icecheng/freeleaps-ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
db590f3f27
freeleaps-ops/apps/gitea-webhook-ambassador/internal/auth/middleware.go
zhenyus db590f3f27 refactor: update gitea-webhook-ambassador Dockerfile and configuration 
- Changed the build process to include a web UI build stage using Node.js.
- Updated Go build stage to copy web UI files to the correct location.
- Removed the main.go file as it is no longer needed.
- Added SQLite database configuration to example config.
- Updated dependencies in go.mod and go.sum, including new packages for JWT and SQLite.
- Modified .gitignore to include new database and configuration files.

Signed-off-by: zhenyus <zhenyus@mathmast.com>
2025-06-10 16:00:52 +08:00

138 lines
3.5 KiB
Go
Raw Blame History

package auth
import (
"crypto/subtle"
"encoding/json"
"fmt"
"net/http"
"strings"
"time"
"freeleaps.com/gitea-webhook-ambassador/internal/logger"
"github.com/golang-jwt/jwt/v5"
)
type Middleware struct {
secretKey string
}
func NewMiddleware(secretKey string) *Middleware {
logger.Debug("Creating auth middleware with secret key length: %d", len(secretKey))
return &Middleware{
secretKey: secretKey,
}
}
// VerifyToken verifies a JWT token and returns an error if invalid
func (m *Middleware) VerifyToken(r *http.Request) error {
// Get token from Authorization header
authHeader := r.Header.Get("Authorization")
if authHeader == "" {
return fmt.Errorf("no authorization header")
}
// Remove 'Bearer ' prefix
tokenString := strings.TrimPrefix(authHeader, "Bearer ")
// Parse and validate token
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return []byte(m.secretKey), nil
})
if err != nil {
return fmt.Errorf("invalid token: %w", err)
}
if !token.Valid {
return fmt.Errorf("token is not valid")
}
return nil
}
// LoginRequest represents the login request body
type LoginRequest struct {
SecretKey string `json:"secret_key"`
}
// LoginResponse represents the login response
type LoginResponse struct {
Token string `json:"token"`
}
// HandleLogin handles the login API request
func (m *Middleware) HandleLogin(w http.ResponseWriter, r *http.Request) {
// Only accept POST requests
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Parse JSON request
var req LoginRequest
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
// Validate secret key
if subtle.ConstantTimeCompare([]byte(req.SecretKey), []byte(m.secretKey)) != 1 {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{
"error": "Invalid secret key",
})
return
}
// Generate JWT token
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"exp": time.Now().Add(24 * time.Hour).Unix(),
"iat": time.Now().Unix(),
})
// Sign the token
tokenString, err := token.SignedString([]byte(m.secretKey))
if err != nil {
logger.Error("Failed to generate token: %v", err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
// Return the token
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(LoginResponse{
Token: tokenString,
})
}
// Authenticate middleware for protecting routes
func (m *Middleware) Authenticate(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Skip authentication for login page and static assets
if r.URL.Path == "/login" || strings.HasPrefix(r.URL.Path, "/css/") ||
strings.HasPrefix(r.URL.Path, "/js/") || strings.HasPrefix(r.URL.Path, "/img/") {
next.ServeHTTP(w, r)
return
}
if err := m.VerifyToken(r); err != nil {
logger.Debug("Token verification failed: %v", err)
if r.Header.Get("X-Requested-With") == "XMLHttpRequest" {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{
"error": "Invalid or expired token",
})
} else {
http.Redirect(w, r, "/login", http.StatusSeeOther)
}
return
}
// Token is valid, proceed
next.ServeHTTP(w, r)
})
}
Reference in New Issue View Git Blame Copy Permalink