81 lines
2.0 KiB
Go
81 lines
2.0 KiB
Go
package ctrlsubsonic
|
|
|
|
import (
|
|
"context"
|
|
"crypto/md5"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
|
|
"senan.xyz/g/gonic/server/ctrlsubsonic/spec"
|
|
"senan.xyz/g/gonic/server/key"
|
|
"senan.xyz/g/gonic/server/parsing"
|
|
)
|
|
|
|
var requiredParameters = []string{
|
|
"u", "v", "c",
|
|
}
|
|
|
|
func checkHasAllParams(params url.Values) error {
|
|
for _, req := range requiredParameters {
|
|
param := params.Get(req)
|
|
if param != "" {
|
|
continue
|
|
}
|
|
return fmt.Errorf("please provide a `%s` parameter", req)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func checkCredsToken(password, token, salt string) bool {
|
|
toHash := fmt.Sprintf("%s%s", password, salt)
|
|
hash := md5.Sum([]byte(toHash))
|
|
expToken := hex.EncodeToString(hash[:])
|
|
return token == expToken
|
|
}
|
|
|
|
func checkCredsBasic(password, given string) bool {
|
|
if len(given) >= 4 && given[:4] == "enc:" {
|
|
bytes, _ := hex.DecodeString(given[4:])
|
|
given = string(bytes)
|
|
}
|
|
return password == given
|
|
}
|
|
|
|
func (c *Controller) WithValidSubsonicArgs(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if err := checkHasAllParams(r.URL.Query()); err != nil {
|
|
writeResp(w, r, spec.NewError(10, err.Error()))
|
|
return
|
|
}
|
|
username := parsing.GetStrParam(r, "u")
|
|
password := parsing.GetStrParam(r, "p")
|
|
token := parsing.GetStrParam(r, "t")
|
|
salt := parsing.GetStrParam(r, "s")
|
|
passwordAuth := token == "" && salt == ""
|
|
tokenAuth := password == ""
|
|
if tokenAuth == passwordAuth {
|
|
writeResp(w, r, spec.NewError(10, "please provide `t` and `s`, or just `p`"))
|
|
return
|
|
}
|
|
user := c.DB.GetUserFromName(username)
|
|
if user == nil {
|
|
writeResp(w, r, spec.NewError(40, "invalid username `%s`", username))
|
|
return
|
|
}
|
|
var credsOk bool
|
|
if tokenAuth {
|
|
credsOk = checkCredsToken(user.Password, token, salt)
|
|
} else {
|
|
credsOk = checkCredsBasic(user.Password, password)
|
|
}
|
|
if !credsOk {
|
|
writeResp(w, r, spec.NewError(40, "invalid password"))
|
|
return
|
|
}
|
|
withUser := context.WithValue(r.Context(), key.User, user)
|
|
next.ServeHTTP(w, r.WithContext(withUser))
|
|
})
|
|
}
|