basic_auth_ext

package module
v0.0.0-...-76a89dc Latest
Published: Feb 5, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

README

caddy-basic-auth-ext

Extends Caddy's basic auth module with file-based account records (similar to nginx's password files) and simple group-based permission controls.

Usage

Caddyfile
basic_auth_ext [<matcher>] [<hash_algorithm> [<realm>]] {
    file <filename>
    [permission <permission-group>]
}
Account File

Each line is one account record; its fields are separated by one or more blanks (spaces, tabs, etc.):

username    group1,group2,group3    hashed-password

username must be unique within the file;

groups are comma-separated; group names are case-sensitive and should contain only alphanumeric characters and underscores;

hashed-password is in Modular Crypt Format, for example the output of caddy hash-password --algorithm <hash_algorithm> <password>
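As an added illustration that is not part of this module's code, here is a stand-alone Go parser for the account-file format described above. It enforces the stated rules: one record per line split on blanks, unique usernames, group names limited to alphanumerics and underscores, and a hash in Modular Crypt Format (checked only by its leading $ here; the actual bcrypt comparison is left to caddyauth, as in the module). The InGroup helper mirrors the documented behaviour that an empty permission group always matches. The type and function names are assumptions of this example, not the module's API.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

type Account struct {
	Username string
	Password []byte              // hash in Modular Crypt Format, kept opaque here
	Groups   map[string]struct{} // groups held as a set of strings
}

var groupRe = regexp.MustCompile(`^[A-Za-z0-9_]+$`) // alphanumerics and underscores only

// InGroup follows the documented semantics: an empty group always matches.
func (a *Account) InGroup(group string) bool {
	_, ok := a.Groups[group]
	return group == "" || ok
}

// ParseAccounts reads one record per line (username, comma-separated groups,
// hash, split by one or more blanks) and rejects malformed or duplicate records.
func ParseAccounts(text string) (map[string]*Account, error) {
	accounts := map[string]*Account{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue // skip blank lines
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "$") {
			return nil, fmt.Errorf("line %d: want 'user groups $hash', got %q", n, sc.Text())
		}
		if _, dup := accounts[f[0]]; dup {
			return nil, fmt.Errorf("line %d: duplicate username %q", n, f[0])
		}
		acct := &Account{Username: f[0], Password: []byte(f[2]), Groups: map[string]struct{}{}}
		for _, g := range strings.Split(f[1], ",") {
			if !groupRe.MatchString(g) {
				return nil, fmt.Errorf("line %d: invalid group name %q", n, g)
			}
			acct.Groups[g] = struct{}{}
		}
		accounts[f[0]] = acct
	}
	return accounts, sc.Err()
}
```

A malformed line fails the whole load rather than being skipped, so a typo in the file cannot silently drop an account or, worse, leave a record with an unintended group set.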

Sample Caddyfile & Account File

Caddyfile

{
	order basic_auth_ext before basic_auth
}

api.example.com {
	route /test {

		basic_auth_ext {
			file /path/to/accounts-demo.txt
			permission demo1
		}


		respond "User authenticated with ID: {http.auth.user.id} @ {http.auth.user.groups}"
	}
}

Account

accounts-demo.txt

test    demo1,demo2     $2a$14$LfmwCC8zryYMswbPZ8MxDOi0.BJveyPHat6o4UGekAZd.o8ZQRMsa
test2   demo2           $2a$14$drZc7KI0tCqdG.0mNWTgl.KkH8thh4rI/QMdxt2/FJEWDPOdJ9fGq

Documentation

Index

Constants

This section is empty.

Variables

var GetAccountMangerInstance = sync.OnceValue(NewAccountManager)

Functions

func AccountInfoCheckGroup

func AccountInfoCheckGroup(group string) bool

Types

type Account

type Account struct {

	// A user's username.
	Username string

	Password []byte

	// A user's groups, used as a set of strings;
	// group names are case-sensitive and should only contain alphanumeric characters and underscores.
	// Stored in
	Groups map[string]struct{}
}

func (*Account) AddGroup

func (info *Account) AddGroup(group string) bool

Add a group to a user

func (*Account) InGroup

func (info *Account) InGroup(group string) bool

Check if a user is in a group; if group is empty, always return true

func (*Account) RemoveGroup

func (info *Account) RemoveGroup(group string)

Remove a group from a user

type AccountManager

type AccountManager struct {
	// contains filtered or unexported fields
}

func NewAccountManager

func NewAccountManager() *AccountManager

func (*AccountManager) Load

func (m *AccountManager) Load(filePath string, hash caddyauth.Comparer) (*Accounts, error)

type Accounts

type Accounts struct {

	// The file path
	File string

	// The hash algorithm used to hash the passwords
	Hash caddyauth.Comparer

	// The accounts in the file
	Accounts map[string]*Account
}

Accounts is a list of accounts from one file

func ParseAccountsFromFile

func ParseAccountsFromFile(filePath string, hash caddyauth.Comparer) (*Accounts, error)

func (*Accounts) GetAccount

func (a *Accounts) GetAccount(username string) *Account

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache enables caching of basic auth results. This is especially helpful for secure password hashes which can be expensive to compute on every HTTP request.

func (*Cache) Compare

func (c *Cache) Compare(hashedPassword []byte, plaintextPassword []byte) (bool, error)

Compare implements caddyauth.Comparer.

type HTTPBasicAuthExt

type HTTPBasicAuthExt struct {
	// The algorithm with which the passwords are hashed. Default: bcrypt
	HashRaw json.RawMessage `json:"hash,omitempty" caddy:"namespace=http.authentication.hashes inline_key=algorithm"`

	// account file
	File string `json:"file,omitempty"`

	// permission (group) for this module
	Permission string `json:"permission,omitempty"`

	// The name of the realm. Default: restricted
	Realm string `json:"realm,omitempty"`

	// If non-nil, a mapping of plaintext passwords to their
	// hashes will be cached in memory (with random eviction).
	// This can greatly improve the performance of traffic-heavy
	// servers that use secure password hashing algorithms, with
	// the downside that plaintext passwords will be stored in
	// memory for a longer time (this should not be a problem
	// as long as your machine is not compromised, at which point
	// all bets are off, since basicauth necessitates plaintext
	// passwords being received over the wire anyway). Note that
	// a cache hit does not mean it is a valid password.
	HashCache *Cache `json:"hash_cache,omitempty"`
	// contains filtered or unexported fields
}

HTTPBasicAuthExt facilitates HTTP basic authentication.

func (HTTPBasicAuthExt) Authenticate

func (hba HTTPBasicAuthExt) Authenticate(w http.ResponseWriter, req *http.Request) (caddyauth.User, bool, error)

Authenticate validates the user credentials in req and returns the user, if valid.

func (HTTPBasicAuthExt) CaddyModule

func (HTTPBasicAuthExt) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (*HTTPBasicAuthExt) Cleanup

func (hba *HTTPBasicAuthExt) Cleanup() error

Cleanup implements caddy.CleanerUpper.

func (*HTTPBasicAuthExt) Provision

func (hba *HTTPBasicAuthExt) Provision(ctx caddy.Context) error

Provision provisions the HTTP basic auth provider.

func (*HTTPBasicAuthExt) UnmarshalCaddyfile

func (hba *HTTPBasicAuthExt) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

parseCaddyfile sets up the handler from Caddyfile tokens. Syntax:

basic_auth_ext [<matcher>] [<hash_algorithm> [<realm>]] {
    file <filename>
    [permission <permission-group>]
}

If no hash algorithm is supplied, bcrypt will be assumed. UnmarshalCaddyfile implements caddyfile.Unmarshaler.
