-
-
Save abbot/a30e91ffec76934c6fbc to your computer and use it in GitHub Desktop.
Attempt to reproduce #16
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| test:$apr1$JI4wh3am$AmhephVqLTUyAVpFQeHZC0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "flag" | |
| auth "github.com/abbot/go-http-auth" | |
| "github.com/gorilla/mux" | |
| "log" | |
| "net/http" | |
| "time" | |
| ) | |
| func main() { | |
| var passwordFile, staticDir string | |
| flag.StringVar(&staticDir, "static-dir", "", "The directory containing static content to be served.") | |
| flag.StringVar(&passwordFile, "password-file", "htpasswd", "The path to the password file that should match the format of htpasswd.") | |
| flag.Parse() | |
| if len(staticDir) == 0 { | |
| log.Fatalf("static-dir must be provided") | |
| } | |
| log.Printf("staticDir = %s", staticDir) | |
| secrets := auth.HtpasswdFileProvider(passwordFile) | |
| authenticator := auth.NewBasicAuthenticator("gitrest", secrets) | |
| r := mux.NewRouter().StrictSlash(false) | |
| r.PathPrefix("/").Handler(http.FileServer(http.Dir(staticDir))) | |
| http.Handle("/", authenticator.Wrap(func(w http.ResponseWriter, ar *auth.AuthenticatedRequest) { | |
| r.ServeHTTP(w, &ar.Request) | |
| })) | |
| s := &http.Server{ | |
| Addr: ":8080", | |
| ReadTimeout: 10 * time.Second, | |
| WriteTimeout: 10 * time.Second, | |
| MaxHeaderBytes: 1 << 20, | |
| } | |
| log.Fatal(s.ListenAndServe()) | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| go run main.go -static-dir=. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| curl -vsf -u test:topsecret http://localhost:8080/ -o /dev/null && echo "good password: success." || echo "good password: fail." | |
| curl -vsf -u test:meh http://localhost:8080/ -o /dev/null && echo "bad password: success." || echo "bad password: fail." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OK. Found the problem and in the process learned more about HTTP Basic Authorization than I ever thought I would.
I was not using the curl -u option in my curl commands. Instead, I base64 encoded a string using the command line base64 command and then passed that into curl using the -H. For example, I was using:
curl -X GET -v -H "Authorization: Basic dGVzdDp0b3BzZWNyZXQK" http://192.168.56.102:8080The correct command is:
curl -X GET -v -H "Authorization: Basic dGVzdDp0b3BzZWNyZXQ=" http://192.168.56.102:8080Note the difference in the encoded test:topsecret.
The problem was the command line base64 command uses RFC 4648 instead of the HTTP spec RFC 2045.
To add to the confusion, when I printed out the decoded string on the server that is using go-http-auth it showed test:topsecret. But, digging even deeper, I found that when the string was encoded using RFC 4648, there was an extra newline character tacked onto topsecret, causing the rest of the algorithm to produce the wrong result.
So, like I said, I now know a lot more about HTTP basic auth than I ever thought I would.
Thanks for your help and patience. And thanks again for a nice library.