Talk about persistent secret

README.md

@@ -9,7 +9,6 @@ I now use Caddy: it works with that too.
 All I need is a simple password, that's easy to fill with a password manager.
 This checks those boxes.
 
-
 ## Format of the `passwd` file
 
 It's just like `/etc/shadow`.
@@ -22,11 +21,25 @@ until there's a Go library that supports everything.
 There's a program included called `crypt` that will output lines for this file.
 
 
+## Installation with Caddy
+
+Run simpleauth as a service.
+Make sure it can read your `passwd` file,
+which you set up in the previous section.
+
+You'll want a section like this in your Caddyfile:
+
+```
+forward_auth simpleauth:8080 {
+  uri /
+  copy_headers X-Simpleauth-Token
+}
+```
+
 ## Installation with Traefik
 
-You need to have traefik forward the Path `/` to this application.
+I don't use Traefik any longer, but when I did,
-
+I had it set up like this:
-I only use docker swarm. You'd do something like the following:
 
 ```yaml
 services:
@@ -53,10 +66,23 @@ secrets:
     name: password-v1
 ```
 
-## Note
+# How It Works
 
-For some reason that I haven't bothered looking into,
+Simpleauth uses a token cookie, in addition to HTTP Basic authentication.
-I have to first load `/` in the browser.
+The token is an HMAC digest of an expiration timestamp,
-I think it has something to do with cookies going through traefik simpleauth,
+plus the timestamp.
-and I could probably fix it with some JavaScript,
+When the HMAC is good, and the timestamp is in the future,
-but this is good enough for me.
+the token is a valid authentication.
+This technique means there is no persistent server storage.
+
+If you use the default of pulling the session secret from the OS PRNG,
+then everybody will have to log in again every time the server restarts.
+You can use the `-secret` argument to provide a persistent secret,
+so this won't happen.
+
+Some things,
+like WebDAV,
+will only ever use HTTP Basic auth.
+That's okay:
+Simpleauth will issue a new token for every request,
+and the client will ignore it.

build/Containerfile

@@ -9,4 +9,4 @@ RUN go install -v ./...
 FROM alpine
 COPY --from=builder /go/bin/simpleauth /bin
 COPY --from=builder /go/src/app/static /static
-CMD ["/bin/simpleauth"]
+ENTRYPOINT ["/bin/simpleauth"]

cmd/simpleauth/main.go

@@ -17,13 +17,12 @@ import (
 	"github.com/nealey/simpleauth/pkg/token"
 )
 
-const CookieName = "auth"
+const CookieName = "simpleauth-token"
 
 var secret []byte = make([]byte, 256)
 var lifespan time.Duration
 var cryptedPasswords map[string]string
 var loginHtml []byte
-var successHtml []byte
 
 func authenticationValid(username, password string) bool {
 	c := crypt.SHA256.New()
@@ -39,23 +38,19 @@ func rootHandler(w http.ResponseWriter, req *http.Request) {
 	if cookie, err := req.Cookie(CookieName); err == nil {
 		t, _ := token.ParseString(cookie.Value)
 		if t.Valid(secret) {
-			// Bypass logging and cookie setting:
+			fmt.Print(w, "Valid token")
-			// otherwise there is a torrent of logs
-			w.Write(successHtml)
 			return
 		}
 	}
 
-	authenticated := ""
+	acceptsHtml := false
+	if strings.Contains(req.Header.Get("Accept"), "text/html") {
+		acceptsHtml = true
+	}
 
+	authenticated := false
 	if username, password, ok := req.BasicAuth(); ok {
-		if authenticationValid(username, password) {
+		authenticated = authenticationValid(username, password)
-			authenticated = "HTTP-Basic"
-		}
-	}
-
-	if authenticationValid(req.FormValue("username"), req.FormValue("password")) {
-		authenticated = "Form"
 	}
 
 	// Log the request
@@ -63,12 +58,19 @@ func rootHandler(w http.ResponseWriter, req *http.Request) {
 	if clientIP == "" {
 		clientIP = req.RemoteAddr
 	}
-	log.Printf("%s %s %s [%s]", clientIP, req.Method, req.URL, authenticated)
+	log.Printf("%s %s %s [auth:%v]", clientIP, req.Method, req.URL, authenticated)
 
