Beego/plugins/apiauth/apiauth.go

// Copyright 2014 beego Author. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package apiauth provides handlers to enable apiauth support.
//
// Simple Usage:
//	import(
//		"github.com/astaxie/beego"
//		"github.com/astaxie/beego/plugins/apiauth"
//	)
//
//	func main(){
//		// apiauth every request
//		beego.InsertFilter("*", beego.BeforeRouter,apiauth.APIBaiscAuth("appid","appkey"))
//		beego.Run()
//	}
//
// Advanced Usage:
//
//	func getAppSecret(appid string) string {
//		// get appsecret by appid
//		// maybe store in configure, maybe in database
//	}
//
//	beego.InsertFilter("*", beego.BeforeRouter,apiauth.APISecretAuth(getAppSecret, 360))
//
// Information:
//
// In the request user should include these params in the query
//
// 1. appid
//
//		 appid is assigned to the application
//
// 2. signature
//
//	get the signature use apiauth.Signature()
//
//	when you send to server remember use url.QueryEscape()
//
// 3. timestamp:
//
//       send the request time, the format is yyyy-mm-dd HH:ii:ss
//
package apiauth

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"time"

	"github.com/astaxie/beego"
	"github.com/astaxie/beego/context"
)

// AppIDToAppSecret is used to get appsecret throw appid
type AppIDToAppSecret func(string) string

// APIBasicAuth use the basic appid/appkey as the AppIdToAppSecret
func APIBasicAuth(appid, appkey string) beego.FilterFunc {
	ft := func(aid string) string {
		if aid == appid {
			return appkey
		}
		return ""
	}
	return APISecretAuth(ft, 300)
}

// APIBaiscAuth calls APIBasicAuth for previous callers
func APIBaiscAuth(appid, appkey string) beego.FilterFunc {
	return APIBasicAuth(appid, appkey)
}

// APISecretAuth use AppIdToAppSecret verify and
func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {
	return func(ctx *context.Context) {
		if ctx.Input.Query("appid") == "" {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("miss query param: appid")
			return
		}
		appsecret := f(ctx.Input.Query("appid"))
		if appsecret == "" {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("not exist this appid")
			return
		}
		if ctx.Input.Query("signature") == "" {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("miss query param: signature")
			return
		}
		if ctx.Input.Query("timestamp") == "" {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("miss query param: timestamp")
			return
		}
		u, err := time.Parse("2006-01-02 15:04:05", ctx.Input.Query("timestamp"))
		if err != nil {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("timestamp format is error, should 2006-01-02 15:04:05")
			return
		}
		t := time.Now()
		if t.Sub(u).Seconds() > float64(timeout) {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("timeout! the request time is long ago, please try again")
			return
		}
		if ctx.Input.Query("signature") !=
			Signature(appsecret, ctx.Input.Method(), ctx.Request.Form, ctx.Input.URL()) {
			ctx.ResponseWriter.WriteHeader(403)
			ctx.WriteString("auth failed")
		}
	}
}

// Signature used to generate signature with the appsecret/method/params/RequestURI
func Signature(appsecret, method string, params url.Values, RequestURL string) (result string) {
	var b bytes.Buffer
	keys := make([]string, len(params))
	pa := make(map[string]string)
	for k, v := range params {
		pa[k] = v[0]
		keys = append(keys, k)
	}

	sort.Strings(keys)

	for _, key := range keys {
		if key == "signature" {
			continue
		}

		val := pa[key]
		if key != "" && val != "" {
			b.WriteString(key)
			b.WriteString(val)
		}
	}

	stringToSign := fmt.Sprintf("%v\n%v\n%v\n", method, b.String(), RequestURL)

	sha256 := sha256.New
	hash := hmac.New(sha256, []byte(appsecret))
	hash.Write([]byte(stringToSign))
	return base64.StdEncoding.EncodeToString(hash.Sum(nil))
}
aws api auth plugins 2014-08-27 16:25:50 +00:00			`// Copyright 2014 beego Author. All Rights Reserved.`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`// Package apiauth provides handlers to enable apiauth support.`
modify the comments 2014-08-28 02:21:32 +00:00			`//`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`// Simple Usage:`
			`// import(`
			`// "github.com/astaxie/beego"`
			`// "github.com/astaxie/beego/plugins/apiauth"`
			`// )`
			`//`
			`// func main(){`
			`// // apiauth every request`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`// beego.InsertFilter("*", beego.BeforeRouter,apiauth.APIBaiscAuth("appid","appkey"))`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`// beego.Run()`
			`// }`
			`//`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`// Advanced Usage:`
			`//`
			`// func getAppSecret(appid string) string {`
			`// // get appsecret by appid`
modify the comments 2014-08-28 02:21:32 +00:00			`// // maybe store in configure, maybe in database`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`// }`
			`//`
golint plugins 2015-09-12 14:03:45 +00:00			`// beego.InsertFilter("*", beego.BeforeRouter,apiauth.APISecretAuth(getAppSecret, 360))`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
fix the misspell99 2016-03-11 04:14:18 +00:00			`// Information:`
modify the comments 2014-08-28 02:21:32 +00:00			`//`
			`// In the request user should include these params in the query`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
modify the comments 2014-08-28 02:21:32 +00:00			`// 1. appid`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
fix typo 2016-01-17 15:48:17 +00:00			`// appid is assigned to the application`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
modify the comments 2014-08-28 02:21:32 +00:00			`// 2. signature`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
modify the comments 2014-08-28 02:21:32 +00:00			`// get the signature use apiauth.Signature()`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
modify the comments 2014-08-28 02:21:32 +00:00			`// when you send to server remember use url.QueryEscape()`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
modify the comments 2014-08-28 02:21:32 +00:00			`// 3. timestamp:`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`//`
			`// send the request time, the format is yyyy-mm-dd HH:ii:ss`
			`//`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`package apiauth`

