package auth
import (
"os"
"crypto/sha512"
"crypto/subtle"
"encoding/hex"
"net/http"
"log"
"github.com/labstack/echo/v4"
)
// Names of the environment variables that carry the expected credentials.
// BasicAuth hex-decodes each value and compares it against the SHA-512
// digest of what the client supplied, so each variable must hold a
// hex-encoded SHA-512 digest rather than the plaintext value.
const (
	// envUsernameHash names the variable holding the digest of the accepted username.
	envUsernameHash = "HUGOMARDBRINK_USERNAME"
	// envPasswordHash names the variable holding the digest of the accepted password.
	envPasswordHash = "HUGOMARDBRINK_PASSWORD"
)
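// BasicAuth is an Echo middleware that only calls next when the request
// carries HTTP Basic credentials matching the configured ones.
//
// The expected credentials are read from the environment on every request:
// the variables named by envUsernameHash and envPasswordHash must each hold
// the hex-encoded SHA-512 digest of the accepted value. The supplied username
// and password are hashed with SHA-512 and compared to those digests with
// subtle.ConstantTimeCompare.
//
// A request without Basic credentials, or with credentials that do not match,
// gets a 401 with a WWW-Authenticate challenge. If either environment value is
// not valid hex, the request is rejected with a 500 and the problem is logged;
// the process keeps running.
//
// NOTE(review): the stored values are unsalted SHA-512 digests. SHA-512 is a
// fast hash, so a leaked environment value can be guessed offline far more
// cheaply than one produced by a password-hashing function (bcrypt, scrypt,
// Argon2). Switching would change the format of the environment values, so it
// is only flagged here. There is also no attempt limiting in this middleware.
func BasicAuth(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		// deny issues the Basic challenge and the 401 used for every
		// authentication failure, so missing and wrong credentials look alike.
		deny := func() error {
			c.Response().Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
		}

		username, password, ok := c.Request().BasicAuth()
		if !ok {
			return deny()
		}

		// Hashing first gives both sides of the comparison a fixed length,
		// so the comparison does not depend on the length of what the
		// client sent.
		usernameHash := sha512.Sum512([]byte(username))
		passwordHash := sha512.Sum512([]byte(password))

		expectedUsernameHash, userErr := hex.DecodeString(os.Getenv(envUsernameHash))
		expectedPasswordHash, passErr := hex.DecodeString(os.Getenv(envPasswordHash))
		if userErr != nil || passErr != nil {
			// A malformed value is a deployment error. Exiting the process
			// here (log.Fatal) would let any client that sends credentials
			// take the whole server down, so fail this request instead.
			// The decode error is not logged because it quotes a character
			// of the configured value.
			log.Printf("auth: %s and %s must be hex-encoded SHA-512 digests; rejecting request", envUsernameHash, envPasswordHash)
			return echo.NewHTTPError(http.StatusInternalServerError)
		}

		// An unset or truncated value decodes to fewer than sha512.Size
		// bytes; ConstantTimeCompare returns 0 for slices of different
		// length, so that case fails closed with a 401.
		usernameMatch := subtle.ConstantTimeCompare(usernameHash[:], expectedUsernameHash) == 1
		passwordMatch := subtle.ConstantTimeCompare(passwordHash[:], expectedPasswordHash) == 1

		if !usernameMatch || !passwordMatch {
			return deny()
		}
		return next(c)
	}
}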