Merge pull request #958 from owncloud/basic-auth-cache

implement basic auth cache
2026-03-06 04:49:48 -06:00 · 2020-11-26 17:33:47 +01:00
parent cda8aadf50 cb2e2a3896
commit dbb52f29ad
7 changed files with 83 additions and 41 deletions
--- a/proxy/pkg/middleware/basic_auth.go
+++ b/proxy/pkg/middleware/basic_auth.go
@@ -2,12 +2,11 @@ package middleware

 import (
 	"fmt"
-	"net/http"
-	"strings"
-
 	accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 	"github.com/owncloud/ocis/ocis-pkg/oidc"
+	"net/http"
+	"strings"
 )

 const publicFilesEndpoint = "/remote.php/dav/public-files/"
@@ -15,50 +14,49 @@ const publicFilesEndpoint = "/remote.php/dav/public-files/"
 // BasicAuth provides a middleware to check if BasicAuth is provided
 func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 	options := newOptions(optionSetters...)
+	logger := options.Logger
+	oidcIss := options.OIDCIss
+
 	if options.EnableBasicAuth {
 		options.Logger.Warn().Msg("basic auth enabled, use only for testing or development")
 	}

+	h := basicAuth{
+		logger:         logger,
+		enabled:        options.EnableBasicAuth,
+		accountsClient: options.AccountsClient,
+	}
+
 	return func(next http.Handler) http.Handler {
-		return &basicAuth{
-			next:           next,
-			logger:         options.Logger,
-			enabled:        options.EnableBasicAuth,
-			accountsClient: options.AccountsClient,
-			oidcIss:        options.OIDCIss,
-		}
+		return http.HandlerFunc(
+			func(w http.ResponseWriter, req *http.Request) {
+				if h.isPublicLink(req) || !h.isBasicAuth(req) {
+					next.ServeHTTP(w, req)
+					return
+				}
+
+				account, ok := h.getAccount(req)
+
+				if !ok {
+					w.WriteHeader(http.StatusUnauthorized)
+					return
+				}
+
+				claims := &oidc.StandardClaims{
+					OcisID: account.Id,
+					Iss:    oidcIss,
+				}
+
+				next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))
+			},
+		)
 	}
 }

 type basicAuth struct {
-	next           http.Handler
 	logger         log.Logger
 	enabled        bool
 	accountsClient accounts.AccountsService
-	oidcIss        string
-}
-
-func (m basicAuth) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	if m.isPublicLink(req) || !m.isBasicAuth(req) {
-		m.next.ServeHTTP(w, req)
-		return
-	}
-
-	login, password, _ := req.BasicAuth()
-
-	account, status := getAccount(m.logger, m.accountsClient, fmt.Sprintf("login eq '%s' and password eq '%s'", strings.ReplaceAll(login, "'", "''"), strings.ReplaceAll(password, "'", "''")))
-
-	if status != 0 {
-		w.WriteHeader(http.StatusUnauthorized)
-		return
-	}
-
-	claims := &oidc.StandardClaims{
-		OcisID: account.Id,
-		Iss:    m.oidcIss,
-	}
-
-	m.next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))
 }

 func (m basicAuth) isPublicLink(req *http.Request) bool {
@@ -72,3 +70,19 @@ func (m basicAuth) isBasicAuth(req *http.Request) bool {

 	return m.enabled && ok && login != "" && password != ""
 }
+
+func (m basicAuth) getAccount(req *http.Request) (*accounts.Account, bool) {
+	login, password, _ := req.BasicAuth()
+
+	account, status := getAccount(
+		m.logger,
+		m.accountsClient,
+		fmt.Sprintf(
+			"login eq '%s' and password eq '%s'",
+			strings.ReplaceAll(login, "'", "''"),
+			strings.ReplaceAll(password, "'", "''"),
+		),
+	)
+
+	return account, status == 0
+}
--- a/proxy/pkg/middleware/oidc_auth.go
+++ b/proxy/pkg/middleware/oidc_auth.go
@@ -10,9 +10,9 @@ import (
 	"github.com/dgrijalva/jwt-go"

 	gOidc "github.com/coreos/go-oidc"
+	"github.com/owncloud/ocis/ocis-pkg/cache"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 	"github.com/owncloud/ocis/ocis-pkg/oidc"
-	"github.com/owncloud/ocis/proxy/pkg/cache"
 	"golang.org/x/oauth2"
 )