func checkAuthHeader(state interfaces.IState, r *http.Request) error { if "" == state.GetRpcUser() { //no username was specified in the config file or command line, meaning factomd API is open access return nil } authhdr := r.Header["Authorization"] if len(authhdr) == 0 { return errors.New("no auth") } correctAuth := state.GetRpcAuthHash() h := sha256.New() h.Write([]byte(authhdr[0])) presentedPassHash := h.Sum(nil) cmp := subtle.ConstantTimeCompare(presentedPassHash, correctAuth) //compare hashes because ConstantTimeCompare takes a constant time based on the slice size. hashing gives a constant slice size. if cmp != 1 { return errors.New("bad auth") } return nil }
func Start(state interfaces.IState) { var server *web.Server ServersMutex.Lock() defer ServersMutex.Unlock() if Servers == nil { Servers = make(map[int]*web.Server) } rpcUser := state.GetRpcUser() rpcPass := state.GetRpcPass() h := sha256.New() h.Write(httpBasicAuth(rpcUser, rpcPass)) state.SetRpcAuthHash(h.Sum(nil)) //set this in the beginning to prevent timing attacks if Servers[state.GetPort()] == nil { server = web.NewServer() Servers[state.GetPort()] = server server.Env["state"] = state server.Post("/v1/factoid-submit/?", HandleFactoidSubmit) server.Post("/v1/commit-chain/?", HandleCommitChain) server.Post("/v1/reveal-chain/?", HandleRevealChain) server.Post("/v1/commit-entry/?", HandleCommitEntry) server.Post("/v1/reveal-entry/?", HandleRevealEntry) server.Get("/v1/directory-block-head/?", HandleDirectoryBlockHead) server.Get("/v1/get-raw-data/([^/]+)", HandleGetRaw) server.Get("/v1/get-receipt/([^/]+)", HandleGetReceipt) server.Get("/v1/directory-block-by-keymr/([^/]+)", HandleDirectoryBlock) server.Get("/v1/directory-block-height/?", HandleDirectoryBlockHeight) server.Get("/v1/entry-block-by-keymr/([^/]+)", HandleEntryBlock) server.Get("/v1/entry-by-hash/([^/]+)", HandleEntry) server.Get("/v1/chain-head/([^/]+)", HandleChainHead) server.Get("/v1/entry-credit-balance/([^/]+)", HandleEntryCreditBalance) server.Get("/v1/factoid-balance/([^/]+)", HandleFactoidBalance) server.Get("/v1/factoid-get-fee/", HandleGetFee) server.Get("/v1/properties/", HandleProperties) server.Get("/v1/heights/", HandleHeights) server.Post("/v2", HandleV2) server.Get("/v2", HandleV2) tlsIsEnabled, tlsPrivate, tlsPublic := state.GetTlsInfo() if tlsIsEnabled { log.Print("Starting encrypted API server") if !fileExists(tlsPrivate) && !fileExists(tlsPublic) { err := genCertPair(tlsPublic, tlsPrivate, state.GetFactomdLocations()) if err != nil { panic(fmt.Sprintf("could not start encrypted API server with error: %v", err)) } } keypair, err := tls.LoadX509KeyPair(tlsPublic, tlsPrivate) if err != nil { panic(fmt.Sprintf("could not create TLS keypair with error: %v", err)) } tlsConfig := &tls.Config{ Certificates: []tls.Certificate{keypair}, MinVersion: tls.VersionTLS12, } go server.RunTLS(fmt.Sprintf(":%d", state.GetPort()), tlsConfig) } else { log.Print("Starting API server") go server.Run(fmt.Sprintf(":%d", state.GetPort())) } } }