implemented login and jwt auth

internal/api/handler.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 
 	v1 "github.com/yusing/go-proxy/internal/api/v1"
+	"github.com/yusing/go-proxy/internal/api/v1/auth"
 	. "github.com/yusing/go-proxy/internal/api/v1/utils"
 	"github.com/yusing/go-proxy/internal/common"
 	"github.com/yusing/go-proxy/internal/config"
@@ -25,16 +26,17 @@ func NewHandler() http.Handler {
 	mux := NewServeMux()
 	mux.HandleFunc("GET", "/v1", v1.Index)
 	mux.HandleFunc("GET", "/v1/version", v1.GetVersion)
-	mux.HandleFunc("GET", "/v1/checkhealth", v1.CheckHealth)
-	mux.HandleFunc("HEAD", "/v1/checkhealth", v1.CheckHealth)
+	// mux.HandleFunc("GET", "/v1/checkhealth", v1.CheckHealth)
+	// mux.HandleFunc("HEAD", "/v1/checkhealth", v1.CheckHealth)
+	mux.HandleFunc("POST", "/v1/login", auth.LoginHandler)
 	mux.HandleFunc("POST", "/v1/reload", v1.Reload)
-	mux.HandleFunc("GET", "/v1/list", v1.List)
-	mux.HandleFunc("GET", "/v1/list/{what}", v1.List)
-	mux.HandleFunc("GET", "/v1/list/{what}/{which}", v1.List)
-	mux.HandleFunc("GET", "/v1/file", v1.GetFileContent)
-	mux.HandleFunc("GET", "/v1/file/{filename...}", v1.GetFileContent)
-	mux.HandleFunc("POST", "/v1/file/{filename...}", v1.SetFileContent)
-	mux.HandleFunc("PUT", "/v1/file/{filename...}", v1.SetFileContent)
+	mux.HandleFunc("GET", "/v1/list", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/list/{what}/{which}", auth.RequireAuth(v1.List))
+	mux.HandleFunc("GET", "/v1/file", auth.RequireAuth(v1.GetFileContent))
+	mux.HandleFunc("GET", "/v1/file/{filename...}", auth.RequireAuth(v1.GetFileContent))
+	mux.HandleFunc("POST", "/v1/file/{filename...}", auth.RequireAuth(v1.SetFileContent))
+	mux.HandleFunc("PUT", "/v1/file/{filename...}", auth.RequireAuth(v1.SetFileContent))
 	mux.HandleFunc("GET", "/v1/stats", v1.Stats)
 	mux.HandleFunc("GET", "/v1/stats/ws", v1.StatsWS)
 	return mux

internal/api/v1/auth/auth.go

@@ -0,0 +1,126 @@
+package auth
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	U "github.com/yusing/go-proxy/internal/api/v1/utils"
+	"github.com/yusing/go-proxy/internal/common"
+	E "github.com/yusing/go-proxy/internal/error"
+	"github.com/yusing/go-proxy/internal/utils/strutils"
+)
+
+type (
+	Credentials struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}
+	Claims struct {
+		Username string `json:"username"`
+		jwt.RegisteredClaims
+	}
+)
+
+var (
+	ErrInvalidUsername = E.New("invalid username")
+	ErrInvalidPassword = E.New("invalid password")
+)
+
+const tokenExpiration = 24 * time.Hour
+
+const jwtClaimKeyUsername = "username"
+
+func validatePassword(cred *Credentials) error {
+	if cred.Username != common.APIUser {
+		return ErrInvalidUsername.Subject(cred.Username)
+	}
+	if !bytes.Equal(common.HashPassword(cred.Password), common.APIPasswordHash) {
+		return ErrInvalidPassword.Subject(cred.Password)
+	}
+	return nil
+}
+
+func LoginHandler(w http.ResponseWriter, r *http.Request) {
+	var creds Credentials
+	err := json.NewDecoder(r.Body).Decode(&creds)
+	if err != nil {
+		U.HandleErr(w, r, err, http.StatusBadRequest)
+		return
+	}
+	if err := validatePassword(&creds); err != nil {
+		U.HandleErr(w, r, err, http.StatusUnauthorized)
+		return
+	}
+
+	expiresAt := time.Now().Add(tokenExpiration)
+	claim := &Claims{
+		Username: creds.Username,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodES512, claim)
+	tokenStr, err := token.SignedString(common.APIJWTSecret)
+	if err != nil {
+		U.HandleErr(w, r, err)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "token",
+		Value:    tokenStr,
+		Expires:  expiresAt,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	})
+	w.WriteHeader(http.StatusOK)
+}
+
+func RequireAuth(next http.HandlerFunc) http.HandlerFunc {
+	if common.IsDebugSkipAuth {
+		return next
+	}
+
+	return func(w http.ResponseWriter, r *http.Request) {
+		if checkToken(w, r) {
+			next(w, r)
+		}
+	}
+}
+
+func checkToken(w http.ResponseWriter, r *http.Request) (ok bool) {
+	tokenCookie, err := r.Cookie("token")
+	if err != nil {
+		U.HandleErr(w, r, E.PrependSubject("token", err), http.StatusUnauthorized)
+		return false
+	}
+	var claims Claims
+	token, err := jwt.ParseWithClaims(tokenCookie.Value, &claims, func(t *jwt.Token) (interface{}, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", t.Header["alg"])
+		}
+		return common.APIJWTSecret, nil
+	})
+
+	switch {
+	case err != nil:
+		break
+	case !token.Valid:
+		err = E.New("invalid token")
+	case claims.Username != common.APIUser:
+		err = E.New("username mismatch").Subject(claims.Username)
+	case claims.ExpiresAt.Before(time.Now()):
+		err = E.Errorf("token expired on %s", strutils.FormatTime(claims.ExpiresAt.Time))
+	}
+
+	if err != nil {
+		U.HandleErr(w, r, err, http.StatusForbidden)
+		return false
+	}
+
+	return true
+}

internal/api/v1/utils/error.go

@@ -6,16 +6,21 @@ import (
 	E "github.com/yusing/go-proxy/internal/error"
 )
 
+// HandleErr logs the error and returns an HTTP error response to the client.
+// If code is specified, it will be used as the HTTP status code; otherwise,
+// http.StatusInternalServerError is used.
+//
+// The error is only logged but not returned to the client.
 func HandleErr(w http.ResponseWriter, r *http.Request, origErr error, code ...int) {
 	if origErr == nil {
 		return
 	}
 	LogError(r).Msg(origErr.Error())
+	statusCode := http.StatusInternalServerError
 	if len(code) > 0 {
-		http.Error(w, origErr.Error(), code[0])
-		return
+		statusCode = code[0]
 	}
-	http.Error(w, origErr.Error(), http.StatusInternalServerError)
+	http.Error(w, http.StatusText(statusCode), statusCode)
 }
 
 func ErrMissingKey(k string) error {