Diffstat (limited to 'internal/authz/middleware.go')
-rw-r--r--internal/authz/middleware.go31
1 files changed, 25 insertions, 6 deletions
diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go
index 31f7bf3..3156b67 100644
--- a/internal/authz/middleware.go
+++ b/internal/authz/middleware.go
@@ -4,9 +4,9 @@ package authz
import (
"context"
"encoding/hex"
- "fmt"
"log/slog"
"net/http"
+ "strings"
"git.ofmax.li/go-git-server/internal/admin"
"golang.org/x/crypto/bcrypt"
@@ -19,7 +19,7 @@ var (
AuthzUrnKey AuthzContextKey = "goGitAuthzUrn"
)
-func Authentication(authMap TokenMap, next http.Handler) http.Handler {
+func Authentication(authMap *SafeTokenMap, identityMap *IdentityMap, next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
slog.Info("access request recv")
u, p, ok := req.BasicAuth()
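Review bot: The exported Authentication gains a second dependency here but still carries no doc comment, and the new signature is the natural place to state the contract the two maps fulfil. A suggested comment above the signature: `// Authentication wraps next with HTTP Basic-Auth: the username is resolved to an access ID through identityMap, the hex-encoded password is verified against the bcrypt hash held in authMap, and on success the caller's urn is stored in the request context under AuthzUrnKey.` The handler body continues past the end of this hunk.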
@@ -29,23 +29,42 @@ func Authentication(authMap TokenMap, next http.Handler) http.Handler {
next.ServeHTTP(rw, req.WithContext(ctx))
return
}
- urn := fmt.Sprintf("uid:%s", u)
- hash, ok := authMap[urn]
+
+ // Look up the access ID from the provided username
+ accessID, exists := identityMap.GetID(FriendlyName(u))
+ if !exists {
+ slog.Info("failed access", "username", u)
+ http.Error(rw, "Bad Request", http.StatusForbidden)
+ return
+ }
+
+ hash, ok := authMap.Get(accessID)
if !ok {
- slog.Info("failed access", "urn", urn)
+ slog.Info("failed access", "access_id", accessID)
http.Error(rw, "Bad Request", http.StatusForbidden)
return
}
+
token, err := hex.DecodeString(p)
if err != nil {
http.Error(rw, "Bad Request", http.StatusBadRequest)
return
}
+
if err := bcrypt.CompareHashAndPassword([]byte(hash), token); err != nil {
- slog.Info("bad token for user", "urn", urn)
+ slog.Info("bad token for user", "access_id", accessID)
http.Error(rw, "Bad Request", http.StatusForbidden)
return
}
+
+ // Store the friendly name with appropriate prefix in context
+ friendlyName, _ := identityMap.GetName(accessID)
+ prefix := "uid:" // default to user
+ if strings.HasPrefix(string(friendlyName), "bot:") {
+ prefix = "aid:"
+ }
+ urn := prefix + string(friendlyName)
+
ctx := context.WithValue(req.Context(), AuthzUrnKey, urn)
slog.Info("access request granted", "urn", urn)
next.ServeHTTP(rw, req.WithContext(ctx))
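Review bot: The second result of `identityMap.GetName(accessID)` is discarded on the line `friendlyName, _ := identityMap.GetName(accessID)`, so if the reverse lookup fails the request is still granted with an empty name and the urn placed in the context is the bare `"uid:"`; the forward lookup a few lines earlier treats a miss in the same map as a 403, and this path should be as strict. The prefix logic below it also yields `aid:bot:<name>` for bot identities, keeping the `bot:` marker inside the urn, which deserves a comment if it is intended. The new unknown-username branch copies the existing pattern of a `"Bad Request"` body with http.StatusForbidden; the body and status disagree, and a consistent message across the three failure branches would be clearer for operators reading logs. Assuming GetName returns (name, bool) like GetID, the rewritten lines are:
```go
	// … unchanged: bcrypt compare …

	// Store the friendly name with appropriate prefix in context
	friendlyName, found := identityMap.GetName(accessID)
	if !found {
		slog.Info("failed access", "access_id", accessID)
		http.Error(rw, "Bad Request", http.StatusForbidden)
		return
	}
	prefix := "uid:" // default to user
	// … unchanged: prefix selection, urn and context …
```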