forked from TykTechnologies/tyk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmw_auth_key.go
126 lines (101 loc) · 2.85 KB
/
mw_auth_key.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
package main
import (
"errors"
"net/http"
"strings"
"github.com/Sirupsen/logrus"
"github.com/TykTechnologies/tyk/apidef"
)
// KeyExists will check if the key being used to access the API is in the request data,
// and then if the key is in the storage engine
type AuthKey struct {
BaseMiddleware
}
func (k *AuthKey) Name() string {
return "AuthKey"
}
func (k *AuthKey) setContextVars(r *http.Request, token string) {
// Flatten claims and add to context
if !k.Spec.EnableContextVars {
return
}
if cnt := ctxGetData(r); cnt != nil {
// Key data
cnt["token"] = token
ctxSetData(r, cnt)
}
}
func (k *AuthKey) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int) {
config := k.Spec.Auth
key := r.Header.Get(config.AuthHeaderName)
paramName := config.ParamName
if config.UseParam || paramName != "" {
if paramName == "" {
paramName = config.AuthHeaderName
}
paramValue := r.URL.Query().Get(paramName)
// Only use the paramValue if it has an actual value
if paramValue != "" {
key = paramValue
}
}
cookieName := config.CookieName
if config.UseCookie || cookieName != "" {
if cookieName == "" {
cookieName = config.AuthHeaderName
}
authCookie, err := r.Cookie(cookieName)
cookieValue := ""
if err == nil {
cookieValue = authCookie.Value
}
if cookieValue != "" {
key = cookieValue
}
}
if key == "" {
// No header value, fail
log.WithFields(logrus.Fields{
"path": r.URL.Path,
"origin": requestIP(r),
}).Info("Attempted access with malformed header, no auth header found.")
return errors.New("Authorization field missing"), 401
}
// Ignore Bearer prefix on token if it exists
key = stripBearer(key)
// Check if API key valid
session, keyExists := k.CheckSessionAndIdentityForValidKey(key)
if !keyExists {
log.WithFields(logrus.Fields{
"path": r.URL.Path,
"origin": requestIP(r),
"key": key,
}).Info("Attempted access with non-existent key.")
// Fire Authfailed Event
AuthFailed(k, r, key)
// Report in health check
reportHealthValue(k.Spec, KeyFailure, "1")
return errors.New("Key not authorised"), 403
}
// Set session state on context, we will need it later
switch k.Spec.BaseIdentityProvidedBy {
case apidef.AuthToken, apidef.UnsetAuth:
ctxSetSession(r, &session)
ctxSetAuthToken(r, key)
k.setContextVars(r, key)
}
return nil, 200
}
func stripBearer(token string) string {
token = strings.Replace(token, "Bearer", "", 1)
token = strings.Replace(token, "bearer", "", 1)
return strings.TrimSpace(token)
}
func AuthFailed(m TykMiddleware, r *http.Request, token string) {
m.Base().FireEvent(EventAuthFailure, EventKeyFailureMeta{
EventMetaDefault: EventMetaDefault{Message: "Auth Failure", OriginatingRequest: EncodeRequestToEvent(r)},
Path: r.URL.Path,
Origin: requestIP(r),
Key: token,
})
}