Exemple #1
0
// UserMiddleware is middleware which checks for session tokens on the Request
// and looks up and attaches a user for that token if one is found.
func UserMiddleware(um auth.UserManager) func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	return func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
		token := ""
		var err error
		// Grab token auth from cookies
		for _, cookie := range r.Cookies() {
			if cookie.Name == evergreen.AuthTokenCookie {
				if token, err = url.QueryUnescape(cookie.Value); err == nil {
					break
				}
			}
		}

		// Grab API auth details from header
		var authDataAPIKey, authDataName string
		if len(r.Header["Api-Key"]) > 0 {
			authDataAPIKey = r.Header["Api-Key"][0]
		}
		if len(r.Header["Auth-Username"]) > 0 {
			authDataName = r.Header["Auth-Username"][0]
		}
		if len(authDataName) == 0 && len(r.Header["Api-User"]) > 0 {
			authDataName = r.Header["Api-User"][0]
		}

		if len(token) > 0 {
			dbUser, err := um.GetUserByToken(token)
			if err != nil {
				evergreen.Logger.Logf(slogger.INFO, "Error getting user %v: %v", authDataName, err)
			} else {
				// Get the user's full details from the DB or create them if they don't exists
				dbUser, err := model.GetOrCreateUser(dbUser.Username(), dbUser.DisplayName(), dbUser.Email())
				if err != nil {
					evergreen.Logger.Logf(slogger.INFO, "Error looking up user %v: %v", dbUser.Username(), err)
				} else {
					context.Set(r, RequestUser, dbUser)
				}
			}
		} else if len(authDataAPIKey) > 0 {
			dbUser, err := user.FindOne(user.ById(authDataName))
			if dbUser != nil && err == nil {
				if dbUser.APIKey != authDataAPIKey {
					http.Error(rw, "Unauthorized - invalid API key", http.StatusUnauthorized)
					return
				}
				context.Set(r, RequestUser, dbUser)
			} else {
				evergreen.Logger.Logf(slogger.ERROR, "Error getting user: %v", err)
			}
		}
		next(rw, r)
	}
}
Exemple #2
0
// UserMiddleware checks for session tokens on the request, then looks up and attaches a user
// for that token if one is found.
func UserMiddleware(um auth.UserManager) func(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	return func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
		err := r.ParseForm()
		if err != nil {
			http.Error(w, "can't parse form?", http.StatusBadRequest)
			return
		}
		// Note: at this point the "token" is actually a json object in string form,
		// containing both the username and token.
		token := r.FormValue("id_token")
		if len(token) == 0 {
			next(w, r)
			return
		}
		authData := struct {
			Name   string `json:"auth_user"`
			Token  string `json:"auth_token"`
			APIKey string `json:"api_key"`
		}{}
		if err := util.ReadJSONInto(ioutil.NopCloser(strings.NewReader(token)), &authData); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}

		if len(authData.Token) > 0 { // legacy auth - token lookup
			authedUser, err := um.GetUserByToken(authData.Token)
			if err != nil {
				evergreen.Logger.Logf(slogger.ERROR, "Error getting user: %v", err)
			} else {
				// Get the user's full details from the DB or create them if they don't exists
				dbUser, err := model.GetOrCreateUser(authedUser.Username(),
					authedUser.DisplayName(), authedUser.Email())
				if err != nil {
					evergreen.Logger.Logf(slogger.ERROR, "Error looking up user %v: %v", authedUser.Username(), err)
				} else {
					context.Set(r, apiUserKey, dbUser)
				}
			}
		} else if len(authData.APIKey) > 0 {
			dbUser, err := user.FindOne(user.ById(authData.Name))
			if dbUser != nil && err == nil {
				if dbUser.APIKey != authData.APIKey {
					http.Error(w, "Unauthorized - invalid API key", http.StatusUnauthorized)
					return
				}
				context.Set(r, apiUserKey, dbUser)
			} else {
				evergreen.Logger.Logf(slogger.ERROR, "Error getting user: %v", err)
			}
		}
		next(w, r)
	}
}