micro/api/server/auth/auth.go

package auth

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"

	"github.com/micro/go-micro/v2/api/resolver"
	"github.com/micro/go-micro/v2/auth"
)

// CombinedAuthHandler wraps a server and authenticates requests
func CombinedAuthHandler(namespace string, r resolver.Resolver, h http.Handler) http.Handler {
	return authHandler{
		handler:   h,
		resolver:  r,
		auth:      auth.DefaultAuth,
		namespace: namespace,
	}
}

type authHandler struct {
	handler   http.Handler
	auth      auth.Auth
	resolver  resolver.Resolver
	namespace string
}

func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	// Extract the token from the request
	var token string
	if header := req.Header.Get("Authorization"); len(header) > 0 {
		// Extract the auth token from the request
		if strings.HasPrefix(header, auth.BearerScheme) {
			token = header[len(auth.BearerScheme):]
		}
	} else {
		// Get the token out the cookies if not provided in headers
		if c, err := req.Cookie("micro-token"); err == nil && c != nil {
			token = strings.TrimPrefix(c.Value, auth.TokenCookieName+"=")
			req.Header.Set("Authorization", auth.BearerScheme+token)
		}
	}

	// Get the account using the token, fallback to a blank account
	// since some endpoints can be unauthenticated, so the lack of an
	// account doesn't necesserially mean a forbidden request
	acc, err := h.auth.Inspect(token)
	if err != nil {
		acc = &auth.Account{}
	}

	// Determine the name of the service being requested
	endpoint, err := h.resolver.Resolve(req)
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	resName := h.namespace + "." + endpoint.Name

	// Perform the verification check to see if the account has access to
	// the resource they're requesting
	err = h.auth.Verify(acc, &auth.Resource{
		Type:     "service",
		Name:     resName,
		Endpoint: endpoint.Path,
	})

	// The account has the necessary permissions to access the
	// resource
	if err == nil {
		h.handler.ServeHTTP(w, req)
		return
	}

	// The account is set, but they don't have enough permissions,
	// hence we 403.
	if len(acc.ID) > 0 {
		w.WriteHeader(http.StatusForbidden)
		return
	}

	// If there is no auth login url set, 401
	loginURL := h.auth.Options().LoginURL
	if loginURL == "" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// Redirect to the login path
	params := url.Values{"redirect_to": {req.URL.Path}}
	loginWithRedirect := fmt.Sprintf("%v?%v", loginURL, params.Encode())
	http.Redirect(w, req, loginWithRedirect, http.StatusTemporaryRedirect)
}
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`package auth`

			`import (`
Pass redirect_to param on auth (#1361) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 23:04:16 +03:00			`"fmt"`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`"net/http"`
Pass redirect_to param on auth (#1361) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 23:04:16 +03:00			`"net/url"`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`"strings"`

Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00			`"github.com/micro/go-micro/v2/api/resolver"`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`"github.com/micro/go-micro/v2/auth"`
			`)`

			`// CombinedAuthHandler wraps a server and authenticates requests`
Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00			`func CombinedAuthHandler(namespace string, r resolver.Resolver, h http.Handler) http.Handler {`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`return authHandler{`
Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00			`handler: h,`
			`resolver: r,`
			`auth: auth.DefaultAuth,`
			`namespace: namespace,`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`
			`}`

			`type authHandler struct {`
Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00			`handler http.Handler`
			`auth auth.Auth`
			`resolver resolver.Resolver`
			`namespace string`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`

			`func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {`
Fix bug where auth token is not set from cookie when excluded endpoint (#1360) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 22:24:10 +03:00			`// Extract the token from the request`
			`var token string`
			`if header := req.Header.Get("Authorization"); len(header) > 0 {`
			`// Extract the auth token from the request`
Add ContextWithToken (#1407) * Add ContextWithToken * Tidying up BearerScheme Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-25 14:20:53 +03:00			`if strings.HasPrefix(header, auth.BearerScheme) {`
			`token = header[len(auth.BearerScheme):]`
Fix bug where auth token is not set from cookie when excluded endpoint (#1360) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 22:24:10 +03:00			`}`
			`} else {`
			`// Get the token out the cookies if not provided in headers`
			`if c, err := req.Cookie("micro-token"); err == nil && c != nil {`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`token = strings.TrimPrefix(c.Value, auth.TokenCookieName+"=")`
Add ContextWithToken (#1407) * Add ContextWithToken * Tidying up BearerScheme Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-25 14:20:53 +03:00			`req.Header.Set("Authorization", auth.BearerScheme+token)`
Fix bug where auth token is not set from cookie when excluded endpoint (#1360) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 22:24:10 +03:00			`}`
			`}`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// Get the account using the token, fallback to a blank account`
			`// since some endpoints can be unauthenticated, so the lack of an`
			`// account doesn't necesserially mean a forbidden request`
			`acc, err := h.auth.Inspect(token)`
			`if err != nil {`
			`acc = &auth.Account{}`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`
Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00
			`// Determine the name of the service being requested`
			`endpoint, err := h.resolver.Resolve(req)`
			`if err != nil {`
			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`
			`resName := h.namespace + "." + endpoint.Name`

			`// Perform the verification check to see if the account has access to`
			`// the resource they're requesting`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`err = h.auth.Verify(acc, &auth.Resource{`
			`Type: "service",`
Pass resolver to api auth handler 2020-04-02 19:44:48 +03:00			`Name: resName,`
			`Endpoint: endpoint.Path,`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`})`
Support Wildcard Auth Excludes (#1357) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 19:03:49 +03:00
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// The account has the necessary permissions to access the`
			`// resource`
			`if err == nil {`
			`h.handler.ServeHTTP(w, req)`
			`return`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`

Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`// The account is set, but they don't have enough permissions,`
			`// hence we 403.`
			`if len(acc.ID) > 0 {`
			`w.WriteHeader(http.StatusForbidden)`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`return`
			`}`

			`// If there is no auth login url set, 401`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`loginURL := h.auth.Options().LoginURL`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`if loginURL == "" {`
Updated auth interface (#1384) * Updated auth interface * Add Rule * Remove Rule * Return token from Renew * Renew => Refresh * Implement Tokens & Default Auth Implementation * Change default auth to noop * Change default auth to noop * Move token.Token to auth.Token * Remove Token from Account * Auth service implementation * Decode JWT locally * Cookie for secret * Move string to bottom of interface definition * Depricate auth_exclude * Update auth wrappers * Update go.sum Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-23 19:19:30 +03:00			`w.WriteHeader(http.StatusUnauthorized)`
Return store.ErrNotFound if not found when calling over rpc (#1353) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-16 13:30:56 +03:00			`return`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`

			`// Redirect to the login path`
Pass redirect_to param on auth (#1361) Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-17 23:04:16 +03:00			`params := url.Values{"redirect_to": {req.URL.Path}}`
			`loginWithRedirect := fmt.Sprintf("%v?%v", loginURL, params.Encode())`
			`http.Redirect(w, req, loginWithRedirect, http.StatusTemporaryRedirect)`
Auth Provider (#1309) * auth provider mock interface * Auth Provider Options * Implement API Server Auth Package * Add weh utils * Add Login URL * Auth Provider Options * Add auth provider scope and setting token in cookie * Remove auth_login_url flag Co-authored-by: Asim Aslam <asim@aslam.me> Co-authored-by: Ben Toogood <ben@micro.mu> 2020-03-07 14:06:57 +03:00			`}`