internal/context/auth.go

// Copyright 2014 The Gogs Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package context

import (
	"net/http"
	"net/url"
	"strings"

	"github.com/go-macaron/csrf"
	"gopkg.in/macaron.v1"

	"gogs.io/gogs/internal/auth"
	"gogs.io/gogs/internal/conf"
	"gogs.io/gogs/internal/tool"
)

type ToggleOptions struct {
	SignInRequired  bool
	SignOutRequired bool
	AdminRequired   bool
	DisableCSRF     bool
}

func Toggle(options *ToggleOptions) macaron.Handler {
	return func(c *Context) {
		// Cannot view any page before installation.
		if !conf.Security.InstallLock {
			c.RedirectSubpath("/install")
			return
		}

		// Check prohibit login users.
		if c.IsLogged && c.User.ProhibitLogin {
			c.Data["Title"] = c.Tr("auth.prohibit_login")
			c.Success( "user/auth/prohibit_login")
			return
		}

		// Check non-logged users landing page.
		if !c.IsLogged && c.Req.RequestURI == "/" && conf.Server.LandingURL != "/" {
			c.RedirectSubpath(conf.Server.LandingURL)
			return
		}

		// Redirect to dashboard if user tries to visit any non-login page.
		if options.SignOutRequired && c.IsLogged && c.Req.RequestURI != "/" {
			c.RedirectSubpath("/")
			return
		}

		if !options.SignOutRequired && !options.DisableCSRF && c.Req.Method == "POST" && !auth.IsAPIPath(c.Req.URL.Path) {
			csrf.Validate(c.Context, c.csrf)
			if c.Written() {
				return
			}
		}

		if options.SignInRequired {
			if !c.IsLogged {
				// Restrict API calls with error message.
				if auth.IsAPIPath(c.Req.URL.Path) {
					c.JSON(http.StatusForbidden, map[string]string{
						"message": "Only authenticated user is allowed to call APIs.",
					})
					return
				}

				c.SetCookie("redirect_to", url.QueryEscape(conf.Server.Subpath+c.Req.RequestURI), 0, conf.Server.Subpath)
				c.RedirectSubpath("/user/login")
				return
			} else if !c.User.IsActive && conf.Auth.RequireEmailConfirmation {
				c.Title("auth.active_your_account")
				c.Success("user/auth/activate")
				return
			}
		}

		// Redirect to log in page if auto-signin info is provided and has not signed in.
		if !options.SignOutRequired && !c.IsLogged && !auth.IsAPIPath(c.Req.URL.Path) &&
			len(c.GetCookie(conf.Security.CookieUsername)) > 0 {
			c.SetCookie("redirect_to", url.QueryEscape(conf.Server.Subpath+c.Req.RequestURI), 0, conf.Server.Subpath)
			c.RedirectSubpath("/user/login")
			return
		}

		if options.AdminRequired {
			if !c.User.IsAdmin {
				c.Status(http.StatusForbidden)
				return
			}
			c.PageIs("Admin")
		}
	}
}

// RequireBasicAuth verifies HTTP Basic Authentication header with given credentials.
func (c *Context) RequireBasicAuth(username, password string) {
	fields := strings.Fields(c.Req.Header.Get("Authorization"))
	if len(fields) != 2 || fields[0] != "Basic" {
		c.Status(http.StatusUnauthorized)
		return
	}

	uname, passwd, _ := tool.BasicAuthDecode(fields[1])
	if uname != username || passwd != password {
		c.Status(http.StatusForbidden)
		return
	}
}
move templateFuncs to one file, add middleware context. 2014-03-15 19:01:50 +08:00			`// Copyright 2014 The Gogs Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

