33 lines
1021 B
Go
33 lines
1021 B
Go
package api
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"encoding/base64"
|
|
"net/http"
|
|
)
|
|
|
|
// BasicAuth returns basic auth handler.
|
|
func BasicAuth(username, password string) http.HandlerFunc {
|
|
// Inspired by https://github.com/codegangsta/martini-contrib/tree/v0.1/auth
|
|
return func(res http.ResponseWriter, req *http.Request) {
|
|
if !secureCompare(req.Header.Get("Authorization"),
|
|
"Basic "+base64.StdEncoding.EncodeToString([]byte(username+":"+password)),
|
|
) {
|
|
res.Header().Set("WWW-Authenticate",
|
|
"Basic realm=\"Authorization Required\"",
|
|
)
|
|
http.Error(res, "Not Authorized", http.StatusUnauthorized)
|
|
}
|
|
}
|
|
}
|
|
|
|
func secureCompare(given string, actual string) bool {
|
|
//nolint:gosec // TODO: fix later
|
|
if subtle.ConstantTimeEq(int32(len(given)), int32(len(actual))) == 1 {
|
|
return subtle.ConstantTimeCompare([]byte(given), []byte(actual)) == 1
|
|
}
|
|
// Securely compare actual to itself to keep constant time,
|
|
// but always return false
|
|
return subtle.ConstantTimeCompare([]byte(actual), []byte(actual)) == 1 && false
|
|
}
|