127 lines
2.6 KiB
Go
127 lines
2.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
)
|
|
|
|
func Authenticate() fiber.Handler {
|
|
return func(ctx *fiber.Ctx) error {
|
|
header := ctx.Get(fiber.HeaderAuthorization)
|
|
authCtx, err := authHeader(ctx.Context(), header)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if authCtx == nil {
|
|
authCtx = &AuthCtx{}
|
|
}
|
|
|
|
SetAuthCtx(ctx, authCtx)
|
|
return ctx.Next()
|
|
}
|
|
}
|
|
|
|
func authHeader(ctx context.Context, header string) (*AuthCtx, error) {
|
|
if header == "" {
|
|
return nil, nil
|
|
}
|
|
|
|
var split = strings.Split(header, " ")
|
|
if len(split) != 2 {
|
|
slog.Debug("Authorization 头格式不正确")
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
var token = strings.TrimSpace(split[1])
|
|
if token == "" {
|
|
slog.Debug("提供的令牌为空")
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
var authCtx *AuthCtx
|
|
var err error
|
|
switch split[0] {
|
|
|
|
case "Bearer":
|
|
authCtx, err = authBearer(ctx, token)
|
|
if err != nil {
|
|
slog.Debug("Bearer 认证失败", "err", err)
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
case "Basic":
|
|
authCtx, err = authBasic(ctx, token)
|
|
if err != nil {
|
|
slog.Debug("Basic 认证失败", "err", err)
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
default:
|
|
slog.Debug("无效的认证方式", "method", split[0])
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
return authCtx, err
|
|
}
|
|
|
|
func authBearer(_ context.Context, token string) (*AuthCtx, error) {
|
|
session, err := FindSession(token, time.Now())
|
|
if err != nil {
|
|
slog.Debug("Bearer 认证失败", "err", err)
|
|
return nil, ErrAuthenticateUnauthorize
|
|
}
|
|
|
|
scopes := []string{}
|
|
if session.Scopes != nil {
|
|
scopes = strings.Split(*session.Scopes, " ")
|
|
}
|
|
return &AuthCtx{
|
|
User: session.User,
|
|
Admin: session.Admin,
|
|
Client: session.Client,
|
|
Scopes: scopes,
|
|
Session: session,
|
|
}, nil
|
|
}
|
|
|
|
func authBasic(_ context.Context, token string) (*AuthCtx, error) {
|
|
|
|
// 解析 Basic 认证信息
|
|
var base, err = base64.RawURLEncoding.DecodeString(token)
|
|
if err != nil {
|
|
base, err = base64.URLEncoding.DecodeString(token)
|
|
if err != nil {
|
|
return nil, errors.New("令牌格式错误,无法解析令牌")
|
|
}
|
|
}
|
|
|
|
var split = strings.Split(string(base), ":")
|
|
if len(split) != 2 {
|
|
return nil, errors.New("令牌格式错误,必须是 <client_id>:<client_secret> 格式")
|
|
}
|
|
|
|
client, err := authClient(split[0], split[1])
|
|
if err != nil {
|
|
return nil, fmt.Errorf("客户端认证失败:%w", err)
|
|
}
|
|
|
|
scopes := []string{}
|
|
if client.Permissions != nil {
|
|
for _, p := range client.Permissions {
|
|
scopes = append(scopes, p.Name)
|
|
}
|
|
}
|
|
return &AuthCtx{
|
|
Client: client,
|
|
Scopes: scopes,
|
|
}, nil
|
|
}
|