gin/auth.go

// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
// Use of this source code is governed by a MIT style
// license that can be found in the LICENSE file.

package gin

import (
	"crypto/subtle"
	"encoding/base64"
	"net/http"
	"strconv"

	"github.com/gin-gonic/gin/internal/bytesconv"
)

// AuthUserKey is the cookie name for user credential in basic auth.
const AuthUserKey = "user"

// AuthProxyUserKey is the cookie name for proxy_user credential in basic auth for proxy.
const AuthProxyUserKey = "proxy_user"

// Accounts defines a key/value for user/pass list of authorized logins.
type Accounts map[string]string

type authPair struct {
	value string
	user  string
}

type authPairs []authPair

func (a authPairs) searchCredential(authValue string) (string, bool) {
	if authValue == "" {
		return "", false
	}
	for _, pair := range a {
		if subtle.ConstantTimeCompare(bytesconv.StringToBytes(pair.value), bytesconv.StringToBytes(authValue)) == 1 {
			return pair.user, true
		}
	}
	return "", false
}

// BasicAuthForRealm returns a Basic HTTP Authorization middleware. It takes as arguments a map[string]string where
// the key is the user name and the value is the password, as well as the name of the Realm.
// If the realm is empty, "Authorization Required" will be used by default.
// (see http://tools.ietf.org/html/rfc2617#section-1.2)
func BasicAuthForRealm(accounts Accounts, realm string) HandlerFunc {
	if realm == "" {
		realm = "Authorization Required"
	}
	realm = "Basic realm=" + strconv.Quote(realm)
	pairs := processAccounts(accounts)
	return func(c *Context) {
		// Search user in the slice of allowed credentials
		user, found := pairs.searchCredential(c.requestHeader("Authorization"))
		if !found {
			// Credentials doesn't match, we return 401 and abort handlers chain.
			c.Header("WWW-Authenticate", realm)
			c.AbortWithStatus(http.StatusUnauthorized)
			return
		}

		// The user credentials was found, set user's id to key AuthUserKey in this context, the user's id can be read later using
		// c.MustGet(gin.AuthUserKey).
		c.Set(AuthUserKey, user)
	}
}

// BasicAuth returns a Basic HTTP Authorization middleware. It takes as argument a map[string]string where
// the key is the user name and the value is the password.
func BasicAuth(accounts Accounts) HandlerFunc {
	return BasicAuthForRealm(accounts, "")
}

func processAccounts(accounts Accounts) authPairs {
	length := len(accounts)
	assert1(length > 0, "Empty list of authorized credentials")
	pairs := make(authPairs, 0, length)
	for user, password := range accounts {
		assert1(user != "", "User can not be empty")
		value := authorizationHeader(user, password)
		pairs = append(pairs, authPair{
			value: value,
			user:  user,
		})
	}
	return pairs
}

func authorizationHeader(user, password string) string {
	base := user + ":" + password
	return "Basic " + base64.StdEncoding.EncodeToString(bytesconv.StringToBytes(base))
}

// BasicAuthForProxy returns a Basic HTTP Proxy-Authorization middleware.
// If the realm is empty, "Proxy Authorization Required" will be used by default.
func BasicAuthForProxy(accounts Accounts, realm string) HandlerFunc {
	if realm == "" {
		realm = "Proxy Authorization Required"
	}
	realm = "Basic realm=" + strconv.Quote(realm)
	pairs := processAccounts(accounts)
	return func(c *Context) {
		proxyUser, found := pairs.searchCredential(c.requestHeader("Proxy-Authorization"))
		if !found {
			// Credentials doesn't match, we return 407 and abort handlers chain.
			c.Header("Proxy-Authenticate", realm)
			c.AbortWithStatus(http.StatusProxyAuthRequired)
			return
		}
		// The proxy_user credentials was found, set proxy_user's id to key AuthProxyUserKey in this context, the proxy_user's id can be read later using
		// c.MustGet(gin.AuthProxyUserKey).
		c.Set(AuthProxyUserKey, proxyUser)
	}
}
chore: update go.mod and remove space from copyright (#3158) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-28 02:42:28 +00:00			`// Copyright 2014 Manu Martinez-Almeida. All rights reserved.`
Adds in-code license 2014-08-29 17:49:50 +00:00			`// Use of this source code is governed by a MIT style`
			`// license that can be found in the LICENSE file.`

