-
Notifications
You must be signed in to change notification settings - Fork 388
/
auth.go
147 lines (123 loc) · 3.17 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
// Package user contains the basic admin user creation and authentication code,
// specific to Ponzu systems.
package user
import (
"bytes"
crand "crypto/rand"
"encoding/base64"
"log"
mrand "math/rand"
"net/http"
"time"
"github.com/nilslice/jwt"
"golang.org/x/crypto/bcrypt"
)
// User defines a admin user in the system
type User struct {
ID int `json:"id"`
Email string `json:"email"`
Hash string `json:"hash"`
Salt string `json:"salt"`
}
var (
r = mrand.New(mrand.NewSource(time.Now().Unix()))
)
// New creates a user
func New(email, password string) (*User, error) {
salt, err := randSalt()
if err != nil {
return nil, err
}
hash, err := hashPassword([]byte(password), salt)
if err != nil {
return nil, err
}
user := &User{
Email: email,
Hash: string(hash),
Salt: base64.StdEncoding.EncodeToString(salt),
}
return user, nil
}
// Auth is HTTP middleware to ensure the request has proper token credentials
func Auth(next http.HandlerFunc) http.HandlerFunc {
return http.HandlerFunc(func(res http.ResponseWriter, req *http.Request) {
redir := req.URL.Scheme + req.URL.Host + "/admin/login"
if IsValid(req) {
next.ServeHTTP(res, req)
} else {
http.Redirect(res, req, redir, http.StatusFound)
}
})
}
// IsValid checks if the user request is authenticated
func IsValid(req *http.Request) bool {
// check if token exists in cookie
cookie, err := req.Cookie("_token")
if err != nil {
return false
}
// validate it and allow or redirect request
token := cookie.Value
return jwt.Passes(token)
}
// IsUser checks for consistency in email/pass combination
func IsUser(usr *User, password string) bool {
salt, err := base64.StdEncoding.DecodeString(usr.Salt)
if err != nil {
return false
}
err = checkPassword([]byte(usr.Hash), []byte(password), salt)
if err != nil {
log.Println("Error checking password:", err)
return false
}
return true
}
// randSalt generates 16 * 8 bits of data for a random salt
func randSalt() ([]byte, error) {
buf := make([]byte, 16)
count := len(buf)
n, err := crand.Read(buf)
if err != nil {
return nil, err
}
if n != count || err != nil {
for count > 0 {
count--
buf[count] = byte(r.Int31n(256))
}
}
return buf, nil
}
// saltPassword combines the salt and password provided
func saltPassword(password, salt []byte) ([]byte, error) {
salted := &bytes.Buffer{}
_, err := salted.Write(append(salt, password...))
if err != nil {
return nil, err
}
return salted.Bytes(), nil
}
// hashPassword encrypts the salted password using bcrypt
func hashPassword(password, salt []byte) ([]byte, error) {
salted, err := saltPassword(password, salt)
if err != nil {
return nil, err
}
hash, err := bcrypt.GenerateFromPassword(salted, 10)
if err != nil {
return nil, err
}
return hash, nil
}
// checkPassword compares the hash with the salted password. A nil return means
// the password is correct, but an error could mean either the password is not
// correct, or the salt process failed - indicated in logs
func checkPassword(hash, password, salt []byte) error {
salted, err := saltPassword(password, salt)
if err != nil {
return err
}
return bcrypt.CompareHashAndPassword(hash, salted)
}