scip/ephemerup
1
0
Fork 0
mirror of https://codeberg.org/scip/ephemerup.git synced 2025-12-16 20:20:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
05fa5cd41b9b684bc35bd6c99d339e1eab47576e
ephemerup/api/auth.go
Thomas von Dein 05fa5cd41b changes: 
- added unit tests
    - put all subcmds into one file
    - use io.Writer for output, better for testing
    - added upload form support
    - added api docs
    - generalized db engine
    - added mail notify support for forms
    - enhanced server/SetupAuthStore() to also look up form ids
    - added form template (put into .go file by Makefile
    - renamed project
2023-03-29 13:36:20 +02:00

127 lines
3.4 KiB
Go
Raw Blame History

/*
Copyright © 2023 Thomas von Dein
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package api
import (
"crypto/sha256"
"crypto/subtle"
"errors"
"github.com/gofiber/fiber/v2"
"github.com/gofiber/keyauth/v2"
"github.com/tlinden/ephemerup/cfg"
"github.com/tlinden/ephemerup/common"
)
// these vars can be savely global, since they don't change ever
var (
errMissing = &fiber.Error{
Code: 403000,
Message: "Missing API key",
}
errInvalid = &fiber.Error{
Code: 403001,
Message: "Invalid API key",
}
Apikeys []cfg.Apicontext
)
// fill from server: accepted keys
func AuthSetApikeys(keys []cfg.Apicontext) {
Apikeys = keys
}
// make sure we always return JSON encoded errors
func AuthErrHandler(ctx *fiber.Ctx, err error) error {
ctx.Status(fiber.StatusForbidden)
if err == errMissing {
return ctx.JSON(errMissing)
}
return ctx.JSON(errInvalid)
}
// validator hook, validates incoming api key against form id, which
// also acts as onetime api key
func AuthValidateOnetimeKey(c *fiber.Ctx, key string, db *Db) (bool, error) {
resp, err := db.Get("", key, common.TypeForm)
if err != nil {
return false, errors.New("Onetime key doesn't match any form id!")
}
if len(resp.Forms) != 1 {
return false, errors.New("db.Get(form) returned no results and no errors!")
}
sess, err := Sessionstore.Get(c)
// store the result into the session, the 'formid' key tells the
// upload handler that the apicontext it sees is in fact a form id
// and has to be deleted if set to asap.
sess.Set("apicontext", resp.Forms[0].Context)
sess.Set("formid", key)
if err := sess.Save(); err != nil {
return false, errors.New("Unable to save session store!")
}
return true, nil
}
// validator hook, called by fiber via server keyauth.New()
func AuthValidateAPIKey(c *fiber.Ctx, key string) (bool, error) {
// create a new session, it will be thrown away if something fails
sess, err := Sessionstore.Get(c)
if err != nil {
return false, errors.New("Unable to initialize session store from context!")
}
// if Apikeys is empty, the server works unauthenticated
// FIXME: maybe always reject?
if len(Apikeys) == 0 {
sess.Set("apicontext", "default")
if err := sess.Save(); err != nil {
return false, errors.New("Unable to save session store!")
}
return true, nil
}
// actual key comparision
for _, apicontext := range Apikeys {
hashedAPIKey := sha256.Sum256([]byte(apicontext.Key))
hashedKey := sha256.Sum256([]byte(key))
if subtle.ConstantTimeCompare(hashedAPIKey[:], hashedKey[:]) == 1 {
// apikey matches, register apicontext for later use by the handlers
sess.Set("apicontext", apicontext.Context)
if err := sess.Save(); err != nil {
return false, errors.New("Unable to save session store!")
}
return true, nil
}
}
return false, keyauth.ErrMissingOrMalformedAPIKey
}
Reference in New Issue View Git Blame Copy Permalink