mirror of
https://github.com/caddyserver/caddy.git
synced 2026-05-13 09:06:41 +00:00
caddyauth: set user placeholders before auth rejection (#7685)
* caddyauth: set user placeholders before auth rejection * docs: update auth placeholder comment
This commit is contained in:
Rayan Salhab
GitHub
parent
ef496e58ef
commit
7e77eec0ae
2 changed files with 90 additions and 7 deletions
|
|
@ -32,10 +32,10 @@ func init() {
|
|||
// Authentication is a middleware which provides user authentication.
|
||||
// Rejects requests with HTTP 401 if the request is not authenticated.
|
||||
//
|
||||
// After a successful authentication, the placeholder
|
||||
// When an authentication provider returns user information, the placeholder
|
||||
// `{http.auth.user.id}` will be set to the username, and also
|
||||
// `{http.auth.user.*}` placeholders may be set for any authentication
|
||||
// modules that provide user metadata.
|
||||
// modules that provide user metadata, even if authentication is rejected.
|
||||
//
|
||||
// In case of an error, the placeholder `{http.auth.<provider>.error}`
|
||||
// will be set to the error message returned by the authentication
|
||||
|
|
@ -91,6 +91,12 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
|
|||
repl.Set("http.auth."+provName+".error", err.Error())
|
||||
continue
|
||||
}
|
||||
if authed || user.ID != "" || len(user.Metadata) > 0 {
|
||||
repl.Set("http.auth.user.id", user.ID)
|
||||
for k, v := range user.Metadata {
|
||||
repl.Set("http.auth.user."+k, v)
|
||||
}
|
||||
}
|
||||
if authed {
|
||||
break
|
||||
}
|
||||
|
|
@ -99,11 +105,6 @@ func (a Authentication) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
|
|||
return caddyhttp.Error(http.StatusUnauthorized, fmt.Errorf("not authenticated"))
|
||||
}
|
||||
|
||||
repl.Set("http.auth.user.id", user.ID)
|
||||
for k, v := range user.Metadata {
|
||||
repl.Set("http.auth.user."+k, v)
|
||||
}
|
||||
|
||||
return next.ServeHTTP(w, r)
|
||||
}
|
||||
|
||||
|
|
|
|||
82
modules/caddyhttp/caddyauth/caddyauth_test.go
Normal file
82
modules/caddyhttp/caddyauth/caddyauth_test.go
Normal file
|
|
@ -0,0 +1,82 @@
|
|||
// Copyright 2015 Matthew Holt and The Caddy Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package caddyauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
|
||||
)
|
||||
|
||||
func TestAuthenticationSetsUserPlaceholdersOnUnauthorized(t *testing.T) {
|
||||
repl := caddy.NewReplacer()
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
req = req.WithContext(context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl))
|
||||
|
||||
a := Authentication{
|
||||
Providers: map[string]Authenticator{
|
||||
"test": staticAuthenticator{
|
||||
user: User{
|
||||
ID: "alice",
|
||||
Metadata: map[string]string{
|
||||
"role": "admin",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
nextCalled := false
|
||||
err := a.ServeHTTP(httptest.NewRecorder(), req, caddyhttp.HandlerFunc(func(http.ResponseWriter, *http.Request) error {
|
||||
nextCalled = true
|
||||
return nil
|
||||
}))
|
||||
if err == nil {
|
||||
t.Fatal("expected unauthorized error")
|
||||
}
|
||||
|
||||
var handlerErr caddyhttp.HandlerError
|
||||
if !errors.As(err, &handlerErr) {
|
||||
t.Fatalf("expected caddyhttp.HandlerError, got %T", err)
|
||||
}
|
||||
if handlerErr.StatusCode != http.StatusUnauthorized {
|
||||
t.Fatalf("expected status %d, got %d", http.StatusUnauthorized, handlerErr.StatusCode)
|
||||
}
|
||||
if nextCalled {
|
||||
t.Fatal("next handler was called")
|
||||
}
|
||||
|
||||
if got, ok := repl.GetString("http.auth.user.id"); !ok || got != "alice" {
|
||||
t.Fatalf("expected http.auth.user.id to be alice, got %q (ok=%v)", got, ok)
|
||||
}
|
||||
if got, ok := repl.GetString("http.auth.user.role"); !ok || got != "admin" {
|
||||
t.Fatalf("expected http.auth.user.role to be admin, got %q (ok=%v)", got, ok)
|
||||
}
|
||||
}
|
||||
|
||||
type staticAuthenticator struct {
|
||||
user User
|
||||
authed bool
|
||||
err error
|
||||
}
|
||||
|
||||
func (s staticAuthenticator) Authenticate(http.ResponseWriter, *http.Request) (User, bool, error) {
|
||||
return s.user, s.authed, s.err
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue