| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | // Copyright 2015 Matthew Holt and The Caddy Authors | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // Licensed under the Apache License, Version 2.0 (the "License"); | 
					
						
							|  |  |  | // you may not use this file except in compliance with the License. | 
					
						
							|  |  |  | // You may obtain a copy of the License at | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | //     http://www.apache.org/licenses/LICENSE-2.0 | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // Unless required by applicable law or agreed to in writing, software | 
					
						
							|  |  |  | // distributed under the License is distributed on an "AS IS" BASIS, | 
					
						
							|  |  |  | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 
					
						
							|  |  |  | // See the License for the specific language governing permissions and | 
					
						
							|  |  |  | // limitations under the License. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | package caddyauth | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							|  |  |  | 	"fmt" | 
					
						
							|  |  |  | 	"net/http" | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2023-08-14 23:41:15 +08:00
										 |  |  | 	"go.uber.org/zap" | 
					
						
							| 
									
										
										
										
											2024-09-13 19:16:37 +02:00
										 |  |  | 	"go.uber.org/zap/zapcore" | 
					
						
							| 
									
										
										
										
											2023-08-14 23:41:15 +08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	"github.com/caddyserver/caddy/v2" | 
					
						
							|  |  |  | 	"github.com/caddyserver/caddy/v2/modules/caddyhttp" | 
					
						
							|  |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func init() { | 
					
						
							|  |  |  | 	caddy.RegisterModule(Authentication{}) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Authentication is a middleware which provides user authentication. | 
					
						
							| 
									
										
										
										
											2019-12-23 12:45:35 -07:00
										 |  |  | // Rejects requests with HTTP 401 if the request is not authenticated. | 
					
						
							| 
									
										
										
										
											2020-04-14 16:11:46 -06:00
										 |  |  | // | 
					
						
							| 
									
										
										
										
											2020-11-26 22:31:25 -05:00
										 |  |  | // After a successful authentication, the placeholder | 
					
						
							|  |  |  | // `{http.auth.user.id}` will be set to the username, and also | 
					
						
							|  |  |  | // `{http.auth.user.*}` placeholders may be set for any authentication | 
					
						
							|  |  |  | // modules that provide user metadata. | 
					
						
							|  |  |  | // | 
					
						
							| 
									
										
										
										
											2025-04-16 00:32:08 +02:00
										 |  |  | // In case of an error, the placeholder `{http.auth.<provider>.error}` | 
					
						
							|  |  |  | // will be set to the error message returned by the authentication | 
					
						
							|  |  |  | // provider. | 
					
						
							|  |  |  | // | 
					
						
							| 
									
										
										
										
											2020-04-14 16:11:46 -06:00
										 |  |  | // Its API is still experimental and may be subject to change. | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | type Authentication struct { | 
					
						
							| 
									
										
										
										
											2019-12-23 12:45:35 -07:00
										 |  |  | 	// A set of authentication providers. If none are specified, | 
					
						
							|  |  |  | 	// all requests will always be unauthenticated. | 
					
						
							| 
									
										
										
										
											2019-12-10 13:36:46 -07:00
										 |  |  | 	ProvidersRaw caddy.ModuleMap `json:"providers,omitempty" caddy:"namespace=http.authentication.providers"` | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	Providers map[string]Authenticator `json:"-"` | 
					
						
							| 
									
										
										
										
											2020-12-03 11:33:55 -07:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	logger *zap.Logger | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // CaddyModule returns the Caddy module information. | 
					
						
							|  |  |  | func (Authentication) CaddyModule() caddy.ModuleInfo { | 
					
						
							|  |  |  | 	return caddy.ModuleInfo{ | 
					
						
							| 
									
										
										
										
											2019-12-10 13:36:46 -07:00
										 |  |  | 		ID:  "http.handlers.authentication", | 
					
						
							|  |  |  | 		New: func() caddy.Module { return new(Authentication) }, | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Provision sets up a. | 
					
						
							|  |  |  | func (a *Authentication) Provision(ctx caddy.Context) error { | 
					
						
							| 
									
										
										
