123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 |
- package middleware
- import (
- "crypto/subtle"
- "net/http"
- "strings"
- "github.com/owncast/owncast/core/data"
- "github.com/owncast/owncast/core/user"
- "github.com/owncast/owncast/utils"
- log "github.com/sirupsen/logrus"
- )
- // ExternalAccessTokenHandlerFunc is a function that is called after validing access.
- type ExternalAccessTokenHandlerFunc func(user.ExternalAPIUser, http.ResponseWriter, *http.Request)
- // UserAccessTokenHandlerFunc is a function that is called after validing user access.
- type UserAccessTokenHandlerFunc func(user.User, http.ResponseWriter, *http.Request)
- // RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
- // the stream key as the password and and a hardcoded "admin" for username.
- func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
- return func(w http.ResponseWriter, r *http.Request) {
- username := "admin"
- password := data.GetAdminPassword()
- realm := "Owncast Authenticated Request"
- // The following line is kind of a work around.
- // If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
- // Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
- // If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
- w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
- w.Header().Set("Access-Control-Allow-Credentials", "true")
- w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
- // For request needing CORS, send a 204.
- if r.Method == "OPTIONS" {
- w.WriteHeader(http.StatusNoContent)
- return
- }
- user, pass, ok := r.BasicAuth()
- // Failed
- if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
- w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
- http.Error(w, "Unauthorized", http.StatusUnauthorized)
- log.Debugln("Failed admin authentication")
- return
- }
- handler(w, r)
- }
- }
- func accessDenied(w http.ResponseWriter) {
- w.WriteHeader(http.StatusUnauthorized) //nolint
- w.Write([]byte("unauthorized")) //nolint
- }
- // RequireExternalAPIAccessToken will validate a 3rd party access token.
- func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // We should accept 3rd party preflight OPTIONS requests.
- if r.Method == "OPTIONS" {
- // All OPTIONS requests should have a wildcard CORS header.
- w.Header().Set("Access-Control-Allow-Origin", "*")
- w.WriteHeader(http.StatusNoContent)
- return
- }
- authHeader := r.Header.Get("Authorization")
- token := ""
- if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
- token = authHeader[len("bearer "):]
- }
- if token == "" {
- log.Warnln("invalid access token")
- accessDenied(w)
- return
- }
- integration, err := user.GetExternalAPIUserForAccessTokenAndScope(token, scope)
- if integration == nil || err != nil {
- accessDenied(w)
- return
- }
- // All auth'ed 3rd party requests should have a wildcard CORS header.
- w.Header().Set("Access-Control-Allow-Origin", "*")
- handler(*integration, w, r)
- if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
- log.Debugln("token not found when updating last_used timestamp")
- }
- })
- }
- // RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled.
- // Not to be used for validating 3rd party access.
- func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- accessToken := r.URL.Query().Get("accessToken")
- if accessToken == "" {
- accessDenied(w)
- return
- }
- ipAddress := utils.GetIPAddressFromRequest(r)
- // Check if this client's IP address is banned.
- if blocked, err := data.IsIPAddressBanned(ipAddress); blocked {
- log.Debugln("Client ip address has been blocked. Rejecting.")
- accessDenied(w)
- return
- } else if err != nil {
- log.Errorln("error determining if IP address is blocked: ", err)
- }
- // A user is required to use the websocket
- user := user.GetUserByToken(accessToken)
- if user == nil || !user.IsEnabled() {
- accessDenied(w)
- return
- }
- handler(*user, w, r)
- })
- }
- // RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled
- // and has "MODERATOR" scope assigned to the user.
- func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- accessToken := r.URL.Query().Get("accessToken")
- if accessToken == "" {
- accessDenied(w)
- return
- }
- // A user is required to use the websocket
- user := user.GetUserByToken(accessToken)
- if user == nil || !user.IsEnabled() || !user.IsModerator() {
- accessDenied(w)
- return
- }
- handler(w, r)
- })
- }
|