Rename module: middleware -> context 2016-03-11 11:56:52 -05:00			`package context`
move templateFuncs to one file, add middleware context. 2014-03-15 19:01:50 +08:00
			`import (`
metrics: add initial Prometheus support (#4141) 2018-09-14 22:29:43 -04:00			`"net/http"`
Batch updates 2014-03-22 17:59:22 -04:00			`"net/url"`
metrics: add initial Prometheus support (#4141) 2018-09-14 22:29:43 -04:00			`"strings"`
Batch updates 2014-03-22 17:59:22 -04:00
fix import path, fix #1782 2015-10-15 21:28:12 -04:00			`"github.com/go-macaron/csrf"`
			`"gopkg.in/macaron.v1"`
Finish verify email 2014-03-19 12:50:44 -04:00
internal: move packages under this directory (#5836) * Rename pkg -> internal * Rename routes -> route * Move route -> internal/route * Rename models -> db * Move db -> internal/db * Fix route2 -> route * Move cmd -> internal/cmd * Bump version 2019-10-24 01:51:46 -07:00			`"gogs.io/gogs/internal/auth"`
conf: overhaul server settings (#5928) * conf: rename package * Requires Go 1.12 * Fix lint * Fix lint * Overhaul * db: fix tests * Save my work * Fix tests * Server.UnixSocketPermission * Server.LocalRootURL * SSH settings * Server.OfflineMode * Save my work * App.Version * Remove [server] STATIC_ROOT_PATH * Server.LandingURL 2020-02-22 09:05:26 +08:00			`"gogs.io/gogs/internal/conf"`
internal: move packages under this directory (#5836) * Rename pkg -> internal * Rename routes -> route * Move route -> internal/route * Rename models -> db * Move db -> internal/db * Fix route2 -> route * Move cmd -> internal/cmd * Bump version 2019-10-24 01:51:46 -07:00			`"gogs.io/gogs/internal/tool"`
move templateFuncs to one file, add middleware context. 2014-03-15 19:01:50 +08:00			`)`

add csrf check 2014-03-23 01:44:02 +08:00			`type ToggleOptions struct {`
Rename module: middleware -> context 2016-03-11 11:56:52 -05:00			`SignInRequired bool`
			`SignOutRequired bool`
			`AdminRequired bool`
			`DisableCSRF bool`
Show owner/poster tags of comments and fix #1312 2015-08-14 02:43:40 +08:00			`}`

New UI merge in progress 2014-07-26 00:24:27 -04:00			`func Toggle(options *ToggleOptions) macaron.Handler {`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`return func(c *Context) {`
Clean api code 2014-05-05 13:08:01 -04:00			`// Cannot view any page before installation.`
conf: overhaul security settings 2020-02-22 20:46:16 +08:00			`if !conf.Security.InstallLock {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.RedirectSubpath("/install")`
Fix install bugs 2014-03-30 11:58:21 -04:00			`return`
			`}`

#2937 able to prohibit user login 2016-07-16 10:22:16 +08:00			`// Check prohibit login users.`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if c.IsLogged && c.User.ProhibitLogin {`
			`c.Data["Title"] = c.Tr("auth.prohibit_login")`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.Success( "user/auth/prohibit_login")`
#2937 able to prohibit user login 2016-07-16 10:22:16 +08:00			`return`
			`}`

			`// Check non-logged users landing page.`
conf: overhaul server settings (#5928) * conf: rename package * Requires Go 1.12 * Fix lint * Fix lint * Overhaul * db: fix tests * Save my work * Fix tests * Server.UnixSocketPermission * Server.LocalRootURL * SSH settings * Server.OfflineMode * Save my work * App.Version * Remove [server] STATIC_ROOT_PATH * Server.LandingURL 2020-02-22 09:05:26 +08:00			`if !c.IsLogged && c.Req.RequestURI == "/" && conf.Server.LandingURL != "/" {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.RedirectSubpath(conf.Server.LandingURL)`
Fix #543 2014-11-24 18:47:59 -05:00			`return`
			`}`

Clean api code 2014-05-05 13:08:01 -04:00			`// Redirect to dashboard if user tries to visit any non-login page.`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if options.SignOutRequired && c.IsLogged && c.Req.RequestURI != "/" {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.RedirectSubpath("/")`
Work on admin 2014-03-20 07:50:26 -04:00			`return`
			`}`

Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if !options.SignOutRequired && !options.DisableCSRF && c.Req.Method == "POST" && !auth.IsAPIPath(c.Req.URL.Path) {`
			`csrf.Validate(c.Context, c.csrf)`
			`if c.Written() {`
Convert captcha, cache, csrf as middlewares 2014-07-31 17:25:34 -04:00			`return`
			`}`
add csrf check 2014-03-23 01:44:02 +08:00			`}`

