filebrowser/http/auth.go

package http

import (
	"encoding/json"
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/dgrijalva/jwt-go/request"
	fm "github.com/hacdias/filemanager"
)

const reCaptchaAPI = "https://www.google.com/recaptcha/api/siteverify"

type cred struct {
	Password  string `json:"password"`
	Username  string `json:"username"`
	ReCaptcha string `json:"recaptcha"`
}

// reCaptcha checks the reCaptcha code.
func reCaptcha(secret string, response string) (bool, error) {
	body := url.Values{}
	body.Set("secret", secret)
	body.Add("response", response)

	client := &http.Client{}

	resp, err := client.Post(reCaptchaAPI, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))
	if err != nil {
		return false, err
	}

	if resp.StatusCode != http.StatusOK {
		return false, nil
	}

	var data struct {
		Success     bool        `json:"success"`
		ChallengeTS time.Time   `json:"challenge_ts"`
		Hostname    string      `json:"hostname"`
		ErrorCodes  interface{} `json:"error-codes"`
	}

	err = json.NewDecoder(resp.Body).Decode(&data)
	if err != nil {
		return false, err
	}

	return data.Success, nil
}

// authHandler processes the authentication for the user.
func authHandler(c *fm.Context, w http.ResponseWriter, r *http.Request) (int, error) {
	// NoAuth instances shouldn't call this method.
	if c.NoAuth {
		return 0, nil
	}

	// Receive the credentials from the request and unmarshal them.
	var cred cred
	if r.Body == nil {
		return http.StatusForbidden, nil
	}

	err := json.NewDecoder(r.Body).Decode(&cred)
	if err != nil {
		return http.StatusForbidden, nil
	}

	// If ReCaptcha is enabled, check the code.
	if len(c.ReCaptchaSecret) > 0 {
		ok, err := reCaptcha(c.ReCaptchaSecret, cred.ReCaptcha)
		if err != nil {
			return http.StatusForbidden, err
		}

		if !ok {
			return http.StatusForbidden, nil
		}
	}

	// Checks if the user exists.
	u, err := c.Store.Users.GetByUsername(cred.Username, c.NewFS)
	if err != nil {
		return http.StatusForbidden, nil
	}

	// Checks if the password is correct.
	if !fm.CheckPasswordHash(cred.Password, u.Password) {
		return http.StatusForbidden, nil
	}

	c.User = u
	return printToken(c, w)
}

// renewAuthHandler is used when the front-end already has a JWT token
// and is checking if it is up to date. If so, updates its info.
func renewAuthHandler(c *fm.Context, w http.ResponseWriter, r *http.Request) (int, error) {
	ok, u := validateAuth(c, r)
	if !ok {
		return http.StatusForbidden, nil
	}

	c.User = u
	return printToken(c, w)
}

// claims is the JWT claims.
type claims struct {
	fm.User
	jwt.StandardClaims
}

// printToken prints the final JWT token to the user.
func printToken(c *fm.Context, w http.ResponseWriter) (int, error) {
	// Creates a copy of the user and removes it password
	// hash so it never arrives to the user.
	u := fm.User{}
	u = *c.User
	u.Password = ""

	// Builds the claims.
	claims := claims{
		u,
		jwt.StandardClaims{
			ExpiresAt: time.Now().Add(time.Hour * 24).Unix(),
			Issuer:    "File Manager",
		},
	}

	// Creates the token and signs it.
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	signed, err := token.SignedString(c.Key)

	if err != nil {
		return http.StatusInternalServerError, err
	}

	// Writes the token.
	w.Header().Set("Content-Type", "cty")
	w.Write([]byte(signed))
	return 0, nil
}

type extractor []string

func (e extractor) ExtractToken(r *http.Request) (string, error) {
	token, _ := request.AuthorizationHeaderExtractor.ExtractToken(r)

	// Checks if the token isn't empty and if it contains two dots.
	// The former prevents incompatibility with URLs that previously
	// used basic auth.
	if token != "" && strings.Count(token, ".") == 2 {
		return token, nil
	}

	cookie, err := r.Cookie("auth")
	if err != nil {
		return "", request.ErrNoTokenInRequest
	}

	return cookie.Value, nil
}

// validateAuth is used to validate the authentication and returns the
// User if it is valid.
func validateAuth(c *fm.Context, r *http.Request) (bool, *fm.User) {
	if c.NoAuth {
		c.User = c.DefaultUser
		return true, c.User
	}

	keyFunc := func(token *jwt.Token) (interface{}, error) {
		return c.Key, nil
	}

	var claims claims
	token, err := request.ParseFromRequestWithClaims(r,
		extractor{},
		&claims,
		keyFunc,
	)

	if err != nil || !token.Valid {
		return false, nil
	}

	u, err := c.Store.Users.Get(claims.User.ID, c.NewFS)
	if err != nil {
		return false, nil
	}

	c.User = u
	return true, u
}
updates 2017-08-18 08:00:32 +00:00			`package http`
Major changes on API 2017-07-02 16:40:52 +00:00
			`import (`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`"encoding/json"`
Major changes on API 2017-07-02 16:40:52 +00:00			`"net/http"`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`"net/url"`
Fix authorization for paths that previously used basic auth or any other kind of auth 2017-07-22 12:46:21 +00:00			`"strings"`
Major changes on API 2017-07-02 16:40:52 +00:00			`"time"`

