Home Explore Help
Sign In
fgm
/
go__basicauth_demo
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
go__basicauth_d...
/
server
/
middleware.go

middleware.go 2.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 
  1. package server
    2. 

  2. 

  3. import (
    4. 

  4. 	"crypto/sha256"
    5. 

  5. 	"crypto/subtle"
    6. 

  6. 	"net/http"
    7. 

  7. )
    8. 

  8. 

  9. func (app *Application) BasicAuth(next http.HandlerFunc) http.HandlerFunc {
    10. 

  10. 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    11. 

  11. 		// Extract the username and password from the request Authorization header.
    12. 

  12. 		// If no Authentication header is present, or if the header value is
    13. 

  13. 		// invalid, then the 'ok' return value will be false.
    14. 

  14. 		username, password, ok := r.BasicAuth()
    15. 

  15. 		if ok {
    16. 

  16. 			// Calculate SHA-256 hashes for the provided and expected usernames
    17. 

  17. 			// and passwords in order to have constant length values.
    18. 

  18. 			actualUsernameHash := sha256.Sum256([]byte(username))
    19. 

  19. 			actualPasswordHash := sha256.Sum256([]byte(password))
    20. 

  20. 			expectedUsernameHash := sha256.Sum256([]byte(app.Username))
    21. 

  21. 			expectedPasswordHash := sha256.Sum256([]byte(app.Password))
    22. 

  22. 

  23. 			// Use the subtle.ConstantTimeCompare() function to check if the
    24. 

  24. 			// provided username and password hashes equal the expected
    25. 

  25. 			// username and password hashes.
    26. 

  26. 			// ConstantTimeCompare will return 1 if the values are equal, or 0 otherwise.
    27. 

  27. 			// Importantly, we should do the work to evaluate both the username
    28. 

  28. 			// and password before checking the return values, to avoid leaking information.
    29. 

  29. 			usernameMatch := 1 == subtle.ConstantTimeCompare(actualUsernameHash[:], expectedUsernameHash[:])
    30. 

  30. 			passwordMatch := 1 == subtle.ConstantTimeCompare(actualPasswordHash[:], expectedPasswordHash[:])
    31. 

  31. 

  32. 			// If the username and password are correct, then call the next
    33. 

  33. 			// handler in the chain. Make sure to return afterwards, so that
    34. 

  34. 			// none of the code below is run.
    35. 

  35. 			if usernameMatch && passwordMatch {
    36. 

  36. 				next.ServeHTTP(w, r)
    37. 

  37. 				return
    38. 

  38. 			}
    39. 

  39. 		}
    40. 

  40. 

  41. 		// If the Authentication header is not present, is invalid, or the
    42. 

  42. 		// username or password is wrong, then set a WWW-Authenticate header
    43. 

  43. 		// to inform the client that we expect them to use basic authentication
    44. 

  44. 		// and send a 401 Unauthorized response.
    45. 

  45. 		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
    46. 

  46. 		http.Error(w, "Please provide an authorization", http.StatusUnauthorized)
    47. 

  47. 	})
    48. 

  48. }
    49.