092134f3f3
The semantics of the Authorization header are defined by RFC 9110, which says: > It uses a case-insensitive token to identify the authentication scheme: Therefore, "bearer", "Bearer", and "bEARER" are equivalent. This patch fixes the parsing of the Authorization header to check for the Bearer authentication scheme case insensitively. I've modified one of the test cases to use lowercase "bearer", so there's test coverage for this.
152 lines
5.0 KiB
Go
152 lines
5.0 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/owncast/owncast/core/data"
|
|
"github.com/owncast/owncast/core/user"
|
|
"github.com/owncast/owncast/utils"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// ExternalAccessTokenHandlerFunc is a function that is called after validing access.
|
|
type ExternalAccessTokenHandlerFunc func(user.ExternalAPIUser, http.ResponseWriter, *http.Request)
|
|
|
|
// UserAccessTokenHandlerFunc is a function that is called after validing user access.
|
|
type UserAccessTokenHandlerFunc func(user.User, http.ResponseWriter, *http.Request)
|
|
|
|
// RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
|
|
// the stream key as the password and and a hardcoded "admin" for username.
|
|
func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
username := "admin"
|
|
password := data.GetAdminPassword()
|
|
realm := "Owncast Authenticated Request"
|
|
|
|
// The following line is kind of a work around.
|
|
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
|
|
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
|
|
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
|
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
|
|
|
// For request needing CORS, send a 204.
|
|
if r.Method == "OPTIONS" {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
user, pass, ok := r.BasicAuth()
|
|
|
|
// Failed
|
|
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
log.Debugln("Failed admin authentication")
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
func accessDenied(w http.ResponseWriter) {
|
|
w.WriteHeader(http.StatusUnauthorized) //nolint
|
|
w.Write([]byte("unauthorized")) //nolint
|
|
}
|
|
|
|
// RequireExternalAPIAccessToken will validate a 3rd party access token.
|
|
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// We should accept 3rd party preflight OPTIONS requests.
|
|
if r.Method == "OPTIONS" {
|
|
// All OPTIONS requests should have a wildcard CORS header.
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
authHeader := r.Header.Get("Authorization")
|
|
token := ""
|
|
if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
|
|
token = authHeader[len("bearer "):]
|
|
}
|
|
|
|
if token == "" {
|
|
log.Warnln("invalid access token")
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
integration, err := user.GetExternalAPIUserForAccessTokenAndScope(token, scope)
|
|
if integration == nil || err != nil {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
// All auth'ed 3rd party requests should have a wildcard CORS header.
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
|
|
handler(*integration, w, r)
|
|
|
|
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
|
|
log.Debugln("token not found when updating last_used timestamp")
|
|
}
|
|
})
|
|
}
|
|
|
|
// RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled.
|
|
// Not to be used for validating 3rd party access.
|
|
func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
accessToken := r.URL.Query().Get("accessToken")
|
|
if accessToken == "" {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
ipAddress := utils.GetIPAddressFromRequest(r)
|
|
// Check if this client's IP address is banned.
|
|
if blocked, err := data.IsIPAddressBanned(ipAddress); blocked {
|
|
log.Debugln("Client ip address has been blocked. Rejecting.")
|
|
accessDenied(w)
|
|
return
|
|
} else if err != nil {
|
|
log.Errorln("error determining if IP address is blocked: ", err)
|
|
}
|
|
|
|
// A user is required to use the websocket
|
|
user := user.GetUserByToken(accessToken)
|
|
if user == nil || !user.IsEnabled() {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
handler(*user, w, r)
|
|
})
|
|
}
|
|
|
|
// RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled
|
|
// and has "MODERATOR" scope assigned to the user.
|
|
func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
accessToken := r.URL.Query().Get("accessToken")
|
|
if accessToken == "" {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
// A user is required to use the websocket
|
|
user := user.GetUserByToken(accessToken)
|
|
if user == nil || !user.IsEnabled() || !user.IsModerator() {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
})
|
|
}
|