Example #1
0
// postLogin generates a new API key for this user
func postLogin(session data.UserRecord) ([]byte, error) {
	// Create key for this user's session
	key := new(data.APIKey)
	if err := key.Create(session.ID); err != nil {
		return nil, err
	}

	// Store key in database
	if err := key.Save(); err != nil {
		return nil, err
	}

	// Convert key to JSON form
	jsonKey, err := key.ToJSON()
	if err != nil {
		return nil, err
	}

	// Marshal into JSON
	res, err := json.Marshal(jsonKey)
	if err != nil {
		return nil, err
	}

	return res, nil
}
Example #2
0
// Auth handles validation of HMAC-SHA1 authentication
func (a *HMACAuthenticator) Auth(r *http.Request) (error, error) {
	// Check for Authorization header
	auth := r.Header.Get("Authorization")
	if auth == "" {
		// Check for X-Goat-Authorization header override
		auth = r.Header.Get("X-Goat-Authorization")
	}

	// Fetch credentials from HTTP Basic auth
	pubkey, credentials, err := basicCredentials(auth)
	if err != nil {
		return err, nil
	}

	// Split credentials into nonce and API signature
	pair := strings.Split(credentials, "/")
	if len(pair) < 2 {
		return errors.New("no nonce value"), nil
	}

	nonce := pair[0]
	signature := pair[1]

	// Check if nonce previously used, add it if it is not, to prevent replay attacks
	// note: bloom filter may report false positives, but better safe than sorry
	if nonceFilter.TestAndAdd([]byte(nonce)) {
		return errors.New("repeated API request"), nil
	}

	// Load API key by pubkey
	key, err := new(data.APIKey).Load(pubkey, "pubkey")
	if err != nil || key == (data.APIKey{}) {
		return errors.New("no such public key"), err
	}

	// Check if key is expired, delete it if it is
	if key.Expire <= time.Now().Unix() {
		go func(key data.APIKey) {
			if err := key.Delete(); err != nil {
				log.Println(err.Error())
			}
		}(key)

		return errors.New("expired API key"), nil
	}

	// Generate API signature
	expected, err := apiSignature(key.UserID, nonce, r.Method, r.URL.Path, key.Secret)
	if err != nil {
		return nil, errors.New("failed to generate API signature")
	}

	// Verify that HMAC signature is correct
	if !hmac.Equal([]byte(signature), []byte(expected)) {
		return errors.New("invalid API signature"), nil
	}

	// Update API key expiration time
	key.Expire = time.Now().Add(7 * 24 * time.Hour).Unix()
	go func(key data.APIKey) {
		if err := key.Save(); err != nil {
			log.Println(err.Error())
		}
	}(key)

	// Load user by user ID
	user, err := new(data.UserRecord).Load(key.UserID, "id")
	if err != nil || user == (data.UserRecord{}) {
		return errors.New("no such user"), err
	}

	// Store user for session
	a.session = user
	return nil, nil
}
Example #3
0
// TestBasicAuthenticator verifies that BasicAuthenticator.Auth works properly
func TestBasicAuthenticator(t *testing.T) {
	log.Println("TestBasicAuthenticator()")

	// Load config
	config := common.LoadConfig()
	common.Static.Config = config

	// Generate mock user
	user := data.UserRecord{
		Username:     "******",
		Passkey:      "abcdef0123456789",
		TorrentLimit: 10,
	}

	// Save mock user
	if !user.Save() {
		t.Fatalf("Failed to save mock user")
	}

	// Load mock user to fetch ID
	user = user.Load(user.Username, "username")
	if user == (data.UserRecord{}) {
		t.Fatalf("Failed to load mock user")
	}

	// Generate an API key and salt
	pass := "******"
	salt := "test"

	sha := sha1.New()
	sha.Write([]byte(pass + salt))
	hash := fmt.Sprintf("%x", sha.Sum(nil))

	// Generate mock API key
	key := data.APIKey{
		UserID: user.ID,
		Key:    hash,
		Salt:   salt,
	}

	// Save mock API key
	if !key.Save() {
		t.Fatalf("Failed to save mock data.APIKey")
	}

	// Load mock data.APIKey to fetch ID
	key = key.Load(key.Key, "key")
	if key == (data.APIKey{}) {
		t.Fatalf("Failed to load mock data.APIKey")
	}

	// Generate mock HTTP request
	r := http.Request{}
	headers := map[string][]string{
		"Authorization": {"Basic " + base64.URLEncoding.EncodeToString([]byte(user.Username+":"+pass))},
	}
	r.Header = headers

	// Perform authentication request
	auth := new(BasicAuthenticator).Auth(&r)
	if !auth {
		t.Fatalf("Failed to authenticate using BasicAuthenticator")
	}

	// Delete mock user
	if !user.Delete() {
		t.Fatalf("Failed to delete mock user")
	}

	// Delete mock API key
	if !key.Delete() {
		t.Fatalf("Failed to delete mock data.APIKey")
	}
}