Initial commit 2014-06-17 23:42:34 +00:00			`package gin`

			`import (`
basic auth: fix timing oracle (#2609) Co-authored-by: thinkerou <thinkerou@gmail.com> 2021-01-13 01:40:37 +00:00			`"crypto/subtle"`
Initial commit 2014-06-17 23:42:34 +00:00			`"encoding/base64"`
remove hardcode instead of http status value (#1411) 2018-06-26 09:21:32 +00:00			`"net/http"`
Fixes important bug in Basic Auth when using custom realm. 2015-05-19 18:15:28 +00:00			`"strconv"`
Use zero-copy approach to convert types between string and byte… (#2206) * Use zero-copy approach to convert types between string and byte slice * Rename argument to a eligible one Benchmark: BenchmarkBytesConvBytesToStrRaw-4 21003800 70.9 ns/op 96 B/op 1 allocs/op BenchmarkBytesConvBytesToStr-4 1000000000 0.333 ns/op 0 B/op 0 allocs/op BenchmarkBytesConvStrToBytesRaw-4 18478059 59.3 ns/op 96 B/op 1 allocs/op BenchmarkBytesConvStrToBytes-4 1000000000 0.373 ns/op 0 B/op 0 allocs/op Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com> 2020-01-17 16:32:50 +00:00
			`"github.com/gin-gonic/gin/internal/bytesconv"`
Initial commit 2014-06-17 23:42:34 +00:00			`)`

update comment (#1057) 2017-08-16 03:55:50 +00:00			`// AuthUserKey is the cookie name for user credential in basic auth.`
Comments + IRoutes + IRouter + unexported AbortIndex 2015-07-02 18:24:54 +00:00			`const AuthUserKey = "user"`
docs: Add document to constant `AuthProxyUserKey` and `BasicAuthForProxy`. (#3887) 2024-03-13 15:22:05 +00:00
			`// AuthProxyUserKey is the cookie name for proxy_user credential in basic auth for proxy.`
feat(auth): add proxy-server authentication (#3877) 2024-03-11 14:22:58 +00:00			`const AuthProxyUserKey = "proxy_user"`
Fixes Basic HTTP Authorization middleware 2014-07-01 20:58:29 +00:00
update comment (#1057) 2017-08-16 03:55:50 +00:00			`// Accounts defines a key/value for user/pass list of authorized logins.`
separate type define (#975) 2017-07-05 07:47:36 +00:00			`type Accounts map[string]string`

			`type authPair struct {`
use lower if the struct is private (#1185) 2017-12-17 05:02:33 +00:00			`value string`
			`user string`
separate type define (#975) 2017-07-05 07:47:36 +00:00			`}`

			`type authPairs []authPair`
Initial commit 2014-06-17 23:42:34 +00:00
Dropping bsearch in BasicAuth() 2015-05-19 18:35:38 +00:00			`func (a authPairs) searchCredential(authValue string) (string, bool) {`
Empty string check (#1101) 2017-09-28 16:22:35 +00:00			`if authValue == "" {`
Better unit tests for BasicAuth middleware 2015-04-08 13:17:41 +00:00			`return "", false`
			`}`
Dropping bsearch in BasicAuth() 2015-05-19 18:35:38 +00:00			`for _, pair := range a {`
use StringToBytes func (#2798) 2022-04-23 10:01:41 +00:00			`if subtle.ConstantTimeCompare(bytesconv.StringToBytes(pair.value), bytesconv.StringToBytes(authValue)) == 1 {`
use lower if the struct is private (#1185) 2017-12-17 05:02:33 +00:00			`return pair.user, true`
Dropping bsearch in BasicAuth() 2015-05-19 18:35:38 +00:00			`}`
Better unit tests for BasicAuth middleware 2015-04-08 13:17:41 +00:00			`}`
Dropping bsearch in BasicAuth() 2015-05-19 18:35:38 +00:00			`return "", false`
Better unit tests for BasicAuth middleware 2015-04-08 13:17:41 +00:00			`}`

