109 lines
3.0 KiB
Go
109 lines
3.0 KiB
Go
// auth/middleware.go
|
|
package auth
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"html/template"
|
|
"net/http"
|
|
"time"
|
|
)
|
|
|
|
type AuthMiddleware struct {
|
|
username string
|
|
password string
|
|
sessions *SessionManager
|
|
templates *template.Template
|
|
}
|
|
|
|
func NewAuthMiddleware(username, password string, sessions *SessionManager, templates *template.Template) *AuthMiddleware {
|
|
return &AuthMiddleware{
|
|
username: username,
|
|
password: password,
|
|
sessions: sessions,
|
|
templates: templates,
|
|
}
|
|
}
|
|
|
|
func (a *AuthMiddleware) Login(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == "GET" {
|
|
showError := r.URL.Query().Get("error") == "1"
|
|
a.serveLoginPage(w, showError)
|
|
return
|
|
}
|
|
|
|
if r.Method != "POST" {
|
|
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
username := r.FormValue("username")
|
|
password := r.FormValue("password")
|
|
|
|
// 使用常量时间比较防止时序攻击
|
|
usernameMatch := subtle.ConstantTimeCompare([]byte(username), []byte(a.username)) == 1
|
|
passwordMatch := subtle.ConstantTimeCompare([]byte(password), []byte(a.password)) == 1
|
|
|
|
if usernameMatch && passwordMatch {
|
|
sessionID := a.sessions.Create(30 * time.Minute)
|
|
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "session_id",
|
|
Value: sessionID,
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil, // 只在 HTTPS 时设置 Secure
|
|
SameSite: http.SameSiteStrictMode,
|
|
MaxAge: 1800,
|
|
})
|
|
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// 登录失败,延迟响应防止暴力破解
|
|
time.Sleep(2 * time.Second)
|
|
http.Redirect(w, r, "/login?error=1", http.StatusSeeOther)
|
|
}
|
|
|
|
func (a *AuthMiddleware) Logout(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie("session_id")
|
|
if err == nil {
|
|
a.sessions.Delete(cookie.Value)
|
|
}
|
|
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "session_id",
|
|
Value: "",
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil,
|
|
MaxAge: -1,
|
|
})
|
|
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
}
|
|
|
|
func (a *AuthMiddleware) Require(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie("session_id")
|
|
if err != nil || !a.sessions.Valid(cookie.Value) {
|
|
http.Redirect(w, r, "/login", http.StatusFound)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (a *AuthMiddleware) serveLoginPage(w http.ResponseWriter, showError bool) {
|
|
data := struct {
|
|
Error bool
|
|
}{
|
|
Error: showError,
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
if err := a.templates.ExecuteTemplate(w, "login.html", data); err != nil {
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
}
|
|
}
|