
 	}

@ -37,10 +46,9 @@ func (m *authMiddleware) handler(c *router.Context) {
 		password := c.Req.FormValue("password")
 		if auth.StringsEqual(username, m.username) && auth.StringsEqual(password, m.password) {
 			auth.Authenticate(c.Out, m.username, m.password, m.basepath)
-			c.Redirect(m.basepath)
+			c.Redirect(rootUrl)
 			return
 		} else {
-			// TODO: show error
 			c.HTML(http.StatusOK, assets.Template("login.html"), map[string]string{
 				"username": username,
 				"error": "Invalid username/password",
--- a/src/server/routes.go
+++ b/src/server/routes.go
@ -21,10 +21,10 @@ func (s *Server) handler() http.Handler {
 	// TODO: auth, base, security
 	if s.Username != "" && s.Password != "" {
 		a := &authMiddleware{
+			basepath: BasePath,
 			username: s.Username,
 			password: s.Password,
-			basepath: BasePath + "/",
-			public: BasePath + "/static",
+			public:   "/static",
 		}
 		r.Use(a.handler)
 	}
@ -401,6 +401,6 @@ func (s *Server) handlePageCrawl(c *router.Context) {
 }

 func (s *Server) handleLogout(c *router.Context) {
-	auth.Logout(c.Out)
+	auth.Logout(c.Out, BasePath)
 	c.Out.WriteHeader(http.StatusNoContent)
 }
--- a/src/server/server.go
+++ b/src/server/server.go
@ -54,9 +54,6 @@ func (s *Server) Start() {
 	}
 }

-func unsafeMethod(method string) bool {
-	return method == "POST" || method == "PUT" || method == "DELETE"
-}

 /*
 func (h Server) ServeHTTP(rw http.ResponseWriter, req *http.Request) {