GOFMT 2017-10-30 15:47:59 +00:00			`"github.com/dgrijalva/jwt-go"`
Major changes on API 2017-07-02 16:40:52 +00:00			`"github.com/dgrijalva/jwt-go/request"`
updates 2017-08-18 08:00:32 +00:00			`fm "github.com/hacdias/filemanager"`
Major changes on API 2017-07-02 16:40:52 +00:00			`)`

Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00			`const reCaptchaAPI = "https://www.google.com/recaptcha/api/siteverify"`

implement recaptcha on login 2017-09-11 08:00:59 +00:00			`type cred struct {`
			Password string `json:"password"`
			Username string `json:"username"`
Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00			ReCaptcha string `json:"recaptcha"`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`}`

Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00			`// reCaptcha checks the reCaptcha code.`
			`func reCaptcha(secret string, response string) (bool, error) {`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`body := url.Values{}`
			`body.Set("secret", secret)`
			`body.Add("response", response)`

			`client := &http.Client{}`
Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00
			`resp, err := client.Post(reCaptchaAPI, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`if err != nil {`
			`return false, err`
			`}`

			`if resp.StatusCode != http.StatusOK {`
			`return false, nil`
			`}`

			`var data struct {`
			Success bool `json:"success"`
			ChallengeTS time.Time `json:"challenge_ts"`
			Hostname string `json:"hostname"`
			ErrorCodes interface{} `json:"error-codes"`
			`}`

			`err = json.NewDecoder(resp.Body).Decode(&data)`
			`if err != nil {`
			`return false, err`
			`}`

			`return data.Success, nil`
			`}`

Version 1.3.9 2017-10-31 19:20:36 +00:00			`// authHandler processes the authentication for the user.`
updates 2017-08-18 08:00:32 +00:00			`func authHandler(c fm.Context, w http.ResponseWriter, r http.Request) (int, error) {`
Add option to use FM w/o login 2017-08-02 13:10:05 +00:00			`// NoAuth instances shouldn't call this method.`
			`if c.NoAuth {`
			`return 0, nil`
			`}`

Updates on auth and db 2017-07-03 07:59:49 +00:00			`// Receive the credentials from the request and unmarshal them.`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`var cred cred`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`if r.Body == nil {`
			`return http.StatusForbidden, nil`
			`}`

			`err := json.NewDecoder(r.Body).Decode(&cred)`
			`if err != nil {`
			`return http.StatusForbidden, nil`
			`}`

implement recaptcha on login 2017-09-11 08:00:59 +00:00			`// If ReCaptcha is enabled, check the code.`
			`if len(c.ReCaptchaSecret) > 0 {`
Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00			`ok, err := reCaptcha(c.ReCaptchaSecret, cred.ReCaptcha)`
implement recaptcha on login 2017-09-11 08:00:59 +00:00			`if err != nil {`
			`return http.StatusForbidden, err`
			`}`

			`if !ok {`
			`return http.StatusForbidden, nil`
			`}`
			`}`

Updates on auth and db 2017-07-03 07:59:49 +00:00			`// Checks if the user exists.`
Some bug fixes 2017-08-20 08:55:45 +00:00			`u, err := c.Store.Users.GetByUsername(cred.Username, c.NewFS)`
DB Updates :) 2017-08-19 11:35:44 +00:00			`if err != nil {`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`return http.StatusForbidden, nil`
			`}`

			`// Checks if the password is correct.`
DB Updates :) 2017-08-19 11:35:44 +00:00			`if !fm.CheckPasswordHash(cred.Password, u.Password) {`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`return http.StatusForbidden, nil`
			`}`
Major changes on API 2017-07-02 16:40:52 +00:00
Start integrating Hugo in the new plugin 2017-07-11 15:58:18 +00:00			`c.User = u`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`return printToken(c, w)`
Major changes on API 2017-07-02 16:40:52 +00:00			`}`

Updates on auth and db 2017-07-03 07:59:49 +00:00			`// renewAuthHandler is used when the front-end already has a JWT token`
			`// and is checking if it is up to date. If so, updates its info.`
updates 2017-08-18 08:00:32 +00:00			`func renewAuthHandler(c fm.Context, w http.ResponseWriter, r http.Request) (int, error) {`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`ok, u := validateAuth(c, r)`
			`if !ok {`
			`return http.StatusForbidden, nil`
			`}`

Start integrating Hugo in the new plugin 2017-07-11 15:58:18 +00:00			`c.User = u`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`return printToken(c, w)`
			`}`

