feat(httpapi): env-based login and session auth middleware
This commit is contained in:
@@ -0,0 +1,67 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/vasyansk/imap-copier/internal/config"
|
||||
"github.com/vasyansk/imap-copier/internal/crypto"
|
||||
"github.com/vasyansk/imap-copier/internal/orchestrator"
|
||||
"github.com/vasyansk/imap-copier/internal/store"
|
||||
"github.com/vasyansk/imap-copier/internal/wshub"
|
||||
)
|
||||
|
||||
const cookieName = "session"
|
||||
|
||||
type Server struct {
|
||||
cfg config.Config
|
||||
store *store.Store
|
||||
orch *orchestrator.Orchestrator
|
||||
hub *wshub.Hub
|
||||
}
|
||||
|
||||
func NewServer(cfg config.Config, s *store.Store, orch *orchestrator.Orchestrator, hub *wshub.Hub) *Server {
|
||||
return &Server{cfg: cfg, store: s, orch: orch, hub: hub}
|
||||
}
|
||||
|
||||
func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||
var body struct{ User, Pass string }
|
||||
if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
|
||||
http.Error(w, "bad json", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
uOK := subtle.ConstantTimeCompare([]byte(body.User), []byte(s.cfg.AuthUser)) == 1
|
||||
pOK := subtle.ConstantTimeCompare([]byte(body.Pass), []byte(s.cfg.AuthPass)) == 1
|
||||
if !uOK || !pOK {
|
||||
http.Error(w, "invalid credentials", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
tok := crypto.SignSession(s.cfg.SessionSecret, body.User, time.Now().Add(24*time.Hour))
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: cookieName, Value: tok, Path: "/",
|
||||
HttpOnly: true, SameSite: http.SameSiteLaxMode, MaxAge: 86400,
|
||||
})
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
|
||||
func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
|
||||
http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
|
||||
func (s *Server) requireAuth(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
c, err := r.Cookie(cookieName)
|
||||
if err != nil {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
if _, ok := crypto.VerifySession(s.cfg.SessionSecret, c.Value, time.Now()); !ok {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
package httpapi
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/vasyansk/imap-copier/internal/config"
|
||||
)
|
||||
|
||||
func testServer() *Server {
|
||||
return &Server{cfg: config.Config{
|
||||
AuthUser: "admin", AuthPass: "pw", SessionSecret: []byte("sekret"),
|
||||
}}
|
||||
}
|
||||
|
||||
func TestLoginSetsCookie(t *testing.T) {
|
||||
s := testServer()
|
||||
req := httptest.NewRequest("POST", "/api/login", strings.NewReader(`{"user":"admin","pass":"pw"}`))
|
||||
rw := httptest.NewRecorder()
|
||||
s.handleLogin(rw, req)
|
||||
if rw.Code != http.StatusOK {
|
||||
t.Fatalf("code=%d", rw.Code)
|
||||
}
|
||||
if len(rw.Result().Cookies()) == 0 {
|
||||
t.Fatal("no session cookie set")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRequireAuthBlocksNoCookie(t *testing.T) {
|
||||
s := testServer()
|
||||
h := s.requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) }))
|
||||
rw := httptest.NewRecorder()
|
||||
h.ServeHTTP(rw, httptest.NewRequest("GET", "/api/tasks", nil))
|
||||
if rw.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("want 401, got %d", rw.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestRequireAuthAllowsValidCookie(t *testing.T) {
|
||||
s := testServer()
|
||||
// логинимся, забираем cookie, повторяем запрос
|
||||
lr := httptest.NewRequest("POST", "/api/login", strings.NewReader(`{"user":"admin","pass":"pw"}`))
|
||||
lrw := httptest.NewRecorder()
|
||||
s.handleLogin(lrw, lr)
|
||||
cookie := lrw.Result().Cookies()[0]
|
||||
|
||||
h := s.requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) }))
|
||||
req := httptest.NewRequest("GET", "/api/tasks", nil)
|
||||
req.AddCookie(cookie)
|
||||
rw := httptest.NewRecorder()
|
||||
h.ServeHTTP(rw, req)
|
||||
if rw.Code != 200 {
|
||||
t.Fatalf("want 200, got %d", rw.Code)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user