Actually use the auth middleware for assets routes

2022-05-19 22:44:33 -06:00 · 2022-05-19 22:44:33 -06:00 · 3664286506
commit 3664286506
parent 8da42184eb
6 changed files with 70 additions and 17 deletions
--- a/config.nix
+++ b/config.nix
@ -1,14 +1,19 @@
 {
-    runDir = "/tmp/mediocre-blog/run";
-    dataDir = "/tmp/mediocre-blog/data";
+  runDir = "/tmp/mediocre-blog/run";
+  dataDir = "/tmp/mediocre-blog/data";

-    powSecret = "ssshhh";
-    mlSMTPAddr = "";
-    mlSMTPAuth = "";
-    mlPublicURL = "http://localhost:4000";
-    listenProto = "tcp";
-    listenAddr = ":4000";
+  powSecret = "ssshhh";
+  mlSMTPAddr = "";
+  mlSMTPAuth = "";
+  mlPublicURL = "http://localhost:4000";
+  listenProto = "tcp";
+  listenAddr = ":4000";

-    # If empty then a derived static directory is used
-    staticProxyURL = "http://127.0.0.1:4002";
+  # If empty then a derived static directory is used
+  staticProxyURL = "http://127.0.0.1:4002";
+
+  # password is "bar". This should definitely be changed for prod.
+  apiAuthUsers = {
+    "foo" = "$2a$13$0JdWlUfHc.3XimEMpEu1cuu6RodhUvzD9l7iiAqa4YkM3mcFV5Pxi";
+  };
 }
--- a/srv/default.nix
+++ b/srv/default.nix
@ -32,6 +32,9 @@
      # listening
      export MEDIOCRE_BLOG_LISTEN_PROTO="${config.listenProto}"
      export MEDIOCRE_BLOG_LISTEN_ADDR="${config.listenAddr}"
+
+      # api
+      export MEDIOCRE_BLOG_API_AUTH_USERS='${builtins.toJSON config.apiAuthUsers}'
    '';

    build = buildGoModule {
--- a/srv/src/api/api.go
+++ b/srv/src/api/api.go
@ -54,6 +54,11 @@ type Params struct {
 	// reverse-proxied there.
 	StaticDir   string
 	StaticProxy *url.URL
+
+	// AuthUsers keys are usernames which are allowed to edit server-side data,
+	// and the values are the password hash which accompanies those users. The
+	// password hash must have been produced by NewPasswordHash.
+	AuthUsers map[string]string
 }

 // SetupCfg implement the cfg.Cfger interface.
@ -176,6 +181,8 @@ func (a *api) handler() http.Handler {
 		return h
 	}

+	auther := NewAuther(a.params.AuthUsers)
+
 	mux := http.NewServeMux()

 	mux.Handle("/", staticHandler)
@ -208,9 +215,13 @@ func (a *api) handler() http.Handler {
 		v2Mux.Handle("/posts/", a.renderPostHandler())
 		v2Mux.Handle("/assets/", http.StripPrefix("/assets",
 			apiutil.MethodMux(map[string]http.Handler{
-				"GET":    a.getPostAssetHandler(),
-				"POST":   formMiddleware(a.postPostAssetHandler()),
-				"DELETE": formMiddleware(a.deletePostAssetHandler()),
+				"GET": a.getPostAssetHandler(),
+				"POST": authMiddleware(auther,
+					formMiddleware(a.postPostAssetHandler()),
+				),
+				"DELETE": authMiddleware(auther,
+					formMiddleware(a.deletePostAssetHandler()),
+				),
 			}),
 		))
 		v2Mux.Handle("/", a.renderIndexHandler())
--- a/srv/src/api/auth.go
+++ b/srv/src/api/auth.go
@ -3,13 +3,14 @@ package api
 import (
 	"net/http"

+	"github.com/mediocregopher/blog.mediocregopher.com/srv/api/apiutil"
 	"golang.org/x/crypto/bcrypt"
 )

 // NewPasswordHash returns the hash of the given plaintext password, for use
 // with Auther.
 func NewPasswordHash(plaintext string) string {
-	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 12)
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(plaintext), 13)
 	if err != nil {
 		panic(err)
 	}
@ -48,9 +49,10 @@ func (a *auther) Allowed(username, password string) bool {

 func authMiddleware(auther Auther, h http.Handler) http.Handler {

-	respondUnauthorized := func(rw http.ResponseWriter) {
+	respondUnauthorized := func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Set("WWW-Authenticate", `Basic realm="NOPE"`)
 		rw.WriteHeader(http.StatusUnauthorized)
+		apiutil.GetRequestLogger(r).WarnString(r.Context(), "unauthorized")
 	}

 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
@ -58,12 +60,12 @@ func authMiddleware(auther Auther, h http.Handler) http.Handler {
 		username, password, ok := r.BasicAuth()

 		if !ok {
-			respondUnauthorized(rw)
+			respondUnauthorized(rw, r)
 			return
 		}

 		if !auther.Allowed(username, password) {
-			respondUnauthorized(rw)
+			respondUnauthorized(rw, r)
 			return
 		}

--- a/srv/src/cmd/hash-password/main.go
+++ b/srv/src/cmd/hash-password/main.go
@ -0,0 +1,23 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/mediocregopher/blog.mediocregopher.com/srv/api"
+)
+
+func main() {
+
+	fmt.Fprint(os.Stderr, "Password: ")
+
+	line, err := bufio.NewReader(os.Stdin).ReadString('\n')
+
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println(api.NewPasswordHash(strings.TrimSpace(line)))
+}
--- a/srv/src/cmd/mediocre-blog/main.go
+++ b/srv/src/cmd/mediocre-blog/main.go
@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"encoding/json"
 	"os"
 	"os/signal"
 	"syscall"
@ -55,6 +56,8 @@ func main() {

 	pathPrefix := cfg.String("path-prefix", "", "Prefix which is optionally applied to all URL paths rendered by the blog")

+	apiAuthUsersStr := cfg.String("api-auth-users", "{}", "JSON object with usernames as values and password hashes (produced by the hash-password binary) as values. Denotes users which are able to edit server-side data")
+
 	// initialization
 	err := cfg.Init(ctx)

@ -128,6 +131,11 @@ func main() {
 	postStore := post.NewStore(postSQLDB)
 	postAssetStore := post.NewAssetStore(postSQLDB)

+	var apiAuthUsers map[string]string
+	if err := json.Unmarshal([]byte(*apiAuthUsersStr), &apiAuthUsers); err != nil {
+		logger.Fatal(ctx, "unmarshaling -api-auth-users", err)
+	}
+
 	apiParams.Logger = logger.WithNamespace("api")
 	apiParams.PowManager = powMgr
 	apiParams.PathPrefix = *pathPrefix
@ -136,6 +144,7 @@ func main() {
 	apiParams.MailingList = ml
 	apiParams.GlobalRoom = chatGlobalRoom
 	apiParams.UserIDCalculator = chatUserIDCalc
+	apiParams.AuthUsers = apiAuthUsers

 	logger.Info(ctx, "listening")
 	a, err := api.New(apiParams)