Comments + IRoutes + IRouter + unexported AbortIndex 2015-07-02 18:24:54 +00:00			`// BasicAuthForRealm returns a Basic HTTP Authorization middleware. It takes as arguments a map[string]string where`
			`// the key is the user name and the value is the password, as well as the name of the Realm.`
			`// If the realm is empty, "Authorization Required" will be used by default.`
Add customizable Realm for Basic authentication Depending on the use case, it might be useful to be able to have different realms for different route groups. 2015-03-04 22:15:03 +00:00			`// (see http://tools.ietf.org/html/rfc2617#section-1.2)`
			`func BasicAuthForRealm(accounts Accounts, realm string) HandlerFunc {`
Performance improvement in Auth middleware 2015-04-07 18:00:10 +00:00			`if realm == "" {`
			`realm = "Authorization Required"`
			`}`
Fixes important bug in Basic Auth when using custom realm. 2015-05-19 18:15:28 +00:00			`realm = "Basic realm=" + strconv.Quote(realm)`
Refactores BasicAuth 2015-03-23 03:38:32 +00:00			`pairs := processAccounts(accounts)`
General refactoring. Part 2. 2014-10-08 23:40:42 +00:00			`return func(c *Context) {`
			`// Search user in the slice of allowed credentials`
refactor: using requestHeader internal func (#1083) * refactor: using requestHeader internal func. * update Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com> 2017-08-26 10:02:47 +00:00			`user, found := pairs.searchCredential(c.requestHeader("Authorization"))`
Cosmetic changes in auth.go 2015-05-19 18:20:52 +00:00			`if !found {`
			`// Credentials doesn't match, we return 401 and abort handlers chain.`
Fixes important bug in Basic Auth when using custom realm. 2015-05-19 18:15:28 +00:00			`c.Header("WWW-Authenticate", realm)`
remove hardcode instead of http status value (#1411) 2018-06-26 09:21:32 +00:00			`c.AbortWithStatus(http.StatusUnauthorized)`
use return not use else (#1028) 2017-07-18 00:54:38 +00:00			`return`
General refactoring. Part 2. 2014-10-08 23:40:42 +00:00			`}`
use return not use else (#1028) 2017-07-18 00:54:38 +00:00
			`// The user credentials was found, set user's id to key AuthUserKey in this context, the user's id can be read later using`
update comment (#1057) 2017-08-16 03:55:50 +00:00			`// c.MustGet(gin.AuthUserKey).`
use return not use else (#1028) 2017-07-18 00:54:38 +00:00			`c.Set(AuthUserKey, user)`
General refactoring. Part 2. 2014-10-08 23:40:42 +00:00			`}`
			`}`
Initial commit 2014-06-17 23:42:34 +00:00
Comments + IRoutes + IRouter + unexported AbortIndex 2015-07-02 18:24:54 +00:00			`// BasicAuth returns a Basic HTTP Authorization middleware. It takes as argument a map[string]string where`
Add customizable Realm for Basic authentication Depending on the use case, it might be useful to be able to have different realms for different route groups. 2015-03-04 22:15:03 +00:00			`// the key is the user name and the value is the password.`
			`func BasicAuth(accounts Accounts) HandlerFunc {`
			`return BasicAuthForRealm(accounts, "")`
			`}`