-	if authenticated == "" {
+	if !authenticated {
+		w.Header().Set("Content-Type", "text/html")
+		if !acceptsHtml {
+			w.Header().Set("WWW-Authenticate", "Basic realm=\"simpleauth\"")
+		}
 		w.WriteHeader(http.StatusUnauthorized)
 		w.Write(loginHtml)
-	} else {
+		return
+	}
+
+	// Set Cookie
 	t := token.New(secret, time.Now().Add(lifespan))
 	http.SetCookie(w, &http.Cookie{
 		Name:     CookieName,
@@ -77,9 +79,19 @@ func rootHandler(w http.ResponseWriter, req *http.Request) {
 		Secure:   true,
 		SameSite: http.SameSiteStrictMode,
 	})
-		w.WriteHeader(http.StatusOK)
+
-		w.Write(successHtml)
+	// Set cookie value in our fancypants header
+	w.Header().Set("X-Simpleauth-Token", t.String())
+
+	if req.Header.Get("X-Simpleauth-Login") != "" {
+		// Caddy treats any response <300 as "please serve original content",
+		// so we'll use 302 (Found).
+		// According to RFC9110, the server SHOULD send a Location header with 302.
+		// We don't do that, because we don't know where to send you.
+		// It's possible 300 is a less incorrect code to use here.
+		w.WriteHeader(http.StatusFound)
 	}
+	fmt.Fprintln(w, "Authenticated")
 }
 
 func main() {
@@ -134,10 +146,6 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	successHtml, err = ioutil.ReadFile(path.Join(*htmlPath, "success.html"))
-	if err != nil {
-		log.Fatal(err)
-	}
 
 	// Read in secret
 	f, err := os.Open(*secretPath)

static/login.html

@@ -3,7 +3,6 @@
   <head>
     <title>Login</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="icon" href="data:,">
     <style>
       html {
         font-family: sans-serif;
@@ -29,21 +28,30 @@
           let username = data.get("username")
           let password = data.get("password")
 
+          url = new URL(evt.target.action)
+          url.username = ""
+          url.password = ""
+
           let headers = new Headers({
               "Authorization": "Basic " + btoa(username + ":" + password),
+              "X-Simpleauth-Login": "true",
           })
-        let req = await fetch(evt.target.action, {
+          let req = await fetch(url, {
               method: "GET",
               headers: headers,
               credentials: "same-origin",
           })
-        if (! req.ok) {
+          let token = req.headers.get("X-Simpleauth-Token")
-          error(req.statusText || "Authentication failed")
+          if (token) {
-          return
+            // Set a cookie, just in case
-        }
+            document.cookie = `simpleauth-token=${token}; path=/; Secure; SameSite=Strict`
             location.reload(true)
+          } else {
+            error(req.statusText || "Authentication failed")
           }
-      function init() {
+      }
+
+      async function init() {
           document.querySelector("form").addEventListener("submit", login)
       }
 
@@ -51,8 +59,8 @@
     </script>
   </head>
   <body>
-    <h1>Log In</h1>
+    <h1>Login</h1>
-    <form action="/" method="post">
+    <form>
       <div>Username: <input type="text" autocomplete="username" name="username"></div>
       <div>Password: <input type="password" autocomplete="current-password" name="password"></div>
       <div><input type="submit" value="Log In"></div>

static/success.html

@@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-    <head>
-        <title>Welcome</title>
-        <meta name="viewport" content="width=device-width, initial-scale=1">
-        <link rel="icon" href="data:,">
-        <style>
-            html {
-                font-family: sans-serif;
-                color: white;
-                background: seagreen linear-gradient(315deg, rgba(255,255,255,0.2), transparent); 
-                height: 100%;
-            }
-            div {
-                margin: 1em;
-            }
-        </style>
-    </head>
-    <body>
-        <h1>Welcome</h1>
-        <div>You have logged in successfully.</div>
-    </body>
-</html>