			`import (`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00			`"bytes"`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`"crypto/hmac"`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"fmt"`
			`"net/url"`
			`"sort"`
			`"time"`

			`"github.com/astaxie/beego"`
			`"github.com/astaxie/beego/context"`
			`)`

golint plugins 2015-09-12 14:03:45 +00:00			`// AppIDToAppSecret is used to get appsecret throw appid`
			`type AppIDToAppSecret func(string) string`
aws api auth plugins 2014-08-27 16:25:50 +00:00
APIBaiscAuth is misspelling of APIBasicAuth Corrected APIBaiscAuth to APIBasicAuth. Maintained old name (forwarding to new one) for those still using the previous API function name. 2019-02-12 18:00:11 +00:00			`// APIBasicAuth use the basic appid/appkey as the AppIdToAppSecret`
			`func APIBasicAuth(appid, appkey string) beego.FilterFunc {`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ft := func(aid string) string {`
			`if aid == appid {`
			`return appkey`
			`}`
			`return ""`
			`}`
golint plugins 2015-09-12 14:03:45 +00:00			`return APISecretAuth(ft, 300)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`}`

APIBaiscAuth is misspelling of APIBasicAuth Corrected APIBaiscAuth to APIBasicAuth. Maintained old name (forwarding to new one) for those still using the previous API function name. 2019-02-12 18:00:11 +00:00			`// APIBaiscAuth calls APIBasicAuth for previous callers`
			`func APIBaiscAuth(appid, appkey string) beego.FilterFunc {`
Update apiauth.go fixed infinite recursive call 2019-03-14 13:14:12 +00:00			`return APIBasicAuth(appid, appkey)`
APIBaiscAuth is misspelling of APIBasicAuth Corrected APIBaiscAuth to APIBasicAuth. Maintained old name (forwarding to new one) for those still using the previous API function name. 2019-02-12 18:00:11 +00:00			`}`

golint plugins 2015-09-12 14:03:45 +00:00			`// APISecretAuth use AppIdToAppSecret verify and`
			`func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`return func(ctx *context.Context) {`
			`if ctx.Input.Query("appid") == "" {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("miss query param: appid")`
			`return`
			`}`
			`appsecret := f(ctx.Input.Query("appid"))`
			`if appsecret == "" {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("not exist this appid")`
			`return`
			`}`
			`if ctx.Input.Query("signature") == "" {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("miss query param: signature")`
			`return`
			`}`
			`if ctx.Input.Query("timestamp") == "" {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("miss query param: timestamp")`
			`return`
			`}`
			`u, err := time.Parse("2006-01-02 15:04:05", ctx.Input.Query("timestamp"))`
			`if err != nil {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("timestamp format is error, should 2006-01-02 15:04:05")`
			`return`
			`}`
			`t := time.Now()`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`if t.Sub(u).Seconds() > float64(timeout) {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("timeout! the request time is long ago, please try again")`
			`return`
			`}`
			`if ctx.Input.Query("signature") !=`
RequestURI captures the signature field as well. This in turn results is failure of signature based validation. So what is need is only "/api/resource/action". which is given by ctx.Input.URL() 2016-09-04 06:06:17 +00:00			`Signature(appsecret, ctx.Input.Method(), ctx.Request.Form, ctx.Input.URL()) {`
fix the http: multiple response.WriteHeader calls 2015-08-28 15:08:00 +00:00			`ctx.ResponseWriter.WriteHeader(403)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`ctx.WriteString("auth failed")`
			`}`
			`}`
			`}`

golint plugins 2015-09-12 14:03:45 +00:00			`// Signature used to generate signature with the appsecret/method/params/RequestURI`
RequestURI captures the signature field as well. This in turn results is failure of signature based validation. So what is need is only "/api/resource/action". which is given by ctx.Input.URL() 2016-09-04 06:06:17 +00:00			`func Signature(appsecret, method string, params url.Values, RequestURL string) (result string) {`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00			`var b bytes.Buffer`
			`keys := make([]string, len(params))`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`pa := make(map[string]string)`
			`for k, v := range params {`
			`pa[k] = v[0]`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00			`keys = append(keys, k)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`}`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00
			`sort.Strings(keys)`

			`for _, key := range keys {`
			`if key == "signature" {`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`continue`
			`}`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00
			`val := pa[key]`
			`if key != "" && val != "" {`
			`b.WriteString(key)`
			`b.WriteString(val)`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`}`
			`}`
1.simplify reading and writing file code 2.add apiauth test 2017-02-10 01:35:23 +00:00
			`stringToSign := fmt.Sprintf("%v\n%v\n%v\n", method, b.String(), RequestURL)`
aws api auth plugins 2014-08-27 16:25:50 +00:00
			`sha256 := sha256.New`
			`hash := hmac.New(sha256, []byte(appsecret))`
golint plugins 2015-09-12 14:03:45 +00:00			`hash.Write([]byte(stringToSign))`
apiauth add more comments & improve 2014-08-28 02:05:02 +00:00			`return base64.StdEncoding.EncodeToString(hash.Sum(nil))`
aws api auth plugins 2014-08-27 16:25:50 +00:00			`}`