// checkAuth resolves the requesting user from the credentials on the request
// and stores it in h.user.
//
// Credentials are tried in order: HTTP Basic auth, then a session cookie,
// then the guest account. A nil context leaves h.user nil and succeeds.
//
// Returns a 401 base.HTTPError when Basic credentials are rejected, or when
// no credentials were supplied, the guest account is disabled and the handler
// requires regular privileges. Errors from the authenticator are returned
// unchanged.
func (h *handler) checkAuth(context *db.DatabaseContext) error {
	h.user = nil
	if context == nil {
		return nil
	}
	realm := `Basic realm="Couchbase Sync Gateway"`

	// Basic auth takes precedence over any session cookie.
	userName, password := h.getBasicAuth()
	if userName != "" {
		h.user = context.Authenticator().AuthenticateUser(userName, password)
		if h.user != nil {
			return nil
		}
		base.Logf("HTTP auth failed for username=%q", userName)
		h.response.Header().Set("WWW-Authenticate", realm)
		return base.HTTPErrorf(http.StatusUnauthorized, "Invalid login")
	}

	// Session cookie.
	var err error
	if h.user, err = context.Authenticator().AuthenticateCookie(h.rq, h.response); err != nil {
		return err
	}
	if h.user != nil {
		return nil
	}

	// Nothing was presented: fall back to the guest account.
	if h.user, err = context.Authenticator().GetUser(""); err != nil {
		return err
	}
	// NOTE(review): assumes GetUser("") never returns (nil, nil) — confirm;
	// otherwise Disabled() below dereferences a nil user.
	if h.privs == regularPrivs && h.user.Disabled() {
		h.response.Header().Set("WWW-Authenticate", realm)
		return base.HTTPErrorf(http.StatusUnauthorized, "Login required")
	}
	return nil
}
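// checkAuth resolves the requesting user from the credentials on the request
// and stores it in h.user.
//
// Credentials are tried in order: an OIDC bearer ID token (only when the
// database has OIDC configured), HTTP Basic auth, a session cookie, and
// finally the guest account. A nil context leaves h.user nil and succeeds.
//
// When the unsupported OIDC test provider is enabled, a request to the
// ".../_oidc_testing/token" endpoint whose Basic credentials equal the test
// provider's ClientID/ValidationKey is accepted without setting h.user
// (see oidcTestProviderCredentialsOK).
//
// Returns a 401 base.HTTPError when presented credentials are rejected, or
// when no credentials were supplied, the guest account is disabled and the
// handler requires regular privileges. Other authenticator errors are
// returned unchanged. On any error h.user is left nil.
func (h *handler) checkAuth(context *db.DatabaseContext) error {
	h.user = nil
	if context == nil {
		return nil
	}
	var err error
	realm := `Basic realm="Couchbase Sync Gateway"`

	if context.Options.OIDCOptions != nil {
		// Bearer ID token. A token that is present but rejected ends the
		// check here; we never fall through to weaker credentials.
		if token := h.getBearerToken(); token != "" {
			h.user, _, err = context.Authenticator().AuthenticateUntrustedJWT(token, context.OIDCProviders, h.getOIDCCallbackURL)
			if h.user == nil || err != nil {
				// Log the rejection like the Basic-auth path does, so failed
				// bearer logins are visible to operators. The token itself is
				// deliberately not logged.
				base.Logf("HTTP auth failed for bearer token: %v", err)
				// Never leave a partially-resolved user on the handler when
				// returning an error.
				h.user = nil
				return base.HTTPErrorf(http.StatusUnauthorized, "Invalid login")
			}
			return nil
		}

		// Test-only shortcut for the OIDC testing token endpoint.
		if h.oidcTestProviderCredentialsOK(context) {
			return nil
		}
	}

	// Basic auth takes precedence over any session cookie.
	if userName, password := h.getBasicAuth(); userName != "" {
		h.user = context.Authenticator().AuthenticateUser(userName, password)
		if h.user == nil {
			base.Logf("HTTP auth failed for username=%q", userName)
			h.response.Header().Set("WWW-Authenticate", realm)
			return base.HTTPErrorf(http.StatusUnauthorized, "Invalid login")
		}
		return nil
	}

	// Session cookie.
	if h.user, err = context.Authenticator().AuthenticateCookie(h.rq, h.response); err != nil {
		return err
	}
	if h.user != nil {
		return nil
	}

	// Nothing was presented: fall back to the guest account.
	if h.user, err = context.Authenticator().GetUser(""); err != nil {
		return err
	}
	// NOTE(review): assumes GetUser("") never returns (nil, nil) — confirm;
	// otherwise Disabled() below dereferences a nil user.
	if h.privs == regularPrivs && h.user.Disabled() {
		h.response.Header().Set("WWW-Authenticate", realm)
		return base.HTTPErrorf(http.StatusUnauthorized, "Login required")
	}
	return nil
}

// oidcTestProviderCredentialsOK reports whether this request is a call to the
// OIDC testing token endpoint whose Basic credentials match the test
// provider's ClientID and ValidationKey. It is only ever true when the
// unsupported OIDC test provider is enabled for the database.
func (h *handler) oidcTestProviderCredentialsOK(context *db.DatabaseContext) bool {
	unsupported := context.Options.UnsupportedOptions
	if unsupported == nil || !unsupported.OidcTestProvider.Enabled {
		return false
	}
	if !strings.HasSuffix(h.rq.URL.Path, "/_oidc_testing/token") {
		return false
	}
	username, password := h.getBasicAuth()
	if username == "" || password == "" {
		return false
	}
	provider := context.Options.OIDCOptions.Providers.GetProviderForIssuer(issuerUrlForDB(h, context.Name), testProviderAudiences)
	if provider == nil || provider.ClientID == nil || provider.ValidationKey == nil {
		return false
	}
	// NOTE(review): plain string comparison; a constant-time compare would be
	// preferable even for a test-only credential.
	return *provider.ClientID == username && *provider.ValidationKey == password
}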