2017-01-03 06:12:06 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
2021-07-15 22:34:01 +02:00
|
|
|
"fmt"
|
|
|
|
"github.com/labstack/echo/v5"
|
2022-01-24 22:03:45 +02:00
|
|
|
"net/http"
|
2017-01-03 06:12:06 +02:00
|
|
|
)
|
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// KeyAuthConfig defines the config for KeyAuth middleware.
|
|
|
|
type KeyAuthConfig struct {
|
|
|
|
// Skipper defines a function to skip middleware.
|
|
|
|
Skipper Skipper
|
|
|
|
|
|
|
|
// KeyLookup is a string in the form of "<source>:<name>" or "<source>:<name>,<source>:<name>" that is used
|
|
|
|
// to extract key from the request.
|
|
|
|
// Optional. Default value "header:Authorization".
|
|
|
|
// Possible values:
|
|
|
|
// - "header:<name>" or "header:<name>:<cut-prefix>"
|
|
|
|
// `<cut-prefix>` is argument value to cut/trim prefix of the extracted value. This is useful if header
|
|
|
|
// value has static prefix like `Authorization: <auth-scheme> <authorisation-parameters>` where part that we
|
|
|
|
// want to cut is `<auth-scheme> ` note the space at the end.
|
|
|
|
// In case of basic authentication `Authorization: Basic <credentials>` prefix we want to remove is `Basic `.
|
|
|
|
// - "query:<name>"
|
|
|
|
// - "form:<name>"
|
|
|
|
// - "cookie:<name>"
|
|
|
|
// Multiple sources example:
|
|
|
|
// - "header:Authorization,header:X-Api-Key"
|
|
|
|
KeyLookup string
|
|
|
|
|
|
|
|
// Validator is a function to validate key.
|
|
|
|
// Required.
|
|
|
|
Validator KeyAuthValidator
|
|
|
|
|
|
|
|
// ErrorHandler defines a function which is executed when all lookups have been done and none of them passed Validator
|
|
|
|
// function. ErrorHandler is executed with last missing (ErrExtractionValueMissing) or an invalid key.
|
|
|
|
// It may be used to define a custom error.
|
|
|
|
//
|
|
|
|
// Note: when error handler swallows the error (returns nil) middleware continues handler chain execution towards handler.
|
|
|
|
// This is useful in cases when portion of your site/api is publicly accessible and has extra features for authorized users
|
|
|
|
// In that case you can use ErrorHandler to set default public auth value to request and continue with handler chain.
|
|
|
|
ErrorHandler KeyAuthErrorHandler
|
|
|
|
|
|
|
|
// ContinueOnIgnoredError allows the next middleware/handler to be called when ErrorHandler decides to
|
|
|
|
// ignore the error (by returning `nil`).
|
|
|
|
// This is useful when parts of your site/api allow public access and some authorized routes provide extra functionality.
|
|
|
|
// In that case you can use ErrorHandler to set a default public key auth value in the request context
|
|
|
|
// and continue. Some logic down the remaining execution chain needs to check that (public) key auth value then.
|
|
|
|
ContinueOnIgnoredError bool
|
|
|
|
}
|
2017-01-03 06:12:06 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// KeyAuthValidator defines a function to validate KeyAuth credentials.
|
2022-05-21 21:34:29 +02:00
|
|
|
type KeyAuthValidator func(c echo.Context, key string, source ExtractorSource) (bool, error)
|
2021-05-08 21:25:11 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// KeyAuthErrorHandler defines a function which is executed for an invalid key.
|
|
|
|
type KeyAuthErrorHandler func(c echo.Context, err error) error
|
2017-01-03 06:12:06 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// ErrKeyMissing denotes an error raised when key value could not be extracted from request
|
|
|
|
var ErrKeyMissing = echo.NewHTTPError(http.StatusUnauthorized, "missing key")
|
2017-01-03 06:12:06 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// ErrInvalidKey denotes an error raised when key value is invalid by validator
|
|
|
|
var ErrInvalidKey = echo.NewHTTPError(http.StatusUnauthorized, "invalid key")
|
2022-01-24 22:03:45 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// DefaultKeyAuthConfig is the default KeyAuth middleware config.
|
|
|
|
var DefaultKeyAuthConfig = KeyAuthConfig{
|
|
|
|
Skipper: DefaultSkipper,
|
|
|
|
KeyLookup: "header:" + echo.HeaderAuthorization + ":Bearer ",
|
2022-01-24 22:03:45 +02:00
|
|
|
}
|
|
|
|
|
2017-01-03 06:12:06 +02:00
|
|
|
// KeyAuth returns an KeyAuth middleware.
|
|
|
|
//
|
|
|
|
// For valid key it calls the next handler.
|
|
|
|
// For invalid key, it sends "401 - Unauthorized" response.
|
|
|
|
// For missing key, it sends "400 - Bad Request" response.
|
|
|
|
func KeyAuth(fn KeyAuthValidator) echo.MiddlewareFunc {
|
|
|
|
c := DefaultKeyAuthConfig
|
|
|
|
c.Validator = fn
|
|
|
|
return KeyAuthWithConfig(c)
|
|
|
|
}
|
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// KeyAuthWithConfig returns an KeyAuth middleware or panics if configuration is invalid.
|
|
|
|
//
|
|
|
|
// For first valid key it calls the next handler.
|
|
|
|
// For invalid key, it sends "401 - Unauthorized" response.
|
|
|
|
// For missing key, it sends "400 - Bad Request" response.
|
2017-01-03 06:12:06 +02:00
|
|
|
func KeyAuthWithConfig(config KeyAuthConfig) echo.MiddlewareFunc {
|
2021-07-15 22:34:01 +02:00
|
|
|
return toMiddlewareOrPanic(config)
|
|
|
|
}
|
|
|
|
|
|
|
|
// ToMiddleware converts KeyAuthConfig to middleware or returns an error for invalid configuration
|
|
|
|
func (config KeyAuthConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
|
2017-01-03 06:12:06 +02:00
|
|
|
if config.Skipper == nil {
|
|
|
|
config.Skipper = DefaultKeyAuthConfig.Skipper
|
|
|
|
}
|
|
|
|
if config.KeyLookup == "" {
|
|
|
|
config.KeyLookup = DefaultKeyAuthConfig.KeyLookup
|
|
|
|
}
|
|
|
|
if config.Validator == nil {
|
2021-07-15 22:34:01 +02:00
|
|
|
return nil, errors.New("echo key-auth middleware requires a validator function")
|
2017-01-03 06:12:06 +02:00
|
|
|
}
|
|
|
|
|
2023-02-28 22:12:14 +02:00
|
|
|
extractors, cErr := createExtractors(config.KeyLookup)
|
|
|
|
if cErr != nil {
|
|
|
|
return nil, fmt.Errorf("echo key-auth middleware could not create key extractor: %w", cErr)
|
2021-07-15 22:34:01 +02:00
|
|
|
}
|
|
|
|
if len(extractors) == 0 {
|
|
|
|
return nil, errors.New("echo key-auth middleware could not create extractors from KeyLookup string")
|
2017-01-03 06:12:06 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
|
|
return func(c echo.Context) error {
|
|
|
|
if config.Skipper(c) {
|
|
|
|
return next(c)
|
|
|
|
}
|
|
|
|
|
2022-01-24 22:03:45 +02:00
|
|
|
var lastExtractorErr error
|
|
|
|
var lastValidatorErr error
|
|
|
|
for _, extractor := range extractors {
|
2022-05-21 21:34:29 +02:00
|
|
|
keys, source, extrErr := extractor(c)
|
2021-07-15 22:34:01 +02:00
|
|
|
if extrErr != nil {
|
|
|
|
lastExtractorErr = extrErr
|
2022-01-24 22:03:45 +02:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
for _, key := range keys {
|
2022-05-21 21:34:29 +02:00
|
|
|
valid, err := config.Validator(c, key, source)
|
2022-01-24 22:03:45 +02:00
|
|
|
if err != nil {
|
|
|
|
lastValidatorErr = err
|
|
|
|
continue
|
|
|
|
}
|
2021-07-15 22:34:01 +02:00
|
|
|
if !valid {
|
|
|
|
lastValidatorErr = ErrInvalidKey
|
|
|
|
continue
|
2022-01-24 22:03:45 +02:00
|
|
|
}
|
2021-07-15 22:34:01 +02:00
|
|
|
return next(c)
|
2021-05-08 21:25:11 +02:00
|
|
|
}
|
2017-01-03 06:12:06 +02:00
|
|
|
}
|
2022-01-24 22:03:45 +02:00
|
|
|
|
2021-07-15 22:34:01 +02:00
|
|
|
// prioritize validator errors over extracting errors
|
2022-01-24 22:03:45 +02:00
|
|
|
err := lastValidatorErr
|
2021-07-15 22:34:01 +02:00
|
|
|
if err == nil {
|
|
|
|
err = lastExtractorErr
|
2022-01-24 22:03:45 +02:00
|
|
|
}
|
|
|
|
if config.ErrorHandler != nil {
|
2021-07-15 22:34:01 +02:00
|
|
|
tmpErr := config.ErrorHandler(c, err)
|
2022-01-24 22:03:45 +02:00
|
|
|
if config.ContinueOnIgnoredError && tmpErr == nil {
|
|
|
|
return next(c)
|
|
|
|
}
|
|
|
|
return tmpErr
|
|
|
|
}
|
2021-07-15 22:34:01 +02:00
|
|
|
if lastValidatorErr == nil {
|
|
|
|
return ErrKeyMissing.WithInternal(err)
|
2017-01-03 06:12:06 +02:00
|
|
|
}
|
2021-07-15 22:34:01 +02:00
|
|
|
return echo.ErrUnauthorized.WithInternal(err)
|
2021-07-20 07:06:23 +02:00
|
|
|
}
|
2021-07-15 22:34:01 +02:00
|
|
|
}, nil
|
2021-07-20 07:06:23 +02:00
|
|
|
}
|