Rename module: middleware -> context 2016-03-11 11:56:52 -05:00			`if options.SignInRequired {`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if !c.IsLogged {`
#1128: API calls are not hidden behind sign in 2015-07-15 19:17:57 +08:00			`// Restrict API calls with error message.`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if auth.IsAPIPath(c.Req.URL.Path) {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.JSON(http.StatusForbidden, map[string]string{`
			`"message": "Only authenticated user is allowed to call APIs.",`
Convert all API handers to use *context.APIContext 2016-03-13 18:49:16 -04:00			`})`
#1128: API calls are not hidden behind sign in 2015-07-15 19:17:57 +08:00			`return`
			`}`

conf: overhaul server settings (#5928) * conf: rename package * Requires Go 1.12 * Fix lint * Fix lint * Overhaul * db: fix tests * Save my work * Fix tests * Server.UnixSocketPermission * Server.LocalRootURL * SSH settings * Server.OfflineMode * Save my work * App.Version * Remove [server] STATIC_ROOT_PATH * Server.LandingURL 2020-02-22 09:05:26 +08:00			`c.SetCookie("redirect_to", url.QueryEscape(conf.Server.Subpath+c.Req.RequestURI), 0, conf.Server.Subpath)`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.RedirectSubpath("/user/login")`
add csrf check 2014-03-23 01:44:02 +08:00			`return`
conf: overhaul auth and user settings (#5942) * conf: overhaul auth and user settings * ci: update travis Go versions 2020-02-27 18:06:38 +08:00			`} else if !c.User.IsActive && conf.Auth.RequireEmailConfirmation {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.Title("auth.active_your_account")`
			`c.Success("user/auth/activate")`
add csrf check 2014-03-23 01:44:02 +08:00			`return`
			`}`
			`}`

Rename module: middleware -> context 2016-03-11 11:56:52 -05:00			`// Redirect to log in page if auto-signin info is provided and has not signed in.`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if !options.SignOutRequired && !c.IsLogged && !auth.IsAPIPath(c.Req.URL.Path) &&`
conf: overhaul security settings 2020-02-22 20:46:16 +08:00			`len(c.GetCookie(conf.Security.CookieUsername)) > 0 {`
conf: overhaul server settings (#5928) * conf: rename package * Requires Go 1.12 * Fix lint * Fix lint * Overhaul * db: fix tests * Save my work * Fix tests * Server.UnixSocketPermission * Server.LocalRootURL * SSH settings * Server.OfflineMode * Save my work * App.Version * Remove [server] STATIC_ROOT_PATH * Server.LandingURL 2020-02-22 09:05:26 +08:00			`c.SetCookie("redirect_to", url.QueryEscape(conf.Server.Subpath+c.Req.RequestURI), 0, conf.Server.Subpath)`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.RedirectSubpath("/user/login")`
#2748 fix redirect loop with auto-signin 2016-03-04 09:15:11 -05:00			`return`
work on #1891 2015-11-18 23:52:09 -05:00			`}`

Rename module: middleware -> context 2016-03-11 11:56:52 -05:00			`if options.AdminRequired {`
Refactoring: rename ctx -> c 2017-06-03 07:26:09 -04:00			`if !c.User.IsAdmin {`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.Status(http.StatusForbidden)`
add csrf check 2014-03-23 01:44:02 +08:00			`return`
			`}`
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`c.PageIs("Admin")`
move templateFuncs to one file, add middleware context. 2014-03-15 19:01:50 +08:00			`}`
			`}`
			`}`
metrics: add initial Prometheus support (#4141) 2018-09-14 22:29:43 -04:00
refactor: unify error handling in routing layer 2020-03-16 01:22:27 +08:00			`// RequireBasicAuth verifies HTTP Basic Authentication header with given credentials.`
metrics: add initial Prometheus support (#4141) 2018-09-14 22:29:43 -04:00			`func (c *Context) RequireBasicAuth(username, password string) {`
			`fields := strings.Fields(c.Req.Header.Get("Authorization"))`
			`if len(fields) != 2 \|\| fields[0] != "Basic" {`
			`c.Status(http.StatusUnauthorized)`
			`return`
			`}`

			`uname, passwd, _ := tool.BasicAuthDecode(fields[1])`
			`if uname != username \|\| passwd != password {`
			`c.Status(http.StatusForbidden)`
			`return`
			`}`
			`}`