Refactores BasicAuth 2015-03-23 03:38:32 +00:00			`func processAccounts(accounts Accounts) authPairs {`
chore: update the result of CR (#2354) * chore: update the result of CR * Update utils.go * Update utils.go * Update context.go * Update context.go 2020-05-04 03:40:41 +00:00			`length := len(accounts)`
			`assert1(length > 0, "Empty list of authorized credentials")`
			`pairs := make(authPairs, 0, length)`
Nicer BasicAuth API 2014-07-04 02:28:25 +00:00			`for user, password := range accounts {`
Empty string check (#1101) 2017-09-28 16:22:35 +00:00			`assert1(user != "", "User can not be empty")`
Adds unit tests for Utils 2015-04-08 13:32:50 +00:00			`value := authorizationHeader(user, password)`
General refactoring. Part 2. 2014-10-08 23:40:42 +00:00			`pairs = append(pairs, authPair{`
use lower if the struct is private (#1185) 2017-12-17 05:02:33 +00:00			`value: value,`
			`user: user,`
General refactoring. Part 2. 2014-10-08 23:40:42 +00:00			`})`
Initial commit 2014-06-17 23:42:34 +00:00			`}`
Refactores BasicAuth 2015-03-23 03:38:32 +00:00			`return pairs`
Initial commit 2014-06-17 23:42:34 +00:00			`}`

Better unit tests for BasicAuth middleware 2015-04-08 13:17:41 +00:00			`func authorizationHeader(user, password string) string {`
			`base := user + ":" + password`
Use zero-copy approach to convert types between string and byte… (#2206) * Use zero-copy approach to convert types between string and byte slice * Rename argument to a eligible one Benchmark: BenchmarkBytesConvBytesToStrRaw-4 21003800 70.9 ns/op 96 B/op 1 allocs/op BenchmarkBytesConvBytesToStr-4 1000000000 0.333 ns/op 0 B/op 0 allocs/op BenchmarkBytesConvStrToBytesRaw-4 18478059 59.3 ns/op 96 B/op 1 allocs/op BenchmarkBytesConvStrToBytes-4 1000000000 0.373 ns/op 0 B/op 0 allocs/op Co-authored-by: Bo-Yi Wu <appleboy.tw@gmail.com> 2020-01-17 16:32:50 +00:00			`return "Basic " + base64.StdEncoding.EncodeToString(bytesconv.StringToBytes(base))`
Initial commit 2014-06-17 23:42:34 +00:00			`}`
feat(auth): add proxy-server authentication (#3877) 2024-03-11 14:22:58 +00:00
docs(middleware): comments to function `BasicAuthForProxy` (#3881) 2024-03-12 05:51:04 +00:00			`// BasicAuthForProxy returns a Basic HTTP Proxy-Authorization middleware.`
docs: Add document to constant `AuthProxyUserKey` and `BasicAuthForProxy`. (#3887) 2024-03-13 15:22:05 +00:00			`// If the realm is empty, "Proxy Authorization Required" will be used by default.`
feat(auth): add proxy-server authentication (#3877) 2024-03-11 14:22:58 +00:00			`func BasicAuthForProxy(accounts Accounts, realm string) HandlerFunc {`
			`if realm == "" {`
			`realm = "Proxy Authorization Required"`
			`}`
			`realm = "Basic realm=" + strconv.Quote(realm)`
			`pairs := processAccounts(accounts)`
			`return func(c *Context) {`
			`proxyUser, found := pairs.searchCredential(c.requestHeader("Proxy-Authorization"))`
			`if !found {`
			`// Credentials doesn't match, we return 407 and abort handlers chain.`
			`c.Header("Proxy-Authenticate", realm)`
			`c.AbortWithStatus(http.StatusProxyAuthRequired)`
			`return`
			`}`
			`// The proxy_user credentials was found, set proxy_user's id to key AuthProxyUserKey in this context, the proxy_user's id can be read later using`
			`// c.MustGet(gin.AuthProxyUserKey).`
			`c.Set(AuthProxyUserKey, proxyUser)`
			`}`
			`}`