eg
This commit is contained in:
sentriz
98
server/handler/middleware_sub.go
Normal file
98
server/handler/middleware_sub.go
Normal file
@@ -0,0 +1,98 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/md5"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
)
|
||||
|
||||
var (
|
||||
requiredParameters = []string{
|
||||
"u", "v", "c",
|
||||
}
|
||||
)
|
||||
|
||||
func checkHasAllParams(params url.Values) error {
|
||||
for _, req := range requiredParameters {
|
||||
param := params.Get(req)
|
||||
if param != "" {
|
||||
continue
|
||||
}
|
||||
return fmt.Errorf("please provide a `%s` parameter", req)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func checkCredentialsToken(password, token, salt string) bool {
|
||||
toHash := fmt.Sprintf("%s%s", password, salt)
|
||||
hash := md5.Sum([]byte(toHash))
|
||||
expToken := hex.EncodeToString(hash[:])
|
||||
return token == expToken
|
||||
}
|
||||
|
||||
func checkCredentialsBasic(password, givenPassword string) bool {
|
||||
if givenPassword[:4] == "enc:" {
|
||||
bytes, _ := hex.DecodeString(givenPassword[4:])
|
||||
givenPassword = string(bytes)
|
||||
}
|
||||
return password == givenPassword
|
||||
}
|
||||
|
||||
func (c *Controller) WithValidSubsonicArgs(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
err := checkHasAllParams(r.URL.Query())
|
||||
if err != nil {
|
||||
respondError(w, r, 10, err.Error())
|
||||
return
|
||||
}
|
||||
username, password := r.URL.Query().Get("u"),
|
||||
r.URL.Query().Get("p")
|
||||
token, salt := r.URL.Query().Get("t"),
|
||||
r.URL.Query().Get("s")
|
||||
passwordAuth, tokenAuth := token == "" && salt == "",
|
||||
password == ""
|
||||
if tokenAuth == passwordAuth {
|
||||
respondError(w, r,
|
||||
10, "please provide parameters `t` and `s`, or just `p`",
|
||||
)
|
||||
return
|
||||
}
|
||||
user := c.GetUserFromName(username)
|
||||
if user.ID == 0 {
|
||||
// the user does not exist
|
||||
respondError(w, r, 40, "invalid username")
|
||||
return
|
||||
}
|
||||
var credsOk bool
|
||||
if tokenAuth {
|
||||
credsOk = checkCredentialsToken(user.Password, token, salt)
|
||||
} else {
|
||||
credsOk = checkCredentialsBasic(user.Password, password)
|
||||
}
|
||||
if !credsOk {
|
||||
respondError(w, r, 40, "invalid password")
|
||||
return
|
||||
}
|
||||
withUser := context.WithValue(r.Context(), contextUserKey, user)
|
||||
next.ServeHTTP(w, r.WithContext(withUser))
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Controller) WithCORS(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Access-Control-Allow-Origin", "*")
|
||||
w.Header().Set("Access-Control-Allow-Methods",
|
||||
"POST, GET, OPTIONS, PUT, DELETE",
|
||||
)
|
||||
w.Header().Set("Access-Control-Allow-Headers",
|
||||
"Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization",
|
||||
)
|
||||
if r.Method == "OPTIONS" {
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user