Semaphore/api/auth.go

package api

import (
	"github.com/semaphoreui/semaphore/api/helpers"
	"github.com/semaphoreui/semaphore/db"
	"github.com/semaphoreui/semaphore/util"
	"github.com/gorilla/context"
	log "github.com/sirupsen/logrus"
	"net/http"
	"strings"
	"time"
)

func authenticationHandler(w http.ResponseWriter, r *http.Request) bool {
	var userID int

	authHeader := strings.ToLower(r.Header.Get("authorization"))

	if len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {
		token, err := helpers.Store(r).GetAPIToken(strings.Replace(authHeader, "bearer ", "", 1))

		if err != nil {
			if err != db.ErrNotFound {
				log.Error(err)
			}

			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		userID = token.UserID
	} else {
		// fetch session from cookie
		cookie, err := r.Cookie("semaphore")
		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		value := make(map[string]interface{})
		if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		user, ok := value["user"]
		sessionVal, okSession := value["session"]
		if !ok || !okSession {
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		userID = user.(int)
		sessionID := sessionVal.(int)

		// fetch session
		session, err := helpers.Store(r).GetSession(userID, sessionID)

		if err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		if time.Since(session.LastActive).Hours() > 7*24 {
			// more than week old unused session
			// destroy.
			if err := helpers.Store(r).ExpireSession(userID, sessionID); err != nil {
				// it is internal error, it doesn't concern the user
				log.Error(err)
			}

			w.WriteHeader(http.StatusUnauthorized)
			return false
		}

		if err := helpers.Store(r).TouchSession(userID, sessionID); err != nil {
			log.Error(err)
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}
	}

	user, err := helpers.Store(r).GetUser(userID)
	if err != nil {
		if err != db.ErrNotFound {
			// internal error
			log.Error(err)
		}
		w.WriteHeader(http.StatusUnauthorized)
		return false
	}

	context.Set(r, "user", &user)
	return true
}

// nolint: gocyclo
func authentication(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := authenticationHandler(w, r)
		if ok {
			next.ServeHTTP(w, r)
		}
	})
}

// nolint: gocyclo
func authenticationWithStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		store := helpers.Store(r)

		var ok bool

		db.StoreSession(store, r.URL.String(), func() {
			ok = authenticationHandler(w, r)
		})

		if ok {
			next.ServeHTTP(w, r)
		}
	})
}

func adminMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := context.Get(r, "user").(*db.User)

		if !user.Admin {
			w.WriteHeader(http.StatusForbidden)
			return
		}

		next.ServeHTTP(w, r)
	})
}
refactoring 2016-05-24 11:55:48 +02:00			`package api`
Initial v2 work 2016-01-05 00:32:53 +01:00
			`import (`
feat(be): ansible-semaphore -> semaphoreui 2024-10-26 14:56:17 +02:00			`"github.com/semaphoreui/semaphore/api/helpers"`
			`"github.com/semaphoreui/semaphore/db"`
			`"github.com/semaphoreui/semaphore/util"`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`"github.com/gorilla/context"`
feat(options): implement manipulation methods 2024-07-08 13:15:04 +02:00			`log "github.com/sirupsen/logrus"`
🎉 gin -> net/http 2017-02-23 00:21:49 +01:00			`"net/http"`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00			`"strings"`
Initial v2 work 2016-01-05 00:32:53 +01:00			`"time"`
			`)`

fix: authentization bug 2023-03-13 14:04:58 +01:00			`func authenticationHandler(w http.ResponseWriter, r *http.Request) bool {`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`var userID int`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`authHeader := strings.ToLower(r.Header.Get("authorization"))`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`if len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {`
			`token, err := helpers.Store(r).GetAPIToken(strings.Replace(authHeader, "bearer ", "", 1))`
Set version on windows taskfile It doesn't otherwise build on windows since by default it's `1`: ```powershell Taskfiles versions should match. First is "2" but second is "1" ``` backup 2019-07-09 09:21:49 +02:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`if err != nil {`
			`if err != db.ErrNotFound {`
			`log.Error(err)`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00			`}`

feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`userID = token.UserID`
			`} else {`
			`// fetch session from cookie`
			`cookie, err := r.Cookie("semaphore")`
			`if err != nil {`
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`value := make(map[string]interface{})`
			`if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {`
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`user, ok := value["user"]`
			`sessionVal, okSession := value["session"]`
			`if !ok \|\| !okSession {`
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`userID = user.(int)`
			`sessionID := sessionVal.(int)`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`// fetch session`
			`session, err := helpers.Store(r).GetSession(userID, sessionID)`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`if err != nil {`
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat: remove demo mode 2023-08-27 15:00:54 +02:00			`if time.Since(session.LastActive).Hours() > 7*24 {`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`// more than week old unused session`
			`// destroy.`
			`if err := helpers.Store(r).ExpireSession(userID, sessionID); err != nil {`
			`// it is internal error, it doesn't concern the user`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`log.Error(err)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`}`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
Set version on windows taskfile It doesn't otherwise build on windows since by default it's `1`: ```powershell Taskfiles versions should match. First is "2" but second is "1" ``` backup 2019-07-09 09:21:49 +02:00			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`if err := helpers.Store(r).TouchSession(userID, sessionID); err != nil {`
			`log.Error(err)`
return 401 instead of 403 on unauthorized pages 2018-10-22 09:19:33 +02:00			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`}`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`user, err := helpers.Store(r).GetUser(userID)`
			`if err != nil {`
			`if err != db.ErrNotFound {`
			`// internal error`
			`log.Error(err)`
			`}`
			`w.WriteHeader(http.StatusUnauthorized)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return false`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`

			`context.Set(r, "user", &user)`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`return true`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`}`

			`// nolint: gocyclo`
			`func authentication(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`ok := authenticationHandler(w, r)`
			`if ok {`
			`next.ServeHTTP(w, r)`
			`}`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00			`})`
			`}`

			`// nolint: gocyclo`
			`func authenticationWithStore(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
test: remove date/time pattern from open api 2022-11-09 18:04:35 +01:00			`store := helpers.Store(r)`
feat(be): do not keep connection by BoltDB 2022-11-09 17:30:35 +01:00
fix: authentization bug 2023-03-13 14:04:58 +01:00			`var ok bool`
fix(be): do not expire session for demo mode 2023-08-26 13:16:25 +02:00
feat(be): support session connection for boltdb 2022-11-18 23:23:30 +01:00			`db.StoreSession(store, r.URL.String(), func() {`
fix: authentization bug 2023-03-13 14:04:58 +01:00			`ok = authenticationHandler(w, r)`
feat(be): support session connection for boltdb 2022-11-18 23:23:30 +01:00			`})`
Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00
fix: authentization bug 2023-03-13 14:04:58 +01:00			`if ok {`
			`next.ServeHTTP(w, r)`
			`}`
Set version on windows taskfile It doesn't otherwise build on windows since by default it's `1`: ```powershell Taskfiles versions should match. First is "2" but second is "1" ``` backup 2019-07-09 09:21:49 +02:00			`})`
Initial v2 work 2016-01-05 00:32:53 +01:00			`}`
feat(options): implement manipulation methods 2024-07-08 13:15:04 +02:00
			`func adminMiddleware(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`user := context.Get(r, "user").(*db.User)`

			`if !user.Admin {`
			`w.WriteHeader(http.StatusForbidden)`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`})`
			`}`