mirror of
https://github.com/hkalexling/Mango.git
synced 2026-04-24 00:03:12 -04:00
Alex Ling
104 lines
2.8 KiB
Crystal
104 lines
2.8 KiB
Crystal
require "kemal"
|
|
require "../storage"
|
|
require "../util/*"
|
|
|
|
class AuthHandler < Kemal::Handler
|
|
# Some of the code is copied form kemalcr/kemal-basic-auth on GitHub
|
|
|
|
BASIC = "Basic"
|
|
AUTH = "Authorization"
|
|
AUTH_MESSAGE = "Could not verify your access level for that URL.\n" \
|
|
"You have to login with proper credentials"
|
|
HEADER_LOGIN_REQUIRED = "Basic realm=\"Login Required\""
|
|
|
|
def require_basic_auth(env)
|
|
env.response.status_code = 401
|
|
env.response.headers["WWW-Authenticate"] = HEADER_LOGIN_REQUIRED
|
|
env.response.print AUTH_MESSAGE
|
|
call_next env
|
|
end
|
|
|
|
def validate_token(env)
|
|
token = env.session.string? "token"
|
|
!token.nil? && Storage.default.verify_token token
|
|
end
|
|
|
|
def validate_token_admin(env)
|
|
token = env.session.string? "token"
|
|
!token.nil? && Storage.default.verify_admin token
|
|
end
|
|
|
|
def validate_auth_header(env)
|
|
if env.request.headers[AUTH]?
|
|
if value = env.request.headers[AUTH]
|
|
if value.size > 0 && value.starts_with?(BASIC)
|
|
token = verify_user value
|
|
return false if token.nil?
|
|
|
|
env.session.string "token", token
|
|
return true
|
|
end
|
|
end
|
|
end
|
|
false
|
|
end
|
|
|
|
def verify_user(value)
|
|
username, password = Base64.decode_string(value[BASIC.size + 1..-1])
|
|
.split(":")
|
|
Storage.default.verify_user username, password
|
|
end
|
|
|
|
def handle_opds_auth(env)
|
|
if validate_token(env) || validate_auth_header(env)
|
|
call_next env
|
|
else
|
|
env.response.status_code = 401
|
|
env.response.headers["WWW-Authenticate"] = HEADER_LOGIN_REQUIRED
|
|
env.response.print AUTH_MESSAGE
|
|
end
|
|
end
|
|
|
|
def handle_auth(env)
|
|
if request_path_startswith(env, ["/login", "/logout"]) ||
|
|
requesting_static_file env
|
|
return call_next(env)
|
|
end
|
|
|
|
unless validate_token(env) || Config.current.disable_login
|
|
env.session.string "callback", env.request.path
|
|
return redirect env, "/login"
|
|
end
|
|
|
|
if request_path_startswith env, ["/admin", "/api/admin", "/download"]
|
|
# The token (if exists) takes precedence over the default user option.
|
|
# this is why we check the default username first before checking the
|
|
# token.
|
|
should_reject = true
|
|
if Config.current.disable_login &&
|
|
Storage.default.username_is_admin Config.current.default_username
|
|
should_reject = false
|
|
end
|
|
if env.session.string? "token"
|
|
should_reject = !validate_token_admin(env)
|
|
end
|
|
if should_reject
|
|
env.response.status_code = 403
|
|
send_error_page "HTTP 403: You are not authorized to visit " \
|
|
"#{env.request.path}"
|
|
return
|
|
end
|
|
end
|
|
|
|
call_next env
|
|
end
|
|
|
|
def call(env)
|
|
if request_path_startswith env, ["/opds"]
|
|
handle_opds_auth env
|
|
else
|
|
handle_auth env
|
|
end
|
|
end
|
|
end
|