whiskr/auth.go

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strings"

	"golang.org/x/crypto/bcrypt"
)

type AuthenticationRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

func (u *EnvUser) Signature(secret string) []byte {
	mac := hmac.New(sha256.New, []byte(secret))

	mac.Write([]byte(u.Password))
	mac.Write([]byte(u.Username))

	return mac.Sum(nil)
}

func (e *Environment) Authenticate(username, password string) *EnvUser {
	user, ok := e.Authentication.lookup[username]
	if !ok {
		return nil
	}

	if bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) != nil {
		return nil
	}

	return user
}

func (e *Environment) SignAuthToken(user *EnvUser) string {
	signature := user.Signature(e.Tokens.Secret)

	return user.Username + ":" + hex.EncodeToString(signature)
}

func (e *Environment) VerifyAuthToken(token string) bool {
	index := strings.Index(token, ":")
	if index == -1 {
		return false
	}

	username := token[:index]

	user, ok := e.Authentication.lookup[username]
	if !ok {
		return false
	}

	signature, err := hex.DecodeString(token[index+1:])
	if err != nil {
		return false
	}

	expected := user.Signature(e.Tokens.Secret)

	return hmac.Equal(signature, expected)
}

func IsAuthenticated(r *http.Request) bool {
	if !env.Authentication.Enabled {
		return true
	}

	cookie, err := r.Cookie("whiskr_token")
	if err != nil {
		return false
	}

	return env.VerifyAuthToken(cookie.Value)
}

func Authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsAuthenticated(r) {
			RespondJson(w, http.StatusUnauthorized, map[string]any{
				"error": "unauthorized",
			})

			return
		}

		next.ServeHTTP(w, r)
	})
}

func HandleAuthentication(w http.ResponseWriter, r *http.Request) {
	var request AuthenticationRequest

	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
		RespondJson(w, http.StatusBadRequest, map[string]any{
			"error": "missing username or password",
		})

		return
	}

	user := env.Authenticate(request.Username, request.Password)
	if user == nil {
		RespondJson(w, http.StatusUnauthorized, map[string]any{
			"error": "invalid username or password",
		})

		return
	}

	http.SetCookie(w, &http.Cookie{
		Name:  "whiskr_token",
		Value: env.SignAuthToken(user),
	})

	RespondJson(w, http.StatusOK, map[string]any{
		"authenticated": true,
	})
}
authentication 2025-08-16 17:18:48 +02:00			`package main`

			`import (`
			`"crypto/hmac"`
			`"crypto/sha256"`
			`"encoding/hex"`
			`"encoding/json"`
			`"net/http"`
			`"strings"`

			`"golang.org/x/crypto/bcrypt"`
			`)`

			`type AuthenticationRequest struct {`
			Username string `json:"username"`
			Password string `json:"password"`
			`}`

			`func (u *EnvUser) Signature(secret string) []byte {`
			`mac := hmac.New(sha256.New, []byte(secret))`

			`mac.Write([]byte(u.Password))`
			`mac.Write([]byte(u.Username))`

			`return mac.Sum(nil)`
			`}`

			`func (e Environment) Authenticate(username, password string) EnvUser {`
			`user, ok := e.Authentication.lookup[username]`
			`if !ok {`
			`return nil`
			`}`

			`if bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) != nil {`
			`return nil`
			`}`

			`return user`
			`}`

			`func (e Environment) SignAuthToken(user EnvUser) string {`
			`signature := user.Signature(e.Tokens.Secret)`

			`return user.Username + ":" + hex.EncodeToString(signature)`
			`}`

			`func (e *Environment) VerifyAuthToken(token string) bool {`
			`index := strings.Index(token, ":")`
			`if index == -1 {`
			`return false`
			`}`

			`username := token[:index]`

			`user, ok := e.Authentication.lookup[username]`
			`if !ok {`
			`return false`
			`}`

			`signature, err := hex.DecodeString(token[index+1:])`
			`if err != nil {`
			`return false`
			`}`

			`expected := user.Signature(e.Tokens.Secret)`

			`return hmac.Equal(signature, expected)`
			`}`

			`func IsAuthenticated(r *http.Request) bool {`
			`if !env.Authentication.Enabled {`
			`return true`
			`}`

			`cookie, err := r.Cookie("whiskr_token")`
			`if err != nil {`
			`return false`
			`}`

			`return env.VerifyAuthToken(cookie.Value)`
			`}`

			`func Authenticate(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if !IsAuthenticated(r) {`
			`RespondJson(w, http.StatusUnauthorized, map[string]any{`
			`"error": "unauthorized",`
			`})`

			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`

			`func HandleAuthentication(w http.ResponseWriter, r *http.Request) {`
			`var request AuthenticationRequest`

			`if err := json.NewDecoder(r.Body).Decode(&request); err != nil {`
			`RespondJson(w, http.StatusBadRequest, map[string]any{`
			`"error": "missing username or password",`
			`})`

			`return`
			`}`

			`user := env.Authenticate(request.Username, request.Password)`
			`if user == nil {`
			`RespondJson(w, http.StatusUnauthorized, map[string]any{`
			`"error": "invalid username or password",`
			`})`

			`return`
			`}`

			`http.SetCookie(w, &http.Cookie{`
			`Name: "whiskr_token",`
			`Value: env.SignAuthToken(user),`
			`})`

			`RespondJson(w, http.StatusOK, map[string]any{`
			`"authenticated": true,`
			`})`
			`}`