forked from TykTechnologies/tyk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmw_auth_key.go
123 lines (98 loc) · 3.12 KB
/
mw_auth_key.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
package main
import (
"errors"
"net/http"
"strings"
"github.com/TykTechnologies/tyk/apidef"
"github.com/TykTechnologies/tyk/certs"
"github.com/TykTechnologies/tyk/request"
)
// KeyExists will check if the key being used to access the API is in the request data,
// and then if the key is in the storage engine
type AuthKey struct {
BaseMiddleware
}
func (k *AuthKey) Name() string {
return "AuthKey"
}
func (k *AuthKey) setContextVars(r *http.Request, token string) {
// Flatten claims and add to context
if !k.Spec.EnableContextVars {
return
}
if cnt := ctxGetData(r); cnt != nil {
// Key data
cnt["token"] = token
ctxSetData(r, cnt)
}
}
func (k *AuthKey) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int) {
config := k.Spec.Auth
key := r.Header.Get(config.AuthHeaderName)
paramName := config.ParamName
if config.UseParam || paramName != "" {
if paramName == "" {
paramName = config.AuthHeaderName
}
paramValue := r.URL.Query().Get(paramName)
// Only use the paramValue if it has an actual value
if paramValue != "" {
key = paramValue
}
}
cookieName := config.CookieName
if config.UseCookie || cookieName != "" {
if cookieName == "" {
cookieName = config.AuthHeaderName
}
authCookie, err := r.Cookie(cookieName)
cookieValue := ""
if err == nil {
cookieValue = authCookie.Value
}
if cookieValue != "" {
key = cookieValue
}
}
// If key not provided in header or cookie and client certificate is provided, try to find certificate based key
if config.UseCertificate && key == "" && r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
key = generateToken(k.Spec.OrgID, certs.HexSHA256(r.TLS.PeerCertificates[0].Raw))
}
if key == "" {
// No header value, fail
k.Logger().Info("Attempted access with malformed header, no auth header found.")
return errors.New("Authorization field missing"), http.StatusUnauthorized
}
// Ignore Bearer prefix on token if it exists
key = stripBearer(key)
// Check if API key valid
session, keyExists := k.CheckSessionAndIdentityForValidKey(key, r)
if !keyExists {
k.Logger().WithField("key", obfuscateKey(key)).Info("Attempted access with non-existent key.")
// Fire Authfailed Event
AuthFailed(k, r, key)
// Report in health check
reportHealthValue(k.Spec, KeyFailure, "1")
return errors.New("Access to this API has been disallowed"), http.StatusForbidden
}
// Set session state on context, we will need it later
switch k.Spec.BaseIdentityProvidedBy {
case apidef.AuthToken, apidef.UnsetAuth:
ctxSetSession(r, &session, key, false)
k.setContextVars(r, key)
}
return nil, http.StatusOK
}
func stripBearer(token string) string {
token = strings.Replace(token, "Bearer", "", 1)
token = strings.Replace(token, "bearer", "", 1)
return strings.TrimSpace(token)
}
func AuthFailed(m TykMiddleware, r *http.Request, token string) {
m.Base().FireEvent(EventAuthFailure, EventKeyFailureMeta{
EventMetaDefault: EventMetaDefault{Message: "Auth Failure", OriginatingRequest: EncodeRequestToEvent(r)},
Path: r.URL.Path,
Origin: request.RealIP(r),
Key: token,
})
}