├── .gitignore ├── .travis.yml ├── start-test-env.sh ├── gobfile_test.go ├── LICENSE.txt ├── leveldbAuthBackend_test.go ├── mongoBackend_test.go ├── sqlBackend_test.go ├── README.md ├── gobfile.go ├── mongoBackend.go ├── leveldbAuthBackend.go ├── backend_test.go ├── sqlBackend.go ├── auth_test.go ├── examples └── server.go └── auth.go /.gitignore: -------------------------------------------------------------------------------- 1 | files 2 | data 3 | auth 4 | usage 5 | auth_test.gob 6 | auth.gob 7 | server 8 | mongodbtest 9 | pgdbtest 10 | test.ldb 11 | gobfile_test.gob 12 | httpauth_test_sqlite.db 13 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: go 2 | 3 | go: 4 | - tip 5 | - 1.6 6 | - 1.5 7 | - 1.4 8 | 9 | install: 10 | - go get golang.org/x/crypto/bcrypt 11 | - go get github.com/gorilla/mux 12 | - go get github.com/gorilla/sessions 13 | - go get github.com/go-sql-driver/mysql 14 | - go get gopkg.in/mgo.v2 15 | - go get github.com/lib/pq 16 | - go get github.com/mattn/go-sqlite3 17 | - go get github.com/syndtr/goleveldb/leveldb 18 | 19 | before_script: 20 | - mysql -e 'create database httpauth_test;' 21 | - psql -c 'create database httpauth_test;' -U postgres 22 | 23 | services: 24 | - mongodb 25 | 26 | before_install: 27 | - go get github.com/axw/gocov/gocov 28 | - go get github.com/mattn/goveralls 29 | - go get golang.org/x/tools/cmd/cover 30 | 31 | script: 32 | - $HOME/gopath/bin/goveralls -repotoken HQ2GKw3BZ02GdvxTWqMKVZ68iKBdE5OLR 33 | 34 | git: 35 | depth: 3 36 | 37 | sudo: false 38 | -------------------------------------------------------------------------------- /start-test-env.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p mongodbtest 4 | mongod --dbpath mongodbtest >/dev/null & 5 | mongopid=$! 6 | echo "mongod started with pid: $mongopid" 7 | 8 | mysqld --skip-grant-tables >/dev/null 2>/dev/null & 9 | mysqlpid=$! 10 | echo "WARNING: mysqld started with no security" 11 | echo "mysqld started with pid: $mysqlpid" 12 | 13 | mkdir -p pgdbtest 14 | initdb pgdbtest -E utf8 >/dev/null 2>/dev/null 15 | postgres -D pgdbtest >/dev/null 2>/dev/null & 16 | postgrespid=$! 17 | echo "postgres started with pid: $postgrespid" 18 | sleep 5 19 | createuser --createdb postgres >/dev/null 2>/dev/null 20 | createdb httpauth_test >/dev/null 2>/dev/null 21 | 22 | function ctrl_c() { 23 | echo "shutting down databases" 24 | kill -15 $mongopid 2>/dev/null 25 | kill -15 $mysqlpid 2>/dev/null 26 | kill -15 $postgrespid 2>/dev/null 27 | 28 | rm -rf mongodbtest pgdbtest auth_test.gob 29 | exit 0 30 | } 31 | trap ctrl_c INT 32 | 33 | echo "ready to test... press ctrl-c to quit" 34 | # wait forever 35 | cat 36 | -------------------------------------------------------------------------------- /gobfile_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | ) 7 | 8 | // Establish new gobfile for testing due to issues with busy process from previous test. 9 | var gobfile = "gobfile_test.gob" 10 | 11 | func TestInitGobFileAuthBackend(t *testing.T) { 12 | err := os.Remove(gobfile) 13 | b, err := NewGobFileAuthBackend(gobfile) 14 | if err != ErrMissingBackend { 15 | t.Fatal(err.Error()) 16 | } 17 | 18 | _, err = os.Create(gobfile) 19 | if err != nil { 20 | t.Fatal(err.Error()) 21 | } 22 | b, err = NewGobFileAuthBackend(gobfile) 23 | if err != nil { 24 | t.Fatal(err.Error()) 25 | } 26 | if b.filepath != gobfile { 27 | t.Fatal("File path not saved.") 28 | } 29 | if len(b.users) != 0 { 30 | t.Fatal("Users initialized with items.") 31 | } 32 | 33 | testBackend(t, b) 34 | } 35 | 36 | func TestGobReopen(t *testing.T) { 37 | b, err := NewGobFileAuthBackend(gobfile) 38 | if err != nil { 39 | t.Fatal(err.Error()) 40 | } 41 | b.Close() 42 | b, err = NewGobFileAuthBackend(gobfile) 43 | if err != nil { 44 | t.Fatal(err.Error()) 45 | } 46 | 47 | testBackend2(t, b) 48 | } 49 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 Cameron Little 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /leveldbAuthBackend_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | ) 7 | 8 | var ( 9 | fileldb = "test.ldb" 10 | ) 11 | 12 | func TestInitLeveldbAuthBackend(t *testing.T) { 13 | // test if ErrMissingLeveldbBackend is thrown if no leveldb database exists 14 | err := os.RemoveAll(fileldb) 15 | if err != nil { 16 | t.Fatal(err.Error()) 17 | } 18 | b, err := NewLeveldbAuthBackend(fileldb) 19 | if err != ErrMissingLeveldbBackend { 20 | t.Fatal(err.Error()) 21 | } 22 | 23 | err = os.MkdirAll(fileldb, 0700) 24 | if err != nil { 25 | t.Fatal(err.Error()) 26 | } 27 | b, err = NewLeveldbAuthBackend(fileldb) 28 | if err != nil { 29 | t.Fatal(err.Error()) 30 | } 31 | if b.filepath != fileldb { 32 | t.Fatal("File path not saved.") 33 | } 34 | if len(b.users) != 0 { 35 | t.Fatal("Users initialized with items.") 36 | } 37 | 38 | testBackend(t, b) 39 | } 40 | 41 | func TestLeveldbReopen(t *testing.T) { 42 | defer os.RemoveAll(fileldb) 43 | b, err := NewLeveldbAuthBackend(fileldb) 44 | if err != nil { 45 | t.Fatal(err.Error()) 46 | } 47 | b.Close() 48 | b, err = NewLeveldbAuthBackend(fileldb) 49 | if err != nil { 50 | t.Fatal(err.Error()) 51 | } 52 | 53 | testBackend2(t, b) 54 | } 55 | -------------------------------------------------------------------------------- /mongoBackend_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "fmt" 5 | "gopkg.in/mgo.v2" 6 | "os" 7 | "testing" 8 | ) 9 | 10 | func TestMongodbInit(t *testing.T) { 11 | con, err := mgo.Dial("mongodb://127.0.0.1/") 12 | if err != nil { 13 | fmt.Printf("Couldn't set up test mongodb session: %v\n", err) 14 | os.Exit(1) 15 | } 16 | defer con.Close() 17 | err = con.Ping() 18 | if err != nil { 19 | t.Errorf("Couldn't ping test mongodb database: %v", err) 20 | fmt.Printf("Couldn't ping test mongodb database: %v\n", err) 21 | // t.Errorf("Couldn't ping test database: %v\n", err) 22 | os.Exit(1) 23 | } 24 | database := con.DB("httpauth_test") 25 | err = database.DropDatabase() 26 | if err != nil { 27 | t.Errorf("Couldn't drop test mongodb database: %v", err) 28 | fmt.Printf("Couldn't drop test mongodb database: %v\n", err) 29 | // t.Errorf("Couldn't ping test database: %v\n", err) 30 | os.Exit(1) 31 | } 32 | } 33 | 34 | func TestNewMongodbAuthBackend(t *testing.T) { 35 | // Note: the following takes 10 seconds. It really should be included, but 36 | // I don't want to wait that long. 37 | //_, err = NewMongodbBackend("mongodb://example.com.doesntexist", db) 38 | //if err == nil { 39 | // t.Fatal("Expected error on invalid url.") 40 | //} 41 | mongo_backend, err := NewMongodbBackend("mongodb://doesn'texist/", "httpauth_test") 42 | if err == nil { 43 | t.Fatalf("expected NewMongodbBackend error") 44 | } 45 | mongo_backend, err = NewMongodbBackend("mongodb://127.0.0.1/", "httpauth_test") 46 | if err != nil { 47 | t.Fatalf("NewMongodbBackend error: %v", err) 48 | } 49 | if mongo_backend.mongoURL != "mongodb://127.0.0.1/" { 50 | t.Error("Url name.") 51 | } 52 | if mongo_backend.database != "httpauth_test" { 53 | t.Error("DB not saved.") 54 | } 55 | 56 | testBackend(t, mongo_backend) 57 | } 58 | 59 | func TestMongodbReopen(t *testing.T) { 60 | mongo_backend, err := NewMongodbBackend("mongodb://127.0.0.1/", "httpauth_test") 61 | if err != nil { 62 | t.Fatal(err.Error()) 63 | } 64 | mongo_backend.Close() 65 | mongo_backend, err = NewMongodbBackend("mongodb://127.0.0.1/", "httpauth_test") 66 | if err != nil { 67 | t.Fatal(err.Error()) 68 | } 69 | 70 | testBackend2(t, mongo_backend) 71 | } 72 | -------------------------------------------------------------------------------- /sqlBackend_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "database/sql" 5 | "fmt" 6 | _ "github.com/go-sql-driver/mysql" 7 | _ "github.com/lib/pq" 8 | _ "github.com/mattn/go-sqlite3" 9 | "os" 10 | "testing" 11 | ) 12 | 13 | func testSqlInit(t *testing.T, driver string, info string) { 14 | con, err := sql.Open(driver, info) 15 | if err != nil { 16 | t.Errorf("Couldn't set up test database: %v", err) 17 | fmt.Printf("Couldn't set up test database: %v\n", err) 18 | os.Exit(1) 19 | } 20 | err = con.Ping() 21 | if err != nil { 22 | t.Errorf("Couldn't ping test database: %v", err) 23 | fmt.Printf("Couldn't ping test database: %v\n", err) 24 | // t.Errorf("Couldn't ping test database: %v\n", err) 25 | os.Exit(1) 26 | } 27 | con.Exec("drop table goauth") 28 | } 29 | 30 | func testSqlBackend(t *testing.T, driver string, info string) { 31 | var err error 32 | _, err = NewSqlAuthBackend(driver, info+"_fail") 33 | if err == nil { 34 | t.Fatal("Expected error on invalid connection.") 35 | } 36 | backend, err := NewSqlAuthBackend(driver, info) 37 | if err != nil { 38 | t.Fatal(err.Error()) 39 | } 40 | if backend.driverName != driver { 41 | t.Fatal("Driver name.") 42 | } 43 | if backend.dataSourceName != info { 44 | t.Fatal("Driver info not saved.") 45 | } 46 | 47 | testBackend(t, backend) 48 | } 49 | 50 | func testSqlReopen(t *testing.T, driver string, info string) { 51 | var err error 52 | 53 | backend, err := NewSqlAuthBackend(driver, info) 54 | if err != nil { 55 | t.Fatal(err.Error()) 56 | } 57 | 58 | backend.Close() 59 | 60 | backend, err = NewSqlAuthBackend(driver, info) 61 | if err != nil { 62 | t.Fatal(err.Error()) 63 | } 64 | 65 | testAfterReopen(t, backend) 66 | } 67 | 68 | func sqlTests(t *testing.T, driver string, info string) { 69 | testSqlInit(t, driver, info) 70 | testSqlBackend(t, driver, info) 71 | testSqlReopen(t, driver, info) 72 | } 73 | 74 | // 75 | // mysql tests 76 | // 77 | func TestMysqlBackend(t *testing.T) { 78 | sqlTests(t, "mysql", "travis@tcp(127.0.0.1:3306)/httpauth_test") 79 | } 80 | 81 | // 82 | // postgres tests 83 | // 84 | func TestPostgresBackend(t *testing.T) { 85 | sqlTests(t, "postgres", "user=postgres password='' dbname=httpauth_test sslmode=disable") 86 | } 87 | 88 | // 89 | // sqlite3 tests 90 | // 91 | func TestSqliteBackend(t *testing.T) { 92 | os.Create("./httpauth_test_sqlite.db") 93 | sqlTests(t, "sqlite3", "./httpauth_test_sqlite.db") 94 | os.Remove("./httpauth_test_sqlite.db") 95 | } 96 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Go Session Authentication 2 | [![Build Status](http://img.shields.io/travis/apexskier/httpauth.svg)](https://travis-ci.org/apexskier/httpauth) 3 | [![Coverage Status](https://coveralls.io/repos/github/apexskier/httpauth/badge.svg?branch=master)](https://coveralls.io/github/apexskier/httpauth?branch=master) 4 | [![GoDoc](http://img.shields.io/badge/godoc-reference-blue.svg)](https://godoc.org/github.com/apexskier/httpauth) 5 | ![Version 2.0.0](https://img.shields.io/badge/version-2.0.0-lightgrey.svg) 6 | 7 | See git tags/releases for information about potentially breaking change. 8 | 9 | This package uses the [Gorilla web toolkit](http://www.gorillatoolkit.org/)'s 10 | sessions package to implement a user authentication and authorization system 11 | for Go web servers. 12 | 13 | Multiple user data storage backends are available, and new ones can be 14 | implemented relatively easily. 15 | 16 | - [File based](https://godoc.org/github.com/apexskier/goauth#NewGobFileAuthBackend) ([gob](http://golang.org/pkg/encoding/gob/)) 17 | - [Various SQL Databases](https://godoc.org/github.com/apexskier/httpauth#NewSqlAuthBackend) 18 | (tested with [MySQL](https://github.com/go-sql-driver/mysql), 19 | [PostgresSQL](https://github.com/lib/pq), 20 | [SQLite](https://github.com/mattn/go-sqlite3)) 21 | - [MongoDB](https://godoc.org/github.com/apexskier/httpauth#NewMongodbBackend) ([mgo](http://gopkg.in/mgo.v2)) 22 | 23 | Access can be restricted by a users' role. 24 | 25 | Uses [bcrypt](http://codahale.com/how-to-safely-store-a-password/) for password 26 | hashing. 27 | 28 | ```go 29 | var ( 30 | aaa httpauth.Authorizer 31 | ) 32 | 33 | func login(rw http.ResponseWriter, req *http.Request) { 34 | username := req.PostFormValue("username") 35 | password := req.PostFormValue("password") 36 | if err := aaa.Login(rw, req, username, password, "/"); err != nil && err.Error() == "already authenticated" { 37 | http.Redirect(rw, req, "/", http.StatusSeeOther) 38 | } else if err != nil { 39 | fmt.Println(err) 40 | http.Redirect(rw, req, "/login", http.StatusSeeOther) 41 | } 42 | } 43 | ``` 44 | 45 | Run `go run server.go` from the examples directory and visit `localhost:8009` 46 | for an example. You can login with the username "admin" and password "adminadmin". 47 | 48 | Tests can be run by simulating Travis CI's build environment. There's a very 49 | unsafe script --- `start-test-env.sh` that will do this for you. 50 | 51 | You should [follow me on Twitter](https://twitter.com/apexskier). [Appreciate this package?](https://cash.me/$apexskier) 52 | 53 | ### TODO 54 | 55 | - User roles - modification 56 | - SMTP email validation (key based) 57 | - More backends 58 | - Possible remove dependance on bcrypt 59 | -------------------------------------------------------------------------------- /gobfile.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "encoding/gob" 5 | "errors" 6 | "fmt" 7 | "os" 8 | ) 9 | 10 | // ErrMissingBackend is returned by NewGobFileAuthBackend when the file doesn't 11 | // exist. Be sure to create (or touch) it if using brand new backend or 12 | // resetting backend. 13 | var ( 14 | ErrMissingBackend = errors.New("gobfilebackend: missing backend") 15 | ) 16 | 17 | // GobFileAuthBackend stores user data and the location of the gob file. 18 | type GobFileAuthBackend struct { 19 | filepath string 20 | users map[string]UserData 21 | } 22 | 23 | // NewGobFileAuthBackend initializes a new backend by loading a map of users 24 | // from a file. 25 | // If the file doesn't exist, returns an error. 26 | func NewGobFileAuthBackend(filepath string) (b GobFileAuthBackend, e error) { 27 | b.filepath = filepath 28 | if _, err := os.Stat(b.filepath); err == nil { 29 | f, err := os.Open(b.filepath) 30 | defer f.Close() 31 | if err != nil { 32 | return b, fmt.Errorf("gobfilebackend: %v", err.Error()) 33 | } 34 | dec := gob.NewDecoder(f) 35 | dec.Decode(&b.users) 36 | } else if !os.IsNotExist(err) { 37 | return b, fmt.Errorf("gobfilebackend: %v", err.Error()) 38 | } else { 39 | return b, ErrMissingBackend 40 | } 41 | if b.users == nil { 42 | b.users = make(map[string]UserData) 43 | } 44 | return b, nil 45 | } 46 | 47 | // User returns the user with the given username. Error is set to 48 | // ErrMissingUser if user is not found. 49 | func (b GobFileAuthBackend) User(username string) (user UserData, e error) { 50 | if user, ok := b.users[username]; ok { 51 | return user, nil 52 | } 53 | return user, ErrMissingUser 54 | } 55 | 56 | // Users returns a slice of all users. 