										
											2022-09-16 16:55:30 -06:00
										 |  |  | 	a.logger = ctx.Logger() | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	a.Providers = make(map[string]Authenticator) | 
					
						
							| 
									
										
										
										
											2019-12-10 13:36:46 -07:00
										 |  |  | 	mods, err := ctx.LoadModule(a, "ProvidersRaw") | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return fmt.Errorf("loading authentication providers: %v", err) | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2022-08-02 16:39:09 -04:00
										 |  |  | 	for modName, modIface := range mods.(map[string]any) { | 
					
						
							| 
									
										
										
										
											2019-12-10 13:36:46 -07:00
										 |  |  | 		a.Providers[modName] = modIface.(Authenticator) | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	} | 
					
						
							|  |  |  | 	return nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error { | 
					
						
							| 
									
										
										
										
											2025-04-16 00:32:08 +02:00
										 |  |  | 	repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer) | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	var user User | 
					
						
							|  |  |  | 	var authed bool | 
					
						
							|  |  |  | 	var err error | 
					
						
							|  |  |  | 	for provName, prov := range a.Providers { | 
					
						
							|  |  |  | 		user, authed, err = prov.Authenticate(w, r) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							| 
									
										
										
										
											2024-09-13 19:16:37 +02:00
										 |  |  | 			if c := a.logger.Check(zapcore.ErrorLevel, "auth provider returned error"); c != nil { | 
					
						
							|  |  |  | 				c.Write(zap.String("provider", provName), zap.Error(err)) | 
					
						
							|  |  |  | 			} | 
					
						
							| 
									
										
										
										
											2025-04-16 00:32:08 +02:00
										 |  |  | 			// Set the error from the authentication provider in a placeholder, | 
					
						
							|  |  |  | 			// so it can be used in the handle_errors directive. | 
					
						
							|  |  |  | 			repl.Set("http.auth."+provName+".error", err.Error()) | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 			continue | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		if authed { | 
					
						
							|  |  |  | 			break | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	if !authed { | 
					
						
							|  |  |  | 		return caddyhttp.Error(http.StatusUnauthorized, fmt.Errorf("not authenticated")) | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-03-27 18:10:51 +01:00
										 |  |  | 	repl.Set("http.auth.user.id", user.ID) | 
					
						
							|  |  |  | 	for k, v := range user.Metadata { | 
					
						
							|  |  |  | 		repl.Set("http.auth.user."+k, v) | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return next.ServeHTTP(w, r) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Authenticator is a type which can authenticate a request. | 
					
						
							|  |  |  | // If a request was not authenticated, it returns false. An | 
					
						
							|  |  |  | // error is only returned if authenticating the request fails | 
					
						
							|  |  |  | // for a technical reason (not for bad/missing credentials). | 
					
						
							|  |  |  | type Authenticator interface { | 
					
						
							|  |  |  | 	Authenticate(http.ResponseWriter, *http.Request) (User, bool, error) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // User represents an authenticated user. | 
					
						
							|  |  |  | type User struct { | 
					
						
							| 
									
										
										
										
											2020-03-27 18:10:51 +01:00
										 |  |  | 	// The ID of the authenticated user. | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | 	ID string | 
					
						
							| 
									
										
										
										
											2020-03-27 18:10:51 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	// Any other relevant data about this | 
					
						
							|  |  |  | 	// user. Keys should be adhere to Caddy | 
					
						
							|  |  |  | 	// conventions (snake_casing), as all | 
					
						
							|  |  |  | 	// keys will be made available as | 
					
						
							|  |  |  | 	// placeholders. | 
					
						
							|  |  |  | 	Metadata map[string]string | 
					
						
							| 
									
										
										
										
											2019-10-10 14:37:27 -06:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // Interface guards | 
					
						
							|  |  |  | var ( | 
					
						
							|  |  |  | 	_ caddy.Provisioner           = (*Authentication)(nil) | 
					
						
							|  |  |  | 	_ caddyhttp.MiddlewareHandler = (*Authentication)(nil) | 
					
						
							|  |  |  | ) |