			`// claims is the JWT claims.`
			`type claims struct {`
updates 2017-08-18 08:00:32 +00:00			`fm.User`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`jwt.StandardClaims`
			`}`

			`// printToken prints the final JWT token to the user.`
updates 2017-08-18 08:00:32 +00:00			`func printToken(c *fm.Context, w http.ResponseWriter) (int, error) {`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`// Creates a copy of the user and removes it password`
			`// hash so it never arrives to the user.`
updates 2017-08-18 08:00:32 +00:00			`u := fm.User{}`
Start integrating Hugo in the new plugin 2017-07-11 15:58:18 +00:00			`u = *c.User`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`u.Password = ""`

			`// Builds the claims.`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`claims := claims{`
			`u,`
			`jwt.StandardClaims{`
			`ExpiresAt: time.Now().Add(time.Hour * 24).Unix(),`
			`Issuer: "File Manager",`
			`},`
			`}`
Major changes on API 2017-07-02 16:40:52 +00:00
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`// Creates the token and signs it.`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
DB Updates :) 2017-08-19 11:35:44 +00:00			`signed, err := token.SignedString(c.Key)`
Don't send password hash to front-end 2017-07-06 08:31:07 +00:00
Updates on auth and db 2017-07-03 07:59:49 +00:00			`if err != nil {`
			`return http.StatusInternalServerError, err`
Major changes on API 2017-07-02 16:40:52 +00:00			`}`

Don't send password hash to front-end 2017-07-06 08:31:07 +00:00			`// Writes the token.`
Add Content Type to print jwt; #170 2017-07-29 13:19:09 +00:00			`w.Header().Set("Content-Type", "cty")`
Add option to use FM w/o login 2017-08-02 13:10:05 +00:00			`w.Write([]byte(signed))`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`return 0, nil`
			`}`

working better 2017-07-03 14:19:17 +00:00			`type extractor []string`

			`func (e extractor) ExtractToken(r *http.Request) (string, error) {`
			`token, _ := request.AuthorizationHeaderExtractor.ExtractToken(r)`
Fix authorization for paths that previously used basic auth or any other kind of auth 2017-07-22 12:46:21 +00:00
Add some auth tests 2017-07-25 10:57:27 +00:00			`// Checks if the token isn't empty and if it contains two dots.`
Fix authorization for paths that previously used basic auth or any other kind of auth 2017-07-22 12:46:21 +00:00			`// The former prevents incompatibility with URLs that previously`
			`// used basic auth.`
Add some auth tests 2017-07-25 10:57:27 +00:00			`if token != "" && strings.Count(token, ".") == 2 {`
working better 2017-07-03 14:19:17 +00:00			`return token, nil`
			`}`

Trying to fix 403 on many requests #143 2017-07-19 07:28:01 +00:00			`cookie, err := r.Cookie("auth")`
			`if err != nil {`
			`return "", request.ErrNoTokenInRequest`
working better 2017-07-03 14:19:17 +00:00			`}`

Trying to fix 403 on many requests #143 2017-07-19 07:28:01 +00:00			`return cookie.Value, nil`
working better 2017-07-03 14:19:17 +00:00			`}`

Updates on auth and db 2017-07-03 07:59:49 +00:00			`// validateAuth is used to validate the authentication and returns the`
			`// User if it is valid.`
updates 2017-08-18 08:00:32 +00:00			`func validateAuth(c fm.Context, r http.Request) (bool, *fm.User) {`
Add option to use FM w/o login 2017-08-02 13:10:05 +00:00			`if c.NoAuth {`
			`c.User = c.DefaultUser`
			`return true, c.User`
			`}`

Updates on auth and db 2017-07-03 07:59:49 +00:00			`keyFunc := func(token *jwt.Token) (interface{}, error) {`
DB Updates :) 2017-08-19 11:35:44 +00:00			`return c.Key, nil`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`}`
Fix ViewMode related bugs: - The user will no longer lost their 'ViewMode' option after being updated in the settings. - The console will not output errors due tot he scroll function when Mosaic mode is on. 2017-10-31 18:23:31 +00:00
Updates on auth and db 2017-07-03 07:59:49 +00:00			`var claims claims`
			`token, err := request.ParseFromRequestWithClaims(r,`
working better 2017-07-03 14:19:17 +00:00			`extractor{},`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`&claims,`
			`keyFunc,`
			`)`

			`if err != nil \|\| !token.Valid {`
			`return false, nil`
			`}`

FS as an interface, close #205 2017-08-20 08:21:36 +00:00			`u, err := c.Store.Users.Get(claims.User.ID, c.NewFS)`
DB Updates :) 2017-08-19 11:35:44 +00:00			`if err != nil {`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`return false, nil`
			`}`

Start integrating Hugo in the new plugin 2017-07-11 15:58:18 +00:00			`c.User = u`
Updates on auth and db 2017-07-03 07:59:49 +00:00			`return true, u`
			`}`