57 | func (b GobFileAuthBackend) Users() (us []UserData, e error) { 58 | for _, user := range b.users { 59 | us = append(us, user) 60 | } 61 | return 62 | } 63 | 64 | // SaveUser adds a new user, replacing one with the same username, and saves a 65 | // gob file. 66 | func (b GobFileAuthBackend) SaveUser(user UserData) error { 67 | b.users[user.Username] = user 68 | err := b.save() 69 | return err 70 | } 71 | 72 | func (b GobFileAuthBackend) save() error { 73 | f, err := os.Create(b.filepath) 74 | defer f.Close() 75 | if err != nil { 76 | return errors.New("gobfilebackend: failed to edit auth file") 77 | } 78 | enc := gob.NewEncoder(f) 79 | err = enc.Encode(b.users) 80 | if err != nil { 81 | fmt.Errorf("gobfilebackend: save: %v", err) 82 | } 83 | return nil 84 | } 85 | 86 | // DeleteUser removes a user, raising ErrDeleteNull if that user was missing. 87 | func (b GobFileAuthBackend) DeleteUser(username string) error { 88 | _, err := b.User(username) 89 | if err == ErrMissingUser { 90 | return ErrDeleteNull 91 | } else if err != nil { 92 | return fmt.Errorf("gobfilebackend: %v", err) 93 | } 94 | delete(b.users, username) 95 | return b.save() 96 | } 97 | 98 | // Close cleans up the backend. Currently a no-op for gobfiles. 99 | func (b GobFileAuthBackend) Close() { 100 | 101 | } 102 | -------------------------------------------------------------------------------- /mongoBackend.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "errors" 5 | "gopkg.in/mgo.v2" 6 | "gopkg.in/mgo.v2/bson" 7 | ) 8 | 9 | // MongodbAuthBackend stores database connection information. 10 | type MongodbAuthBackend struct { 11 | mongoURL string 12 | database string 13 | session *mgo.Session 14 | } 15 | 16 | func (b MongodbAuthBackend) connect() *mgo.Collection { 17 | session := b.session.Copy() 18 | return session.DB(b.database).C("goauth") 19 | } 20 | 21 | func mkmgoerror(msg string) error { 22 | return errors.New("mongobackend: " + msg) 23 | } 24 | 25 | // NewMongodbBackend initializes a new backend. 26 | // Be sure to call Close() on this to clean up the mongodb connection. 27 | // Example: 28 | // backend = httpauth.MongodbAuthBackend("mongodb://127.0.0.1/", "auth") 29 | // defer backend.Close() 30 | func NewMongodbBackend(mongoURL string, database string) (b MongodbAuthBackend, e error) { 31 | // Set up connection to database 32 | b.mongoURL = mongoURL 33 | b.database = database 34 | session, err := mgo.Dial(b.mongoURL) 35 | if err != nil { 36 | return b, mkmgoerror(err.Error()) 37 | } 38 | err = session.Ping() 39 | if err != nil { 40 | return b, mkmgoerror(err.Error()) 41 | } 42 | 43 | // Ensure that the Username field is unique 44 | index := mgo.Index{ 45 | Key: []string{"Username"}, 46 | Unique: true, 47 | } 48 | err = session.DB(b.database).C("goauth").EnsureIndex(index) 49 | if err != nil { 50 | return b, mkmgoerror(err.Error()) 51 | } 52 | b.session = session 53 | return 54 | } 55 | 56 | // User returns the user with the given username. Error is set to 57 | // ErrMissingUser if user is not found. 58 | func (b MongodbAuthBackend) User(username string) (user UserData, e error) { 59 | var result UserData 60 | 61 | c := b.connect() 62 | defer c.Database.Session.Close() 63 | 64 | err := c.Find(bson.M{"Username": username}).One(&result) 65 | if err != nil { 66 | return result, ErrMissingUser 67 | } 68 | return result, nil 69 | } 70 | 71 | // Users returns a slice of all users. 72 | func (b MongodbAuthBackend) Users() (us []UserData, e error) { 73 | c := b.connect() 74 | defer c.Database.Session.Close() 75 | 76 | err := c.Find(bson.M{}).All(&us) 77 | if err != nil { 78 | return us, mkmgoerror(err.Error()) 79 | } 80 | return 81 | } 82 | 83 | // SaveUser adds a new user, replacing if the same username is in use. 84 | func (b MongodbAuthBackend) SaveUser(user UserData) error { 85 | c := b.connect() 86 | defer c.Database.Session.Close() 87 | 88 | _, err := c.Upsert(bson.M{"Username": user.Username}, bson.M{"$set": user}) 89 | return err 90 | } 91 | 92 | // DeleteUser removes a user. ErrNotFound is returned if the user isn't found. 93 | func (b MongodbAuthBackend) DeleteUser(username string) error { 94 | c := b.connect() 95 | defer c.Database.Session.Close() 96 | 97 | // raises error if "username" doesn't exist 98 | err := c.Remove(bson.M{"Username": username}) 99 | if err == mgo.ErrNotFound { 100 | return ErrDeleteNull 101 | } 102 | return err 103 | } 104 | 105 | // Close cleans up the backend once done with. This should be called before 106 | // program exit. 107 | func (b MongodbAuthBackend) Close() { 108 | if b.session != nil { 109 | b.session.Close() 110 | } 111 | } 112 | -------------------------------------------------------------------------------- /leveldbAuthBackend.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "encoding/json" 5 | "errors" 6 | "fmt" 7 | "github.com/syndtr/goleveldb/leveldb" 8 | "os" 9 | ) 10 | 11 | // ErrMissingLeveldbBackend is returned by NewLeveldbAuthBackend when the file 12 | // doesn't exist. Be sure to create (or touch) it if using brand new backend or 13 | // resetting backend. 14 | var ( 15 | ErrMissingLeveldbBackend = errors.New("leveldbauthbackend: missing backend") 16 | ) 17 | 18 | // LeveldbAuthBackend stores user data and the location of a leveldb file. 19 | // 20 | // Current implementation holds all user data in memory, flushing to leveldb 21 | // as a single value to the key "httpauth::userdata" on saves. 22 | type LeveldbAuthBackend struct { 23 | filepath string 24 | users map[string]UserData 25 | } 26 | 27 | // NewLeveldbAuthBackend initializes a new backend by loading a map of users 28 | // from a file. 29 | // If the file doesn't exist, returns an error. 30 | func NewLeveldbAuthBackend(filepath string) (b LeveldbAuthBackend, e error) { 31 | b.filepath = filepath 32 | if _, err := os.Stat(b.filepath); err == nil { 33 | db, err := leveldb.OpenFile(b.filepath, nil) 34 | defer db.Close() 35 | if err != nil { 36 | return b, fmt.Errorf("leveldbauthbackend: %v", err.Error()) 37 | } 38 | data, err := db.Get([]byte("httpauth::userdata"), nil) 39 | err = json.Unmarshal(data, &b.users) 40 | if err != nil { 41 | b.users = make(map[string]UserData) 42 | } 43 | } else { 44 | return b, ErrMissingLeveldbBackend 45 | } 46 | if b.users == nil { 47 | b.users = make(map[string]UserData) 48 | } 49 | return b, nil 50 | } 51 | 52 | // User returns the user with the given username. Error is set to 53 | // ErrMissingUser if user is not found. 54 | func (b LeveldbAuthBackend) User(username string) (user UserData, e error) { 55 | if user, ok := b.users[username]; ok { 56 | return user, nil 57 | } 58 | return user, ErrMissingUser 59 | } 60 | 61 | // Users returns a slice of all users. 62 | func (b LeveldbAuthBackend) Users() (us []UserData, e error) { 63 | for _, user := range b.users { 64 | us = append(us, user) 65 | } 66 | return 67 | } 68 | 69 | // SaveUser adds a new user, replacing one with the same username, and flushes 70 | // to the db. 71 | func (b LeveldbAuthBackend) SaveUser(user UserData) error { 72 | b.users[user.Username] = user 73 | err := b.save() 74 | return err 75 | } 76 | 77 | func (b LeveldbAuthBackend) save() error { 78 | db, err := leveldb.OpenFile(b.filepath, nil) 79 | defer db.Close() 80 | if err != nil { 81 | return errors.New("leveldbauthbackend: failed to edit auth file") 82 | } 83 | data, err := json.Marshal(b.users) 84 | if err != nil { 85 | return errors.New(fmt.Sprintf("leveldbauthbackend: save: %v", err)) 86 | } 87 | err = db.Put([]byte("httpauth::userdata"), data, nil) 88 | if err != nil { 89 | return errors.New(fmt.Sprintf("leveldbauthbackend: save: %v", err)) 90 | } 91 | return nil 92 | } 93 | 94 | // DeleteUser removes a user, raising ErrDeleteNull if that user was missing. 95 | func (b LeveldbAuthBackend) DeleteUser(username string) error { 96 | _, err := b.User(username) 97 | if err == ErrMissingUser { 98 | return ErrDeleteNull 99 | } else if err != nil { 100 | return fmt.Errorf("leveldbauthbackend: %v", err) 101 | } 102 | delete(b.users, username) 103 | return b.save() 104 | } 105 | 106 | // Close cleans up the backend. Currently a no-op for gobfiles. 107 | func (b LeveldbAuthBackend) Close() { 108 | 109 | } 110 | -------------------------------------------------------------------------------- /backend_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "bytes" 5 | "testing" 6 | ) 7 | 8 | func testBackendAuthorizer(t *testing.T, backend AuthBackend) { 9 | roles := make(map[string]Role) 10 | roles["user"] = 40 11 | roles["admin"] = 80 12 | _, err := NewAuthorizer(backend, []byte("testkey"), "user", roles) 13 | if err != nil { 14 | t.Fatal(err) 15 | } 16 | } 17 | 18 | func testBackendSaveUser(t *testing.T, backend AuthBackend) { 19 | user2 := UserData{"username2", "email2", []byte("passwordhash2"), "role2"} 20 | if err := backend.SaveUser(user2); err != nil { 21 | t.Fatalf("SaveUser sql error: %v", err) 22 | } 23 | 24 | user := UserData{"username", "email", []byte("passwordhash"), "role"} 25 | if err := backend.SaveUser(user); err != nil { 26 | t.Fatalf("SaveUser sql error: %v", err) 27 | } 28 | } 29 | 30 | func testBackendNewAuthBackend_existing(t *testing.T, backend AuthBackend) { 31 | user, err := backend.User("username") 32 | if err != nil { 33 | t.Fatal("Secondary backend failed") 34 | } 35 | if user.Username != "username" { 36 | t.Fatal("Username not correct.") 37 | } 38 | if user.Email != "email" { 39 | t.Fatal("User email not correct.") 40 | } 41 | if !bytes.Equal(user.Hash, []byte("passwordhash")) { 42 | t.Fatal("User password not correct.") 43 | } 44 | } 45 | 46 | func testBackendUser_existing(t *testing.T, backend AuthBackend) { 47 | if user, err := backend.User("username"); err == nil { 48 | if user.Username != "username" { 49 | t.Error("Username not correct.") 50 | } 51 | if user.Email != "email" { 52 | t.Error("User email not correct.") 53 | } 54 | if !bytes.Equal(user.Hash, []byte("passwordhash")) { 55 | t.Error("User password not correct.") 56 | } 57 | } else { 58 | t.Errorf("User not found: %v", err) 59 | } 60 | if user, err := backend.User("username2"); err == nil { 61 | if user.Username != "username2" { 62 | t.Error("Username not correct.") 63 | } 64 | if user.Email != "email2" { 65 | t.Error("User email not correct.") 66 | } 67 | if !bytes.Equal(user.Hash, []byte("passwordhash2")) { 68 | t.Error("User password not correct.") 69 | } 70 | } else { 71 | t.Fatalf("User not found: %v", err) 72 | } 73 | } 74 | 75 | func testBackendUser_notexisting(t *testing.T, backend AuthBackend) { 76 | if _, err := backend.User("notexist"); err != ErrMissingUser { 77 | t.Fatal("Not existing user found.") 78 | } 79 | } 80 | 81 | func testBackendUsers(t *testing.T, backend AuthBackend) { 82 | var ( 83 | u1 UserData 84 | u2 UserData 85 | ) 86 | users, err := backend.Users() 87 | if err != nil { 88 | t.Fatal(err.Error()) 89 | } 90 | if len(users) != 2 { 91 | t.Fatal("Wrong amount of users found.") 92 | } 93 | if users[0].Username == "username" { 94 | u1 = users[0] 95 | u2 = users[1] 96 | } else if users[1].Username == "username" { 97 | u1 = users[1] 98 | u2 = users[0] 99 | } else { 100 | t.Fatal("One of the users not found.") 101 | } 102 | 103 | if u1.Username != "username" { 104 | t.Error("Username not correct.") 105 | } 106 | if u1.Email != "email" { 107 | t.Error("User email not correct.") 108 | } 109 | if !bytes.Equal(u1.Hash, []byte("passwordhash")) { 110 | t.Error("User password not correct.") 111 | } 112 | if u2.Username != "username2" { 113 | t.Error("Username not correct.") 114 | } 115 | if u2.Email != "email2" { 116 | t.Error("User email not correct.") 117 | } 118 | if !bytes.Equal(u2.Hash, []byte("passwordhash2")) { 119 | t.Error("User password not correct.") 120 | } 121 | } 122 | 123 | func testBackendUpdateUser(t *testing.T, backend AuthBackend) { 124 | user2 := UserData{"username", "newemail", []byte("newpassword"), "newrole"} 125 | if err := backend.SaveUser(user2); err != nil { 126 | t.Fatalf("SaveUser sql error: %v", err) 127 | } 128 | u2, err := backend.User("username") 129 | if err != nil { 130 | t.Fatal("Updated user not found") 131 | } 132 | if u2.Username != "username" { 133 | t.Fatal("Username not correct.") 134 | } 135 | if u2.Email != "newemail" { 136 | t.Fatal("User email not correct.") 137 | } 138 | if u2.Role != "newrole" { 139 | t.Fatalf("User role not correct: found %v, expected %v", u2.Role, "newrole") 140 | } 141 | if !bytes.Equal(u2.Hash, []byte("newpassword")) { 142 | t.Fatal("User password not correct.") 143 | } 144 | } 145 | 146 | func testBackendDeleteUser(t *testing.T, backend AuthBackend) { 147 | if err := backend.DeleteUser("username"); err != nil { 148 | t.Fatalf("DeleteUser error: %v", err) 149 | } 150 | err := backend.DeleteUser("username") 151 | if err == nil { 152 | t.Fatalf("DeleteUser should have raised error") 153 | } else if err != ErrDeleteNull { 154 | t.Fatalf("DeleteUser raised unexpected error: %v", err) 155 | } 156 | } 157 | 158 | func testBackendClose(t *testing.T, backend AuthBackend) { 159 | backend.Close() 160 | } 161 | 162 | func testBackend(t *testing.T, backend AuthBackend) { 163 | testBackendAuthorizer(t, backend) 164 | testBackendSaveUser(t, backend) 165 | testBackendNewAuthBackend_existing(t, backend) 166 | testBackendUser_existing(t, backend) 167 | testBackendUser_notexisting(t, backend) 168 | testBackendUsers(t, backend) 169 | testBackendUpdateUser(t, backend) 170 | testBackendDeleteUser(t, backend) 171 | testBackendClose(t, backend) 172 | } 173 | 174 | func testAfterReopen(t *testing.T, backend AuthBackend) { 175 | users, err := backend.Users() 176 | if err != nil { 177 | t.Fatal(err.Error()) 178 | } 179 | if len(users) != 1 { 180 | t.Fatalf("Users not loaded properly. length = %d", len(users)) 181 | } 182 | if users[0].Username != "username2" { 183 | t.Error("Username not correct.") 184 | } 185 | if users[0].Email != "email2" { 186 | t.Error("User email not correct.") 187 | } 188 | if !bytes.Equal(users[0].Hash, []byte("passwordhash2")) { 189 | t.Error("User password not correct.") 190 | } 191 | } 192 | 193 | func testDelete2(t *testing.T, backend AuthBackend) { 194 | if err := backend.DeleteUser("username2"); err != nil { 195 | t.Fatalf("DeleteUser error: %v", err) 196 | } 197 | } 198 | 199 | func testClose2(t *testing.T, backend AuthBackend) { 200 | backend.Close() 201 | } 202 | 203 | func testBackend2(t *testing.T, backend AuthBackend) { 204 | testAfterReopen(t, backend) 205 | testDelete2(t, backend) 206 | testClose2(t, backend) 207 | } 208 | -------------------------------------------------------------------------------- /sqlBackend.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "database/sql" 5 | "errors" 6 | "fmt" 7 | "os" 8 | ) 9 | 10 | // SqlAuthBackend database and database connection information. 11 | type SqlAuthBackend struct { 12 | driverName string 13 | dataSourceName string 14 | db *sql.DB 15 | 16 | // prepared statements 17 | userStmt *sql.Stmt 18 | usersStmt *sql.Stmt 19 | insertStmt *sql.Stmt 20 | updateStmt *sql.Stmt 21 | deleteStmt *sql.Stmt 22 | } 23 | 24 | func mksqlerror(msg string) error { 25 | return errors.New("sqlbackend: " + msg) 26 | } 27 | 28 | // NewSqlAuthBackend initializes a new backend by testing the database 29 | // connection and making sure the storage table exists. The table is called 30 | // goauth. 31 | // 32 | // Returns an error if connecting to the database fails, pinging the database 33 | // fails, or creating the table fails. 34 | // 35 | // This uses the databases/sql package to open a connection. Its parameters 36 | // should match the sql.Open function. See 37 | // http://golang.org/pkg/database/sql/#Open for more information. 38 | // 39 | // Be sure to import "database/sql" and your driver of choice. If you're not 40 | // using sql for your own purposes, you'll need to use the underscore to import 41 | // for side effects; see http://golang.org/doc/effective_go.html#blank_import. 42 | func NewSqlAuthBackend(driverName, dataSourceName string) (b SqlAuthBackend, e error) { 43 | b.driverName = driverName 44 | b.dataSourceName = dataSourceName 45 | if driverName == "sqlite3" { 46 | if _, err := os.Stat(dataSourceName); os.IsNotExist(err) { 47 | return b, ErrMissingBackend 48 | } 49 | } 50 | db, err := sql.Open(driverName, dataSourceName) 51 | if err != nil { 52 | return b, mksqlerror(err.Error()) 53 | } 54 | err = db.Ping() 55 | if err != nil { 56 | return b, mksqlerror(err.Error()) 57 | } 58 | b.db = db 59 | _, err = db.Exec(`create table if not exists goauth (Username varchar(255), Email varchar(255), Hash varchar(255), Role varchar(255), primary key (Username))`) 60 | if err != nil { 61 | return b, mksqlerror(err.Error()) 62 | } 63 | 64 | // prepare statements for concurrent use and better preformance 65 | // 66 | // NOTE: 67 | // I don't want to have to check if it's postgres, but postgres uses 68 | // different tokens for placeholders. :( Also be aware that postgres 69 | // lowercases all these column names. 70 | // 71 | // Thanks to mjhall for letting me know about this. 72 | if driverName == "postgres" { 73 | b.userStmt, err = db.Prepare(`select Email, Hash, Role from goauth where Username = $1`) 74 | if err != nil { 75 | return b, mksqlerror(fmt.Sprintf("userstmt: %v", err)) 76 | } 77 | b.usersStmt, err = db.Prepare(`select Username, Email, Hash, Role from goauth`) 78 | if err != nil { 79 | return b, mksqlerror(fmt.Sprintf("usersstmt: %v", err)) 80 | } 81 | b.insertStmt, err = db.Prepare(`insert into goauth (Username, Email, Hash, Role) values ($1, $2, $3, $4)`) 82 | if err != nil { 83 | return b, mksqlerror(fmt.Sprintf("insertstmt: %v", err)) 84 | } 85 | b.updateStmt, err = db.Prepare(`update goauth set Email = $1, Hash = $2, Role = $3 where Username = $4`) 86 | if err != nil { 87 | return b, mksqlerror(fmt.Sprintf("updatestmt: %v", err)) 88 | } 89 | b.deleteStmt, err = db.Prepare(`delete from goauth where Username = $1`) 90 | if err != nil { 91 | return b, mksqlerror(fmt.Sprintf("deletestmt: %v", err)) 92 | } 93 | } else { 94 | b.userStmt, err = db.Prepare(`select Email, Hash, Role from goauth where Username = ?`) 95 | if err != nil { 96 | return b, mksqlerror(fmt.Sprintf("userstmt: %v", err)) 97 | } 98 | b.usersStmt, err = db.Prepare(`select Username, Email, Hash, Role from goauth`) 99 | if err != nil { 100 | return b, mksqlerror(fmt.Sprintf("usersstmt: %v", err)) 101 | } 102 | b.insertStmt, err = db.Prepare(`insert into goauth (Username, Email, Hash, Role) values (?, ?, ?, ?)`) 103 | if err != nil { 104 | return b, mksqlerror(fmt.Sprintf("insertstmt: %v", err)) 105 | } 106 | b.updateStmt, err = db.Prepare(`update goauth set Email = ?, Hash = ?, Role = ? where Username = ?`) 107 | if err != nil { 108 | return b, mksqlerror(fmt.Sprintf("updatestmt: %v", err)) 109 | } 110 | b.deleteStmt, err = db.Prepare(`delete from goauth where Username = ?`) 111 | if err != nil { 112 | return b, mksqlerror(fmt.Sprintf("deletestmt: %v", err)) 113 | } 114 | } 115 | 116 | return b, nil 117 | } 118 | 119 | // User returns the user with the given username. Error is set to 120 | // ErrMissingUser if user is not found. 121 | func (b SqlAuthBackend) User(username string) (user UserData, e error) { 122 | row := b.userStmt.QueryRow(username) 123 | err := row.Scan(&user.Email, &user.Hash, &user.Role) 124 | if err != nil { 125 | if err == sql.ErrNoRows { 126 | return user, ErrMissingUser 127 | } 128 | return user, mksqlerror(err.Error()) 129 | } 130 | user.Username = username 131 | return user, nil 132 | } 133 | 134 | // Users returns a slice of all users. 135 | func (b SqlAuthBackend) Users() (us []UserData, e error) { 136 | rows, err := b.usersStmt.Query() 137 | if err != nil { 138 | return us, mksqlerror(err.Error()) 139 | } 140 | var ( 141 | username, email, role string 142 | hash []byte 143 | ) 144 | for rows.Next() { 145 | err = rows.Scan(&username, &email, &hash, &role) 146 | if err != nil { 147 | return us, mksqlerror(err.Error()) 148 | } 149 | us = append(us, UserData{username, email, hash, role}) 150 | } 151 | return us, nil 152 | } 153 | 154 | // SaveUser adds a new user, replacing one with the same username. 155 | func (b SqlAuthBackend) SaveUser(user UserData) (err error) { 156 | if _, err := b.User(user.Username); err == nil { 157 | _, err = b.updateStmt.Exec(user.Email, user.Hash, user.Role, user.Username) 158 | } else { 159 | _, err = b.insertStmt.Exec(user.Username, user.Email, user.Hash, user.Role) 160 | } 161 | return 162 | } 163 | 164 | // DeleteUser removes a user, raising ErrDeleteNull if that user was missing. 165 | func (b SqlAuthBackend) DeleteUser(username string) error { 166 | result, err := b.deleteStmt.Exec(username) 167 | if err != nil { 168 | return mksqlerror(err.Error()) 169 | } 170 | rows, err := result.RowsAffected() 171 | if err != nil { 172 | return mksqlerror(err.Error()) 173 | } 174 | if rows == 0 { 175 | return ErrDeleteNull 176 | } 177 | return nil 178 | } 179 | 180 | // Close cleans up the backend by terminating the database connection. 181 | func (b SqlAuthBackend) Close() { 182 | b.db.Close() 183 | b.userStmt.Close() 184 | b.usersStmt.Close() 185 | b.insertStmt.Close() 186 | b.updateStmt.Close() 187 | b.deleteStmt.Close() 188 | } 189 | -------------------------------------------------------------------------------- /auth_test.go: -------------------------------------------------------------------------------- 1 | package httpauth 2 | 3 | import ( 4 | "net/http" 5 | "net/http/httptest" 6 | "os" 7 | "testing" 8 | "time" 9 | ) 10 | 11 | var ( 12 | b GobFileAuthBackend 13 | a Authorizer 14 | file = "auth_test.gob" 15 | c http.Client 16 | authCookie http.Cookie 17 | ) 18 | 19 | func init() { 20 | roles := make(map[string]Role) 21 | roles["user"] = 40 22 | roles["admin"] = 80 23 | t, _ := time.Parse("Mon, 02 Jan 2006 15:04:05 MST", "Mon, 07 Apr 2014 21:47:54 UTC") 24 | authCookie = http.Cookie{ 25 | Name: "auth", 26 | Value: "MTM5NDMxNTI3NHxEdi1GQkFFQ180WUFBUkFCRUFBQUt2LUdBQUVHYzNSeWFXNW5EQW9BQ0hWelpYSnVZVzFsQm5OMGNtbHVad3dLQUFoMWMyVnlibUZ0WlE9PXxR5vqFijkMnXg5SNpymM0LhaNRdlA97bBarGb_S4ghGQ==", 27 | Path: "/", 28 | Expires: t, 29 | MaxAge: 2592000} 30 | } 31 | 32 | func TestNewAuthorizer(t *testing.T) { 33 | os.Remove(file) 34 | if _, err := os.Create(file); err != nil { 35 | t.Fatal(err.Error()) 36 | } 37 | 38 | var err error 39 | b, err = NewGobFileAuthBackend(file) 40 | if err != nil { 41 | t.Fatal(err.Error()) 42 | } 43 | 44 | roles := make(map[string]Role) 45 | roles["user"] = 40 46 | roles["admin"] = 80 47 | a, err = NewAuthorizer(b, []byte("testkey"), "user", roles) 48 | if err != nil { 49 | t.Fatal(err.Error()) 50 | } 51 | } 52 | 53 | func TestRegister(t *testing.T) { 54 | rw := httptest.NewRecorder() 55 | req, _ := http.NewRequest("POST", "/", nil) 56 | newUser := UserData{Username: "username", Email: "email@example.com"} 57 | err := a.Register(rw, req, newUser, "password") 58 | if err != nil { 59 | t.Fatalf("Register: %v", err) 60 | } 61 | if rw.Code != http.StatusOK { 62 | t.Fatalf("Register: Wrong status code: %v", rw.Code) 63 | } 64 | 65 | newUser2 := UserData{Username: "username", Email: "email@example.com", Role: "admin"} 66 | err = a.Register(rw, req, newUser2, "password") 67 | if rw.Code != http.StatusOK { 68 | t.Fatalf("Register: Wrong status code: %v", rw.Code) 69 | } 70 | if err == nil { 71 | t.Fatal("Register: User registered with duplicate name") 72 | } 73 | if em := err.Error(); em != "httpauth: user already exists" { 74 | t.Fatalf("Register: %v", em) 75 | } 76 | headers := rw.Header() 77 | if headers.Get("Set-Cookie") == "" { 78 | t.Fatal("Messages cookies not set") 79 | } 80 | } 81 | 82 | func TestUpdate(t *testing.T) { 83 | rw := httptest.NewRecorder() 84 | req, _ := http.NewRequest("POST", "/", nil) 85 | updatedEmail := "email2@example.com" 86 | err := a.Update(rw, req, "username", "", updatedEmail) 87 | if err != nil { 88 | t.Fatalf("Update: %v", err) 89 | } 90 | if rw.Code != http.StatusOK { 91 | t.Fatalf("Update: Wrong status code: %v", rw.Code) 92 | } 93 | 94 | user, err := a.backend.User("username") 95 | if err != nil { 96 | t.Fatalf("Couldn't get updated user: %v", err) 97 | } 98 | 99 | if user.Email != updatedEmail { 100 | t.Errorf("Updated user's email is %s, expected %s", user.Email, updatedEmail) 101 | } 102 | } 103 | 104 | func TestLogin(t *testing.T) { 105 | rw := httptest.NewRecorder() 106 | req, _ := http.NewRequest("POST", "/", nil) 107 | if err := a.Login(rw, req, "username", "wrongpassword", "/redirect"); err == nil { 108 | t.Fatal("Login: Logged in with incorrect password.") 109 | } 110 | headers := rw.Header() 111 | if cookies := headers.Get("Set-Cookie"); cookies == "" { 112 | t.Fatal("Login: No cookies set") 113 | } 114 | 115 | req.AddCookie(&authCookie) 116 | if err := a.Login(rw, req, "username", "password", "/redirect"); err != nil { 117 | t.Fatal("Login: Didn't catch existing cookie") 118 | } 119 | req, _ = http.NewRequest("POST", "/", nil) 120 | if err := a.Login(rw, req, "username", "password", "/redirect"); err != nil { 121 | t.Fatalf("Login: Error on login: %v", err) 122 | } 123 | headers = rw.Header() 124 | if loc := headers.Get("Location"); loc != "/redirect" { 125 | t.Fatal("Login: Redirect not set") 126 | } 127 | if cookies := headers.Get("Set-Cookie"); cookies == "" { 128 | t.Fatal("Login: No cookies set") 129 | } 130 | } 131 | 132 | func TestAuthorize(t *testing.T) { 133 | rw := httptest.NewRecorder() 134 | req, _ := http.NewRequest("GET", "/", nil) 135 | if err := a.Authorize(rw, req, true); err == nil { 136 | t.Fatal("Authorize: no error on non authorized request") 137 | } 138 | a.Login(rw, req, "username", "password", "/redirect") 139 | 140 | req.AddCookie(&authCookie) 141 | if err := a.Authorize(rw, req, true); err == nil || err.Error() != "no session existed" { 142 | t.Log("Authorization: didn't catch new cookie") 143 | } 144 | req, _ = http.NewRequest("GET", "/", nil) 145 | if err := a.Login(rw, req, "username", "password", "/redirect"); err != nil { 146 | t.Fatalf("Authorization login error: %v", err) 147 | } 148 | req.AddCookie(&authCookie) 149 | if err := a.Authorize(rw, req, true); err != nil { 150 | t.Fatalf("Authorization error: %v", err) // Should work 151 | } 152 | } 153 | 154 | func TestAuthorizeRole(t *testing.T) { 155 | rw := httptest.NewRecorder() 156 | req, _ := http.NewRequest("GET", "/", nil) 157 | if err := a.AuthorizeRole(rw, req, "user", true); err == nil { 158 | t.Fatal("AuthorizeRole: no error on non authorized request") 159 | } 160 | a.Login(rw, req, "username", "password", "/redirect") 161 | 162 | req.AddCookie(&authCookie) 163 | // TODO: 164 | //if err := a.AuthorizeRole(rw, req, 20, true); err == nil || err.Error() != "no session existed" { 165 | // t.Log("Authorization: didn't catch new cookie") 166 | //} 167 | req, _ = http.NewRequest("GET", "/", nil) 168 | if err := a.Login(rw, req, "username", "password", "/redirect"); err != nil { 169 | t.Fatalf("Authorization login error: %v", err) 170 | } 171 | req.AddCookie(&authCookie) 172 | if err := a.AuthorizeRole(rw, req, "blah", true); err == nil { 173 | t.Fatal("AuthorizeRole error: Didn't fail on invalid role") 174 | } 175 | if err := a.AuthorizeRole(rw, req, "user", true); err != nil { 176 | t.Fatalf("AuthorizeRole error: %v", err) // Should work 177 | } 178 | if err := a.AuthorizeRole(rw, req, "admin", true); err == nil { 179 | t.Fatal("AuthorizeRole error: didn't restrict lower role user", err) // Should work 180 | } 181 | } 182 | 183 | func TestLogout(t *testing.T) { 184 | rw := httptest.NewRecorder() 185 | req, _ := http.NewRequest("GET", "/", nil) 186 | if err := a.Logout(rw, req); err != nil { 187 | t.Fatalf("Logout error: %v", err) 188 | } 189 | // headers := rw.Header() 190 | // TODO: Test that the auth cookie's expiration date is set to Thu, 01 Jan 1970 00:00:01 191 | } 192 | 193 | func TestDeleteUser(t *testing.T) { 194 | if err := a.DeleteUser("username"); err != nil { 195 | t.Fatalf("DeleteUser error: %v", err) 196 | } 197 | if err := a.DeleteUser("username"); err != ErrDeleteNull { 198 | t.Fatalf("DeleteUser should have returned ErrDeleteNull: got %v", err) 199 | } 200 | 201 | os.Remove(file) 202 | } 203 | -------------------------------------------------------------------------------- /examples/server.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "html/template" 6 | "net/http" 7 | "strings" 8 | "os" 9 | 10 | "github.com/apexskier/httpauth" 11 | "github.com/gorilla/mux" 12 | ) 13 | 14 | var ( 15 | backend httpauth.LeveldbAuthBackend 16 | aaa httpauth.Authorizer 17 | roles map[string]httpauth.Role 18 | port = 8009 19 | backendfile = "auth.leveldb" 20 | ) 21 | 22 | func main() { 23 | var err error 24 | os.Mkdir(backendfile, 0755) 25 | defer os.Remove(backendfile) 26 | 27 | // create the backend 28 | backend, err = httpauth.NewLeveldbAuthBackend(backendfile) 29 | if err != nil { 30 | panic(err) 31 | } 32 | 33 | // create some default roles 34 | roles = make(map[string]httpauth.Role) 35 | roles["user"] = 30 36 | roles["admin"] = 80 37 | aaa, err = httpauth.NewAuthorizer(backend, []byte("cookie-encryption-key"), "user", roles) 38 | 39 | // create a default user 40 | username := "admin" 41 | defaultUser := httpauth.UserData{Username: username, Role: "admin"} 42 | err = backend.SaveUser(defaultUser) 43 | if err != nil { 44 | panic(err) 45 | } 46 | // Update user with a password and email address 47 | err = aaa.Update(nil, nil, username, "adminadmin", "admin@localhost.com") 48 | if err != nil { 49 | panic(err) 50 | } 51 | 52 | // set up routers and route handlers 53 | r := mux.NewRouter() 54 | r.HandleFunc("/login", getLogin).Methods("GET") 55 | r.HandleFunc("/register", postRegister).Methods("POST") 56 | r.HandleFunc("/login", postLogin).Methods("POST") 57 | r.HandleFunc("/admin", handleAdmin).Methods("GET") 58 | r.HandleFunc("/add_user", postAddUser).Methods("POST") 59 | r.HandleFunc("/change", postChange).Methods("POST") 60 | r.HandleFunc("/", handlePage).Methods("GET") // authorized page 61 | r.HandleFunc("/logout", handleLogout) 62 | 63 | http.Handle("/", r) 64 | fmt.Printf("Server running on port %d\n", port) 65 | http.ListenAndServe(fmt.Sprintf(":%d", port), nil) 66 | } 67 | 68 | func getLogin(rw http.ResponseWriter, req *http.Request) { 69 | messages := aaa.Messages(rw, req) 70 | fmt.Fprintf(rw, ` 71 | 72 | Login 73 | 74 |

Httpauth example

75 |

Entry Page

76 |

Messages: %v

77 |

Login

78 |
79 |
80 |
81 | 82 |
83 |

Register

84 |
85 |
86 |
87 |
88 | 89 |
90 | 91 | 92 | `, messages) 93 | } 94 | 95 | func postLogin(rw http.ResponseWriter, req *http.Request) { 96 | username := req.PostFormValue("username") 97 | password := req.PostFormValue("password") 98 | if err := aaa.Login(rw, req, username, password, "/"); err == nil || (err != nil && strings.Contains(err.Error(), "already authenticated")) { 99 | http.Redirect(rw, req, "/", http.StatusSeeOther) 100 | } else if err != nil { 101 | fmt.Println(err) 102 | http.Redirect(rw, req, "/login", http.StatusSeeOther) 103 | } 104 | } 105 | 106 | func postRegister(rw http.ResponseWriter, req *http.Request) { 107 | var user httpauth.UserData 108 | user.Username = req.PostFormValue("username") 109 | user.Email = req.PostFormValue("email") 110 | password := req.PostFormValue("password") 111 | if err := aaa.Register(rw, req, user, password); err == nil { 112 | postLogin(rw, req) 113 | } else { 114 | http.Redirect(rw, req, "/login", http.StatusSeeOther) 115 | } 116 | } 117 | 118 | func postAddUser(rw http.ResponseWriter, req *http.Request) { 119 | var user httpauth.UserData 120 | user.Username = req.PostFormValue("username") 121 | user.Email = req.PostFormValue("email") 122 | password := req.PostFormValue("password") 123 | user.Role = req.PostFormValue("role") 124 | if err := aaa.Register(rw, req, user, password); err != nil { 125 | // maybe something 126 | } 127 | 128 | http.Redirect(rw, req, "/admin", http.StatusSeeOther) 129 | } 130 | 131 | func postChange(rw http.ResponseWriter, req *http.Request) { 132 | email := req.PostFormValue("new_email") 133 | aaa.Update(rw, req, "", "", email) 134 | http.Redirect(rw, req, "/", http.StatusSeeOther) 135 | } 136 | 137 | func handlePage(rw http.ResponseWriter, req *http.Request) { 138 | if err := aaa.Authorize(rw, req, true); err != nil { 139 | fmt.Println(err) 140 | http.Redirect(rw, req, "/login", http.StatusSeeOther) 141 | return 142 | } 143 | if user, err := aaa.CurrentUser(rw, req); err == nil { 144 | type data struct { 145 | User httpauth.UserData 146 | } 147 | d := data{User: user} 148 | t, err := template.New("page").Parse(` 149 | 150 | Secret page 151 | 152 |

Httpauth example

153 | {{ with .User }} 154 |

Hello {{ .Username }}

155 |

Your role is '{{ .Role }}'. Your email is {{ .Email }}.

156 |

{{ if .Role | eq "admin" }}Admin page {{ end }}Logout

157 | {{ end }} 158 |
159 |

Change email

160 |

161 | 162 |
163 | 164 | `) 165 | if err != nil { 166 | panic(err) 167 | } 168 | t.Execute(rw, d) 169 | } 170 | } 171 | 172 | func handleAdmin(rw http.ResponseWriter, req *http.Request) { 173 | if err := aaa.AuthorizeRole(rw, req, "admin", true); err != nil { 174 | fmt.Println(err) 175 | http.Redirect(rw, req, "/login", http.StatusSeeOther) 176 | return 177 | } 178 | if user, err := aaa.CurrentUser(rw, req); err == nil { 179 | type data struct { 180 | User httpauth.UserData 181 | Roles map[string]httpauth.Role 182 | Users []httpauth.UserData 183 | Msg []string 184 | } 185 | messages := aaa.Messages(rw, req) 186 | users, err := backend.Users() 187 | if err != nil { 188 | panic(err) 189 | } 190 | d := data{User: user, Roles: roles, Users: users, Msg: messages} 191 | t, err := template.New("admin").Parse(` 192 | 193 | Admin page 194 | 195 |

Httpauth example

196 |

Admin Page

197 |

{{.Msg}}

198 | {{ with .User }}

Hello {{ .Username }}, your role is '{{ .Role }}'. Your email is {{ .Email }}.

{{ end }} 199 |

Back Logout

200 |

Users

201 | 202 |
203 |

Add user

204 |


205 |
206 |
207 |

211 | 212 |
213 | 214 | `) 215 | if err != nil { 216 | panic(err) 217 | } 218 | t.Execute(rw, d) 219 | } 220 | } 221 | 222 | func handleLogout(rw http.ResponseWriter, req *http.Request) { 223 | if err := aaa.Logout(rw, req); err != nil { 224 | fmt.Println(err) 225 | // this shouldn't happen 226 | return 227 | } 228 | http.Redirect(rw, req, "/", http.StatusSeeOther) 229 | } 230 | -------------------------------------------------------------------------------- /auth.go: -------------------------------------------------------------------------------- 1 | // Package httpauth implements cookie/session based authentication and 2 | // authorization. Intended for use with the net/http or github.com/gorilla/mux 3 | // packages, but may work with github.com/codegangsta/martini as well. 4 | // Credentials are stored as a username + password hash, computed with bcrypt. 5 | // 6 | // Three user storage systems are currently implemented: file based 7 | // (encoding/gob), sql databases (database/sql), and MongoDB databases. 8 | // 9 | // Access can be restricted by a users' role. A higher role will give more 10 | // access. 11 | // 12 | // Users can be redirected to the page that triggered an authentication error. 13 | // 14 | // Messages describing the reason a user could not authenticate are saved in a 15 | // cookie, and can be accessed with the Messages function. 16 | // 17 | // Example source can be found at 18 | // https://github.com/apexskier/httpauth/blob/master/examples/server.go 19 | package httpauth 20 | 21 | import ( 22 | "errors" 23 | "net/http" 24 | 25 | "github.com/gorilla/sessions" 26 | "golang.org/x/crypto/bcrypt" 27 | ) 28 | 29 | // ErrDeleteNull is returned by DeleteUser when that user didn't exist at the 30 | // time of call. 31 | // ErrMissingUser is returned by Users when a user is not found. 32 | var ( 33 | ErrDeleteNull = mkerror("deleting nonexistent user") 34 | ErrMissingUser = mkerror("can't find user") 35 | ) 36 | 37 | // Role represents an interal role. Roles are essentially a string mapped to an 38 | // integer. Roles must be greater than zero. 39 | type Role int 40 | 41 | // UserData represents a single user. It contains the users username, email, 42 | // and role as well as a hash of their password. When creating 43 | // users, you should not specify a hash; it will be generated in the Register 44 | // and Update functions. 45 | type UserData struct { 46 | Username string `bson:"Username"` 47 | Email string `bson:"Email"` 48 | Hash []byte `bson:"Hash"` 49 | Role string `bson:"Role"` 50 | } 51 | 52 | // Authorizer structures contain the store of user session cookies a reference 53 | // to a backend storage system. 54 | type Authorizer struct { 55 | cookiejar *sessions.CookieStore 56 | backend AuthBackend 57 | defaultRole string 58 | roles map[string]Role 59 | } 60 | 61 | // The AuthBackend interface defines a set of methods an AuthBackend must 62 | // implement. 63 | type AuthBackend interface { 64 | SaveUser(u UserData) error 65 | User(username string) (user UserData, e error) 66 | Users() (users []UserData, e error) 67 | DeleteUser(username string) error 68 | Close() 69 | } 70 | 71 | // Helper function to add a user directed message to a message queue. 72 | func (a Authorizer) addMessage(rw http.ResponseWriter, req *http.Request, message string) { 73 | messageSession, _ := a.cookiejar.Get(req, "messages") 74 | defer messageSession.Save(req, rw) 75 | messageSession.AddFlash(message) 76 | } 77 | 78 | // Helper function to save a redirect to the page a user tried to visit before 79 | // logging in. 80 | func (a Authorizer) goBack(rw http.ResponseWriter, req *http.Request) { 81 | redirectSession, _ := a.cookiejar.Get(req, "redirects") 82 | defer redirectSession.Save(req, rw) 83 | redirectSession.Flashes() 84 | redirectSession.AddFlash(req.URL.Path) 85 | } 86 | 87 | func mkerror(msg string) error { 88 | return errors.New("httpauth: " + msg) 89 | } 90 | 91 | // NewAuthorizer returns a new Authorizer given an AuthBackend, a cookie store 92 | // key, a default user role, and a map of roles. If the key changes, logged in 93 | // users will need to reauthenticate. 94 | // 95 | // Roles are a map of string to httpauth.Role values (integers). Higher Role values 96 | // have more access. 97 | // 98 | // Example roles: 99 | // 100 | // var roles map[string]httpauth.Role 101 | // roles["user"] = 2 102 | // roles["admin"] = 4 103 | // roles["moderator"] = 3 104 | func NewAuthorizer(backend AuthBackend, key []byte, defaultRole string, roles map[string]Role) (Authorizer, error) { 105 | var a Authorizer 106 | a.cookiejar = sessions.NewCookieStore([]byte(key)) 107 | a.backend = backend 108 | a.roles = roles 109 | a.defaultRole = defaultRole 110 | if _, ok := roles[defaultRole]; !ok { 111 | return a, mkerror("httpauth: defaultRole missing") 112 | } 113 | return a, nil 114 | } 115 | 116 | // Login logs a user in. They will be redirected to dest or to the last 117 | // location an authorization redirect was triggered (if found) on success. A 118 | // message will be added to the session on failure with the reason. 119 | func (a Authorizer) Login(rw http.ResponseWriter, req *http.Request, u string, p string, dest string) error { 120 | session, _ := a.cookiejar.Get(req, "auth") 121 | if session.Values["username"] == u { 122 | return mkerror("already authenticated") 123 | } 124 | if user, err := a.backend.User(u); err == nil { 125 | verify := bcrypt.CompareHashAndPassword(user.Hash, []byte(p)) 126 | if verify != nil { 127 | a.addMessage(rw, req, "Invalid username or password.") 128 | return mkerror("password doesn't match") 129 | } 130 | } else { 131 | a.addMessage(rw, req, "Invalid username or password.") 132 | return mkerror("user not found") 133 | } 134 | session.Values["username"] = u 135 | session.Save(req, rw) 136 | 137 | redirectSession, _ := a.cookiejar.Get(req, "redirects") 138 | if flashes := redirectSession.Flashes(); len(flashes) > 0 { 139 | dest = flashes[0].(string) 140 | } 141 | http.Redirect(rw, req, dest, http.StatusSeeOther) 142 | return nil 143 | } 144 | 145 | // Register and save a new user. Returns an error and adds a message if the 146 | // username is in use. 147 | // 148 | // Pass in a instance of UserData with at least a username and email specified. If no role 149 | // is given, the default one is used. 150 | func (a Authorizer) Register(rw http.ResponseWriter, req *http.Request, user UserData, password string) error { 151 | if user.Username == "" { 152 | return mkerror("no username given") 153 | } 154 | if user.Email == "" { 155 | return mkerror("no email given") 156 | } 157 | if user.Hash != nil { 158 | return mkerror("hash will be overwritten") 159 | } 160 | if password == "" { 161 | return mkerror("no password given") 162 | } 163 | 164 | // Validate username 165 | _, err := a.backend.User(user.Username) 166 | if err == nil { 167 | a.addMessage(rw, req, "Username has been taken.") 168 | return mkerror("user already exists") 169 | } else if err != ErrMissingUser { 170 | if err != nil { 171 | return mkerror(err.Error()) 172 | } 173 | return nil 174 | } 175 | 176 | // Generate and save hash 177 | hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) 178 | if err != nil { 179 | return mkerror("couldn't save password: " + err.Error()) 180 | } 181 | user.Hash = hash 182 | 183 | // Validate role 184 | if user.Role == "" { 185 | user.Role = a.defaultRole 186 | } else { 187 | if _, ok := a.roles[user.Role]; !ok { 188 | return mkerror("nonexistent role") 189 | } 190 | } 191 | 192 | err = a.backend.SaveUser(user) 193 | if err != nil { 194 | a.addMessage(rw, req, err.Error()) 195 | return mkerror(err.Error()) 196 | } 197 | return nil 198 | } 199 | 200 | // Update changes data for an existing user. 201 | // The behavior of the update varies depending on how the arguments are passed: 202 | // If an empty username u is passed then it updates the current user from the session 203 | // (self-edit scenario) 204 | // If the username u is passed explicitly then it updates the passed username 205 | // (admin update scenario) 206 | // If an empty password p is passed then it keeps the original rather than 207 | // regenerating the hash, if a new password is passed then it regenerates the hash. 208 | // If an empty email e is passed then it keeps the orginal rather than updating it, 209 | // if a new email is passedn then it updates it. 210 | func (a Authorizer) Update(rw http.ResponseWriter, req *http.Request, u string, p string, e string) error { 211 | var ( 212 | hash []byte 213 | email string 214 | username string 215 | ok bool 216 | ) 217 | if u != "" { 218 | username = u 219 | } else { 220 | authSession, err := a.cookiejar.Get(req, "auth") 221 | if err != nil { 222 | return mkerror("couldn't get session needed to update user: " + err.Error()) 223 | } 224 | username, ok = authSession.Values["username"].(string) 225 | if !ok { 226 | return mkerror("not logged in") 227 | } 228 | } 229 | user, err := a.backend.User(username) 230 | if err == ErrMissingUser { 231 | a.addMessage(rw, req, "User doesn't exist.") 232 | return mkerror("user doesn't exists") 233 | } else if err != nil { 234 | return mkerror(err.Error()) 235 | } 236 | if p != "" { 237 | hash, err = bcrypt.GenerateFromPassword([]byte(p), bcrypt.DefaultCost) 238 | if err != nil { 239 | return mkerror("couldn't save password: " + err.Error()) 240 | } 241 | } else { 242 | hash = user.Hash 243 | } 244 | if e != "" { 245 | email = e 246 | } else { 247 | email = user.Email 248 | } 249 | 250 | newuser := UserData{username, email, hash, user.Role} 251 | 252 | err = a.backend.SaveUser(newuser) 253 | if err != nil { 254 | a.addMessage(rw, req, err.Error()) 255 | } 256 | return nil 257 | } 258 | 259 | // Authorize checks if a user is logged in and returns an error on failed 260 | // authentication. If redirectWithMessage is set, the page being authorized 261 | // will be saved and a "Login to do that." message will be saved to the 262 | // messages list. The next time the user logs in, they will be redirected back 263 | // to the saved page. 264 | func (a Authorizer) Authorize(rw http.ResponseWriter, req *http.Request, redirectWithMessage bool) error { 265 | authSession, err := a.cookiejar.Get(req, "auth") 266 | if err != nil { 267 | if redirectWithMessage { 268 | a.goBack(rw, req) 269 | } 270 | return mkerror("new authorization session") 271 | } 272 | /*if authSession.IsNew { 273 | if redirectWithMessage { 274 | a.goBack(rw, req) 275 | a.addMessage(rw, req, "Log in to do that.") 276 | } 277 | return mkerror("no session existed") 278 | }*/ 279 | username := authSession.Values["username"] 280 | if !authSession.IsNew && username != nil { 281 | _, err := a.backend.User(username.(string)) 282 | if err == ErrMissingUser { 283 | authSession.Options.MaxAge = -1 // kill the cookie 284 | authSession.Save(req, rw) 285 | if redirectWithMessage { 286 | a.goBack(rw, req) 287 | a.addMessage(rw, req, "Log in to do that.") 288 | } 289 | return mkerror("user not found") 290 | } else if err != nil { 291 | return mkerror(err.Error()) 292 | } 293 | } 294 | if username == nil { 295 | if redirectWithMessage { 296 | a.goBack(rw, req) 297 | a.addMessage(rw, req, "Log in to do that.") 298 | } 299 | return mkerror("user not logged in") 300 | } 301 | return nil 302 | } 303 | 304 | // AuthorizeRole runs Authorize on a user, then makes sure their role is at 305 | // least as high as the specified one, failing if not. 306 | func (a Authorizer) AuthorizeRole(rw http.ResponseWriter, req *http.Request, role string, redirectWithMessage bool) error { 307 | r, ok := a.roles[role] 308 | if !ok { 309 | return mkerror("role not found") 310 | } 311 | if err := a.Authorize(rw, req, redirectWithMessage); err != nil { 312 | return mkerror(err.Error()) 313 | } 314 | authSession, _ := a.cookiejar.Get(req, "auth") // should I check err? I've already checked in call to Authorize 315 | username := authSession.Values["username"] 316 | if user, err := a.backend.User(username.(string)); err == nil { 317 | if a.roles[user.Role] >= r { 318 | return nil 319 | } 320 | a.addMessage(rw, req, "You don't have sufficient privileges.") 321 | return mkerror("user doesn't have high enough role") 322 | } 323 | return mkerror("user not found") 324 | } 325 | 326 | // CurrentUser returns the currently logged in user and a boolean validating 327 | // the information. 328 | func (a Authorizer) CurrentUser(rw http.ResponseWriter, req *http.Request) (user UserData, e error) { 329 | if err := a.Authorize(rw, req, false); err != nil { 330 | return user, mkerror(err.Error()) 331 | } 332 | authSession, _ := a.cookiejar.Get(req, "auth") 333 | 334 | username, ok := authSession.Values["username"].(string) 335 | if !ok { 336 | return user, mkerror("User not found in authsession") 337 | } 338 | return a.backend.User(username) 339 | } 340 | 341 | // Logout clears an authentication session and add a logged out message. 342 | func (a Authorizer) Logout(rw http.ResponseWriter, req *http.Request) error { 343 | session, _ := a.cookiejar.Get(req, "auth") 344 | defer session.Save(req, rw) 345 | 346 | session.Options.MaxAge = -1 // kill the cookie 347 | a.addMessage(rw, req, "Logged out.") 348 | return nil 349 | } 350 | 351 | // DeleteUser removes a user from the Authorize. ErrMissingUser is returned if 352 | // the user to be deleted isn't found. 353 | func (a Authorizer) DeleteUser(username string) error { 354 | err := a.backend.DeleteUser(username) 355 | if err != nil && err != ErrDeleteNull { 356 | return mkerror(err.Error()) 357 | } 358 | return err 359 | } 360 | 361 | // Messages fetches a list of saved messages. Use this to get a nice message to print to 362 | // the user on a login page or registration page in case something happened 363 | // (username taken, invalid credentials, successful logout, etc). 364 | func (a Authorizer) Messages(rw http.ResponseWriter, req *http.Request) []string { 365 | session, _ := a.cookiejar.Get(req, "messages") 366 | flashes := session.Flashes() 367 | session.Save(req, rw) 368 | var messages []string 369 | for _, val := range flashes { 370 | messages = append(messages, val.(string)) 371 | } 372 | return messages 373 | } 374 | --------------------------------------------------------------------------------