//Validate access token
func (s *Server) validateAccessLoginToken(token string) (string, bool) {
btok, err := base64.URLEncoding.DecodeString(token)
if err != nil {
return "", false
}
k := fernet.MustDecodeKeys(s.config.Clients["browser"].Secret)
email := fernet.VerifyAndDecrypt(btok, 60*time.Second, k)
c := s.redisConn()
defer c.Close()
status, err := redis.String(c.Do("GET", email))
if err != nil {
return "", false
}
if status == "loggedin" {
return string(email), true
} else {
return "", false
}
}
// ParseAndDecrypt returns the outlet's API credentials which
// are expected to be signed & encrypted and stuffed into the
// authorization header of the HTTP request.
func ParseAndDecrypt(r *http.Request) (string, string, error) {
header, err := parseAuthHeader(r)
if err != nil {
return "", "", err
}
user, _, err := ParseRaw(header)
if err != nil {
return "", "", err
}
// If we have gotten here, we have a signed, authentication request.
// If we can verify & decrypt, then we will pass the decrypted credenti
// to the caller. Most of the time, the username and password will be
// credentials to Librato metric API. We don't care about the
// validity of those credentials here. If they are wrong
// the metrics will be dropped in the outlet. Keep an eye on HTTP
// authentication errors from the log output of the outlets.
if len(keys) > 0 {
s := fernet.VerifyAndDecrypt([]byte(user), ttl, keys)
if s != nil {
parts := strings.Split(string(s), ":")
return parts[0], parts[1], nil
}
}
return "", "", errors.New("End of Authentication chain reached.")
}
func Parse(r *http.Request) (string, string, error) {
header, err := parseAuthHeader(r)
if err != nil {
return "", "", err
}
user, _, err := ParseRaw(header)
if err != nil {
return "", "", err
}
//If we have gotten here, we have a signed, db-less authentication reque
//If we can verify and decrypt, then we will pass the decrypted credenti
//to the caller. Most of the time, the username and password will be
//credentials to outlet providers. (e.g. Librato creds or Graphite creds
//We care about the validity of those credentials here. If they are wron
//the metrics will be dropped at the outlet. Keep an eye on http
//authentication errors from the log output of the outlets.
if len(keys) > 0 {
if s := fernet.VerifyAndDecrypt([]byte(user), OneHundredYears, keys); s != nil {
parts := strings.Split(string(s), ":")
return parts[0], parts[1], nil
}
}
return "", "", errors.New("End of Authentication chain reached.")
}
func Example() {
k := fernet.MustDecodeKeys("cw_0x689RpI-jtRR7oE8h_eQsKImvJapLeSbXpwF4e4=")
tok, err := fernet.EncryptAndSign([]byte("hello"), k[0])
if err != nil {
panic(err)
}
msg := fernet.VerifyAndDecrypt(tok, 60*time.Second, k)
fmt.Println(string(msg))
// Output:
// hello
}
//Validate access token
func (s *Server) validateSharedToken(token string) bool {
btok, err := base64.URLEncoding.DecodeString(token)
if err != nil {
return false
}
k := fernet.MustDecodeKeys(s.config.Clients["browser"].Secret)
shared_token := fernet.VerifyAndDecrypt(btok, 60*10*time.Second, k)
if string(shared_token) == string(s.config.Clients["browser"].Token) {
return true
} else {
return false
}
}
func ParseAuth(r *http.Request) (string, string, error) {
header, err := parseAuthHeader(r)
if err != nil {
return "", "", err
}
user, _, err := parseAuthValue(header)
if err != nil {
return "", "", err
}
//If we have gotten here, we have a signed, db-less authentication reque
//If we can verify and decrypt, then we will pass the decrypted credenti
//to the caller. Most of the time, the username and password will be
//credentials to outlet providers. (e.g. Librato creds or Graphite creds
//We care about the validity of those credentials here. If they are wron
//the metrics will be dropped at the outlet. Keep an eye on http
//authentication errors from the log output of the outlets.
if len(keys) > 0 {
if s := fernet.VerifyAndDecrypt([]byte(user), OneHundredYears, keys); s != nil {
parts := strings.Split(string(s), ":")
return parts[0], parts[1], nil
}
}
//If the user is not == "l2met" then dbless-auth is requested.
//ATM we assume the first part (user field) contains a base64 encoded
//representation of the outlet credentials.
if len(user) > 0 {
trimmedUser := strings.Replace(user, ":", "", -1)
decodedUser, err := base64.StdEncoding.DecodeString(trimmedUser)
if err != nil {
return trimmedUser, "", err
}
outletCreds := strings.Split(string(decodedUser), ":")
//If the : is absent in parts[0], outletCreds[0] will contain the entire string in parts[0].
u := outletCreds[0]
//It is not required for the outletCreds to contain a pass.
//The empty string that is returned will be handled by the outlet.
var p string
if len(outletCreds) > 1 {
p = outletCreds[1]
}
return u, p, nil
}
return "", "", errors.New("End of Authe chain reached.")
}
func TestFernet(t *testing.T) {
k := fernet.MustDecodeKeys("YI1ZYdopn6usnQ/5gMAHg8+pNh6D0DdaJkytdoLWUj0=")
tok, err := fernet.EncryptAndSign([]byte("mysharedtoken"), k[0])
if err != nil {
t.Fatalf("fernet encryption failed %v\n", err)
}
stok := base64.URLEncoding.EncodeToString(tok)
btok, err := base64.URLEncoding.DecodeString(stok)
//fmt.Println(btok)
if err != nil {
t.Fatalf("fernet key decryption failed %v\n", err)
}
msg := fernet.VerifyAndDecrypt(btok, 60*time.Second, k)
if string(msg) != "mysharedtoken" {
t.Fatalf("verification failed!\n")
}
}