Talk about persistent secret

Merge branch 'main' of https://github.com/nealey/simpleauth
actually working with caddy now
2022-09-10 14:05:46 -06:00 · 2022-09-10 13:56:59 -06:00 · 2022-09-10 13:55:04 -06:00
5 changed files with 107 additions and 88 deletions
--- a/README.md
+++ b/README.md
@ -9,7 +9,6 @@ I now use Caddy: it works with that too.
 All I need is a simple password, that's easy to fill with a password manager.
 This checks those boxes.

-
 ## Format of the `passwd` file

 It's just like `/etc/shadow`.
@ -22,11 +21,25 @@ until there's a Go library that supports everything.
 There's a program included called `crypt` that will output lines for this file.


+## Installation with Caddy
+
+Run simpleauth as a service.
+Make sure it can read your `passwd` file,
+which you set up in the previous section.
+
+You'll want a section like this in your Caddyfile:
+
+```
+forward_auth simpleauth:8080 {
+  uri /
+  copy_headers X-Simpleauth-Token
+}
+```
+
 ## Installation with Traefik

-You need to have traefik forward the Path `/` to this application.
-
-I only use docker swarm. You'd do something like the following:
+I don't use Traefik any longer, but when I did,
+I had it set up like this:

 ```yaml
 services:
@ -53,10 +66,23 @@ secrets:
    name: password-v1
 ```

-## Note
+# How It Works

-For some reason that I haven't bothered looking into,
-I have to first load `/` in the browser.
-I think it has something to do with cookies going through traefik simpleauth,
-and I could probably fix it with some JavaScript,
-but this is good enough for me.
+Simpleauth uses a token cookie, in addition to HTTP Basic authentication.
+The token is an HMAC digest of an expiration timestamp,
+plus the timestamp.
+When the HMAC is good, and the timestamp is in the future,
+the token is a valid authentication.
+This technique means there is no persistent server storage.
+
+If you use the default of pulling the session secret from the OS PRNG,
+then everybody will have to log in again every time the server restarts.
+You can use the `-secret` argument to provide a persistent secret,
+so this won't happen.
+
+Some things,
+like WebDAV,
+will only ever use HTTP Basic auth.
+That's okay:
+Simpleauth will issue a new token for every request,
+and the client will ignore it.
--- a/build/Containerfile
+++ b/build/Containerfile
@ -9,4 +9,4 @@ RUN go install -v ./...
 FROM alpine
 COPY --from=builder /go/bin/simpleauth /bin
 COPY --from=builder /go/src/app/static /static
-CMD ["/bin/simpleauth"]
+ENTRYPOINT ["/bin/simpleauth"]
--- a/cmd/simpleauth/main.go
+++ b/cmd/simpleauth/main.go
@ -17,13 +17,12 @@ import (
 	"github.com/nealey/simpleauth/pkg/token"
 )

-const CookieName = "auth"
+const CookieName = "simpleauth-token"

 var secret []byte = make([]byte, 256)
 var lifespan time.Duration
 var cryptedPasswords map[string]string
 var loginHtml []byte
-var successHtml []byte

 func authenticationValid(username, password string) bool {
 	c := crypt.SHA256.New()
@ -39,23 +38,19 @@ func rootHandler(w http.ResponseWriter, req *http.Request) {
 	if cookie, err := req.Cookie(CookieName); err == nil {
 		t, _ := token.ParseString(cookie.Value)
 		if t.Valid(secret) {
-			// Bypass logging and cookie setting:
-			// otherwise there is a torrent of logs
-			w.Write(successHtml)
+			fmt.Print(w, "Valid token")
 			return
 		}
 	}

-	authenticated := ""
-
-	if username, password, ok := req.BasicAuth(); ok {
-		if authenticationValid(username, password) {
-			authenticated = "HTTP-Basic"
-		}
+	acceptsHtml := false
+	if strings.Contains(req.Header.Get("Accept"), "text/html") {
+		acceptsHtml = true
 	}

-	if authenticationValid(req.FormValue("username"), req.FormValue("password")) {
-		authenticated = "Form"
+	authenticated := false
+	if username, password, ok := req.BasicAuth(); ok {
+		authenticated = authenticationValid(username, password)
 	}

 	// Log the request
@ -63,23 +58,40 @@ func rootHandler(w http.ResponseWriter, req *http.Request) {
 	if clientIP == "" {
 		clientIP = req.RemoteAddr
 	}
-	log.Printf("%s %s %s [%s]", clientIP, req.Method, req.URL, authenticated)
+	log.Printf("%s %s %s [auth:%v]", clientIP, req.Method, req.URL, authenticated)

-	if authenticated == "" {
+	if !authenticated {
+		w.Header().Set("Content-Type", "text/html")
+		if !acceptsHtml {
+			w.Header().Set("WWW-Authenticate", "Basic realm=\"simpleauth\"")
+		}
 		w.WriteHeader(http.StatusUnauthorized)
 		w.Write(loginHtml)
-	} else {
-		t := token.New(secret, time.Now().Add(lifespan))
-		http.SetCookie(w, &http.Cookie{
-			Name:     CookieName,
-			Value:    t.String(),
-			Path:     "/",
-			Secure:   true,
-			SameSite: http.SameSiteStrictMode,
-		})
-		w.WriteHeader(http.StatusOK)
-		w.Write(successHtml)
+		return
 	}
+
+	// Set Cookie
+	t := token.New(secret, time.Now().Add(lifespan))
+	http.SetCookie(w, &http.Cookie{
+		Name:     CookieName,
+		Value:    t.String(),
+		Path:     "/",
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+
+	// Set cookie value in our fancypants header
+	w.Header().Set("X-Simpleauth-Token", t.String())
+
+	if req.Header.Get("X-Simpleauth-Login") != "" {
+		// Caddy treats any response <300 as "please serve original content",
+		// so we'll use 302 (Found).
+		// According to RFC9110, the server SHOULD send a Location header with 302.
+		// We don't do that, because we don't know where to send you.
+		// It's possible 300 is a less incorrect code to use here.
+		w.WriteHeader(http.StatusFound)
+	}
+	fmt.Fprintln(w, "Authenticated")
 }

 func main() {
@ -134,10 +146,6 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	successHtml, err = ioutil.ReadFile(path.Join(*htmlPath, "success.html"))
-	if err != nil {
-		log.Fatal(err)
-	}

 	// Read in secret
 	f, err := os.Open(*secretPath)
--- a/static/login.html
+++ b/static/login.html
@ -3,7 +3,6 @@
  <head>
    <title>Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="icon" href="data:,">
    <style>
      html {
        font-family: sans-serif;
@ -20,39 +19,48 @@
    </style>
    <script>
      function error(msg) {
-        document.querySelector("#error").textContent = msg
-      }
+          document.querySelector("#error").textContent = msg
+        }

      async function login(evt) {
-        evt.preventDefault()
-        let data = new FormData(evt.target)
-        let username = data.get("username")
-        let password = data.get("password")
+          evt.preventDefault()
+          let data = new FormData(evt.target)
+          let username = data.get("username")
+          let password = data.get("password")

-        let headers = new Headers({
-          "Authorization": "Basic " + btoa(username + ":" + password),
-        })
-        let req = await fetch(evt.target.action, {
-          method: "GET",
-          headers: headers,
-          credentials: "same-origin",
-        })
-        if (! req.ok) {
-          error(req.statusText || "Authentication failed")
-          return
-        }
-        location.reload(true)
+          url = new URL(evt.target.action)
+          url.username = ""
+          url.password = ""
+
+          let headers = new Headers({
+              "Authorization": "Basic " + btoa(username + ":" + password),
+              "X-Simpleauth-Login": "true",
+          })
+          let req = await fetch(url, {
+              method: "GET",
+              headers: headers,
+              credentials: "same-origin",
+          })
+          let token = req.headers.get("X-Simpleauth-Token")
+          if (token) {
+            // Set a cookie, just in case
+            document.cookie = `simpleauth-token=${token}; path=/; Secure; SameSite=Strict`
+            location.reload(true)
+          } else {
+            error(req.statusText || "Authentication failed")
+          }
      }
-      function init() {
-        document.querySelector("form").addEventListener("submit", login)
+
+      async function init() {
+          document.querySelector("form").addEventListener("submit", login)
      }

      window.addEventListener("load", init)
    </script>
  </head>
  <body>
-    <h1>Log In</h1>
-    <form action="/" method="post">
+    <h1>Login</h1>
+    <form>
      <div>Username: <input type="text" autocomplete="username" name="username"></div>
      <div>Password: <input type="password" autocomplete="current-password" name="password"></div>
      <div><input type="submit" value="Log In"></div>
--- a/static/success.html
+++ b/static/success.html
@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-    <head>
-        <title>Welcome</title>
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <link rel="icon" href="data:,">
-        <style>
-            html {
-                font-family: sans-serif;
-                color: white;
-                background: seagreen linear-gradient(315deg, rgba(255,255,255,0.2), transparent); 
-                height: 100%;
-            }
-            div {
-                margin: 1em;
-            }
-        </style>
-    </head>
-    <body>
-        <h1>Welcome</h1>
-        <div>You have logged in successfully.</div>
-    </body>
-</html>
Author	SHA1	Message	Date
Neale Pickett	3bcc903be2	Talk about persistent secret	2022-09-10 14:05:46 -06:00
Neale Pickett	6d67ee3bfb	Merge branch 'main' of https://github.com/nealey/simpleauth	2022-09-10 13:56:59 -06:00
Neale Pickett	cc53ee7ad8	actually working with caddy now	2022-09-10 13:55:04 -06:00