httpauth

package module
v0.0.0-...-2da839a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 1, 2016 License: MIT Imports: 7 Imported by: 213

README

goji/httpauth GoDoc Build Status

httpauth currently provides HTTP Basic Authentication middleware for Go. It is compatible with Go's own net/http, goji, Gin & anything that speaks the http.Handler interface.

Example

httpauth provides a SimpleBasicAuth function to get you up and running. Particularly ideal for development servers.

Note that HTTP Basic Authentication credentials are sent over the wire "in the clear" (read: plaintext!) and therefore should not be considered a robust way to secure a HTTP server. If you're after that, you'll need to use SSL/TLS ("HTTPS") at a minimum.

Install It
$ go get github.com/goji/httpauth
Goji v2
Simple Usage

The fastest and simplest way to get started using httpauth is to use the SimpleBasicAuth function.


package main

import(
    "net/http"

    "goji.io"
)

func main() {
    mux := goji.NewMux()

    mux.Use(httpauth.SimpleBasicAuth("dave", "somepassword"))
    mux.Use(SomeOtherMiddleware)

    // YourHandler now requires HTTP Basic Auth
    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}
Advanced Usage

For more control over the process, pass a AuthOptions struct to BasicAuth instead. This allows you to:

  • Configure the authentication realm.
  • Provide your own UnauthorizedHandler (anything that satisfies http.Handler) so you can return a better looking 401 page.
  • Define a custom authentication function, which is discussed in the next section.

func main() {

    authOpts := httpauth.AuthOptions{
        Realm: "DevCo",
        User: "dave",
        Password: "plaintext!",
        UnauthorizedHandler: myUnauthorizedHandler,
    }

    mux := goji.NewMux()

    mux.Use(BasicAuth(authOpts))
    mux.Use(SomeOtherMiddleware)

    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}
Custom Authentication Function

httpauth will accept a custom authentication function. Normally, you would not set AuthOptions.User nor AuthOptions.Password in this scenario. You would instead validate the given credentials against an external system such as a database. The contrived example below is for demonstration purposes only.

func main() {

    authOpts := httpauth.AuthOptions{
        Realm: "DevCo",
        AuthFunc: myAuthFunc,
        UnauthorizedHandler: myUnauthorizedHandler,
    }

    mux := goji.NewMux()

    mux.Use(BasicAuth(authOpts))
    mux.Use(SomeOtherMiddleware)

    mux.Handle(pat.Get("/some-route"), YourHandler))

    log.Fatal(http.ListenAndServe("localhost:8000", mux))
}

// myAuthFunc is not secure.  It checks to see if the password is simply
// the username repeated three times.
func myAuthFunc(user, pass string, r *http.Request) bool {
    return pass == strings.Repeat(user, 3)
}
gorilla/mux

Since it's all http.Handler, httpauth works with gorilla/mux (and most other routers) as well:

package main

import (
	"net/http"

	"github.com/goji/httpauth"
	"github.com/gorilla/mux"
)

func main() {
	r := mux.NewRouter()

	r.HandleFunc("/", YourHandler)
	http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(r))

	http.ListenAndServe(":7000", nil)
}

func YourHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("Gorilla!\n"))
}
net/http

If you're using vanilla net/http:

package main

import(
	"net/http"

	"github.com/goji/httpauth"
)

func main() {
	http.Handle("/", httpauth.SimpleBasicAuth("dave", "somepassword")(http.HandlerFunc(YourHandler)))
	http.ListenAndServe(":7000", nil)
}

Contributing

Send a pull request! Note that features on the (informal) roadmap include HTTP Digest Auth.

License

MIT Licensed. See the LICENSE file for details.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BasicAuth

func BasicAuth(o AuthOptions) func(http.Handler) http.Handler

BasicAuth provides HTTP middleware for protecting URIs with HTTP Basic Authentication as per RFC 2617. The server authenticates a user:password combination provided in the "Authorization" HTTP header.

Example:

   package main

   import(
          "net/http"
          "github.com/zenazn/goji"
          "github.com/goji/httpauth"
   )

   func main() {
        basicOpts := httpauth.AuthOptions{
                    Realm: "Restricted",
                    User: "Dave",
                    Password: "ClearText",
                }

        goji.Use(httpauth.BasicAuth(basicOpts), SomeOtherMiddleware)
        goji.Get("/thing", myHandler)
}

Note: HTTP Basic Authentication credentials are sent in plain text, and therefore it does not make for a wholly secure authentication mechanism. You should serve your content over HTTPS to mitigate this, noting that "Basic Authentication" is meant to be just that: basic!

func SimpleBasicAuth

func SimpleBasicAuth(user, password string) func(http.Handler) http.Handler

SimpleBasicAuth is a convenience wrapper around BasicAuth. It takes a user and password, and returns a pre-configured BasicAuth handler using the "Restricted" realm and a default 401 handler.

Example:

package main

import(
       "net/http"
       "github.com/zenazn/goji/web/httpauth"
)

func main() {

     goji.Use(httpauth.SimpleBasicAuth("dave", "somepassword"), SomeOtherMiddleware)
     goji.Get("/thing", myHandler)
 }

Types

type AuthOptions

type AuthOptions struct {
	Realm               string
	User                string
	Password            string
	AuthFunc            func(string, string, *http.Request) bool
	UnauthorizedHandler http.Handler
}

AuthOptions stores the configuration for HTTP Basic Authentication.

A http.Handler may also be passed to UnauthorizedHandler to override the default error handler if you wish to serve a custom template/response.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL