package auth
import (
"fmt"
"net"
"net/http"
"net/url"
"strings"
"github.com/micro/go-micro/v2/auth"
"github.com/micro/go-micro/v2/logger"
)
// CombinedAuthHandler wraps a server and authenticates requests
func CombinedAuthHandler(h http.Handler) http.Handler {
return authHandler{
handler: h,
auth: auth.DefaultAuth,
}
}
type authHandler struct {
handler http.Handler
auth auth.Auth
}
func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
// Determine the namespace
namespace, err := namespaceFromRequest(req)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
// Set the namespace in the header
req.Header.Set(auth.NamespaceKey, namespace)
// Extract the token from the request
var token string
if header := req.Header.Get("Authorization"); len(header) > 0 {
// Extract the auth token from the request
if strings.HasPrefix(header, auth.BearerScheme) {
token = header[len(auth.BearerScheme):]
}
} else {
// Get the token out the cookies if not provided in headers
if c, err := req.Cookie("micro-token"); err == nil && c != nil {
token = strings.TrimPrefix(c.Value, auth.TokenCookieName+"=")
req.Header.Set("Authorization", auth.BearerScheme+token)
}
}
// Get the account using the token, fallback to a blank account
// since some endpoints can be unauthenticated, so the lack of an
// account doesn't necesserially mean a forbidden request
acc, err := h.auth.Inspect(token)
if err != nil {
acc = &auth.Account{Namespace: namespace}
}
// Check the accounts namespace matches the namespace we're operating
// within. If not forbid the request and log the occurance.
if acc.Namespace != namespace {
logger.Warnf("Cross namespace request forbidden: account %v (%v) requested access to %v in the %v namespace", acc.ID, acc.Namespace, req.URL.Path, namespace)
w.WriteHeader(http.StatusForbidden)
}
// Perform the verification check to see if the account has access to
// the resource they're requesting
err = h.auth.Verify(acc, &auth.Resource{
Type: "service",
Name: "go.micro.web",
Endpoint: req.URL.Path,
Namespace: namespace,
})
// The account has the necessary permissions to access the resource
if err == nil {
h.handler.ServeHTTP(w, req)
return
}
// The account is set, but they don't have enough permissions, hence
// we return a forbidden error.
if len(acc.ID) > 0 {
w.WriteHeader(http.StatusForbidden)
return
}
// If there is no auth login url set, 401
loginURL := h.auth.Options().LoginURL
if loginURL == "" {
w.WriteHeader(http.StatusUnauthorized)
return
}
// Redirect to the login path
params := url.Values{"redirect_to": {req.URL.Path}}
loginWithRedirect := fmt.Sprintf("%v?%v", loginURL, params.Encode())
http.Redirect(w, req, loginWithRedirect, http.StatusTemporaryRedirect)
}
func namespaceFromRequest(req *http.Request) (string, error) {
// check for an ip address
if net.ParseIP(req.Host) != nil {
return auth.DefaultNamespace, nil
}
// split the host to remove the port
host, _, err := net.SplitHostPort(req.Host)
if err != nil {
return "", err
}
// check for dev enviroment
if host == "localhost" || host == "127.0.0.1" {
return auth.DefaultNamespace, nil
}
// if host is not a subdomain, deturn default namespace
comps := strings.Split(host, ".")
if len(comps) != 3 {
return auth.DefaultNamespace, nil
}
// check for the micro.mu domain
domain := fmt.Sprintf("%v.%v", comps[1], comps[2])
if domain == "micro.mu" {
return auth.DefaultNamespace, nil
}
// return the subdomain as the host
return comps[0], nil
}