pimhwang
/
owncast
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Take control over your live stream video by running it yourself. Streaming + chat out of the box.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1267 Commits
34 Branches
16 Tags
724 MiB
 
 
 
 
 
 
Tree: 7361578412
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7361578412'
${ noResults }
owncast/router/middleware/auth.go

77 lines
2.6 KiB
Raw Blame History

package middleware
import (
"crypto/subtle"
"net/http"
"strings"
"github.com/owncast/owncast/core/data"
log "github.com/sirupsen/logrus"
)
// RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
// the stream key as the password and and a hardcoded "admin" for username.
func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
username := "admin"
password := data.GetStreamKey()
realm := "Owncast Authenticated Request"
// The following line is kind of a work around.
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
// For request needing CORS, send a 200.
if r.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
return
}
user, pass, ok := r.BasicAuth()
// Failed
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
log.Debugln("Failed authentication for", r.URL.Path, "from", r.RemoteAddr, r.UserAgent())
return
}
handler(w, r)
}
}
func RequireAccessToken(scope string, handler http.HandlerFunc) http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
token := strings.Join(authHeader, "")
if len(authHeader) == 0 || token == "" {
log.Warnln("invalid access token")
w.WriteHeader(http.StatusUnauthorized) //nolint
w.Write([]byte("invalid access token")) //nolint
return
}
if accepted, err := data.DoesTokenSupportScope(token, scope); err != nil {
w.WriteHeader(http.StatusInternalServerError) //nolint
w.Write([]byte(err.Error())) //nolint
return
} else if !accepted {
log.Warnln("invalid access token")
w.WriteHeader(http.StatusUnauthorized) //nolint
w.Write([]byte("invalid access token")) //nolint
return
}
handler(w, r)
if err := data.SetAccessTokenAsUsed(token); err != nil {
log.Debugln(token, "not found when updating last_used timestamp")
}
})
}