Feat/forward auth (#28)

* feat: add a simple auth forward url

* doc: update readme

* fix: tests

* fix: linter issues

* doc: update basic auth section

Author: DblK

.golangci.yml

@@ -3,6 +3,8 @@ linters-settings:
     line-length: 200
   gocyclo:
     min-complexity: 20
+  gocognit:
+    min-complexity: 30
 
 linters:
   enable:
@@ -57,5 +59,8 @@ issues:
       linters:
         - gochecknoglobals
         - dupl
+    - path: security.go
+      linters:
+        - gocognit
   include:
     - EXC0002

README.md

@@ -49,6 +49,7 @@ Here is the list of all main features so far:
 - [X] Simple ticket check in NSP/NSZ (based on titledb file)
 - [X] Collect basic statistics
 - [X] An API to query information about your shop
+- [X] Handle Basic Auth from Tinfoil through Forward Auth Endpoint
 
 ## Filtering
 
@@ -118,7 +119,7 @@ Use a reverse proxy (like [traefik](https://github.com/traefik/traefik), [caddy]
 
 ### Example for caddy
 
-To work with `caddy`, you need to put in your `Caddyfile` something similar to this:
+To work with [`caddy`](https://caddyserver.com/), you need to put in your `Caddyfile` something similar to this:
 
 ```Caddyfile
 tinshop.example.com:80 {
@@ -139,10 +140,12 @@ If you want to have HTTPS, ensure `caddy` handle it (it will with Let's Encrypt)
 
 ## How can I add a `basic auth` to protect my shop?
 
-TinShop **does not** implement basic auth by itself.  
-You should configure it inside your reverse proxy.
+TinShop **does** handle basic auth but not by itself.  
+You should look for `forwardAuth` in the `config.yaml` to set the endpoint that will handle the authentication in behalf of TinShop.
 
-For other type of protection, you can whitelist your own switch and this will do the trick.
+In the future, a proper user management will be incorporated into TinShop to handle it.
+
+In addition, for other type of protection, you can whitelist/blacklist your own switch and this will do the trick.
 
 ## I have tons of missing title displayed in `tinfoil`, what should I do?
 

config.example.yaml

@@ -62,6 +62,12 @@ security:
   # You can find the uid of a switch in the log upon access
   backlist:
     - NOACCESSNOACCESSNOACCESSNOACCESSNOACCESSNOACCESSNOACCESSNOACCESS
+  # Endpoint to which a query will be sent to verify user/password/uid to
+  # Headers sent :
+  # - Authorization: same as sent by switch
+  # - Device-Id: Switch fingerprint
+  # Response with status code other than 200 will be treated as failure
+  forwardAuth: https://auth.tinshop.com/switch
 
 # This section describe all custom title db to show up properly in tinfoil
 customTitledb:

config/config.go

@@ -28,6 +28,7 @@ type security struct {
 	Whitelist   []string `mapstructure:"whitelist"`
 	Backlist    []string `mapstructure:"backlist"`
 	BannedTheme []string `mapstructure:"bannedTheme"`
+	ForwardAuth string   `mapstructure:"forwardAuth"`
 }
 
 type nsp struct {
@@ -261,6 +262,11 @@ func (cfg *File) VerifyNSP() bool {
 	return cfg.NSP.CheckVerified
 }
 
+// ForwardAuthURL returns the url of the forward auth
+func (cfg *File) ForwardAuthURL() string {
+	return cfg.Security.ForwardAuth
+}
+
 // IsBlacklisted tells if the uid is blacklisted or not
 func (cfg *File) IsBlacklisted(uid string) bool {
 	if len(cfg.Security.Whitelist) != 0 {

mock_repository/mock_config.go

@@ -45,6 +45,7 @@ type Config interface {
 	ShopTemplateData() ShopTemplate
 	SetShopTemplateData(ShopTemplate)
 
+	ForwardAuthURL() string
 	IsBlacklisted(string) bool
 	IsWhitelisted(string) bool
 	IsBannedTheme(string) bool

repository/interfaces.go

@@ -47,6 +47,8 @@ func (s *TinShop) TinfoilMiddleware(next http.Handler) http.Handler {
 				return
 			}
 
+			// TODO: Here implement usage of IsWhitelisted
+
 			// Check for banned theme
 			var theme = strings.Join(headers["Theme"], "")
 			if s.Shop.Config.IsBannedTheme(theme) {
@@ -72,6 +74,26 @@ func (s *TinShop) TinfoilMiddleware(next http.Handler) http.Handler {
 			// Enforce true tinfoil queries
 			// TODO: Check Uauth and Hauth headers
 			log.Printf("Switch %s, %s, %s, %s, %s, %s requesting %s", headers["Theme"], headers["Uid"], headers["Version"], headers["Language"], headers["Hauth"], headers["Uauth"], r.RequestURI)
+
+			// Check user password
+			if s.Shop.Config.ForwardAuthURL() != "" && headers["Authorization"] != nil {
+				log.Println("[Security] Forwarding auth to", s.Shop.Config.ForwardAuthURL())
+				client := &http.Client{}
+				req, _ := http.NewRequest("GET", s.Shop.Config.ForwardAuthURL(), nil)
+				req.Header.Add("Authorization", strings.Join(headers["Authorization"], ""))
+				req.Header.Add("Device-Id", strings.Join(headers["Uid"], ""))
+				resp, err := client.Do(req)
+				if err != nil {
+					log.Print(err)
+					_ = shopTemplate.Execute(w, s.Shop.Config.ShopTemplateData())
+					return
+				}
+				defer resp.Body.Close()
+				if resp.StatusCode != 200 {
+					_ = shopTemplate.Execute(w, s.Shop.Config.ShopTemplateData())
+					return
+				}
+			}
 		}
 
 		// Call the next handler, which can be another middleware in the chain, or the final handler.

security.go

@@ -106,6 +106,11 @@ var _ = Describe("Security", func() {
 					Return(false).
 					AnyTimes()
 
+				myMockConfig.EXPECT().
+					ForwardAuthURL().
+					Return("").
+					AnyTimes()
+
 				myMockConfig.EXPECT().
 					IsBlacklisted(gomock.Any()).
 					Return(true).
@@ -160,6 +165,11 @@ var _ = Describe("Security", func() {
 					Return(false).
 					AnyTimes()
 
+				myMockConfig.EXPECT().
+					ForwardAuthURL().
+					Return("").
+					AnyTimes()
+
 				myMockConfig.EXPECT().
 					IsBlacklisted(gomock.Any()).
 					Return(false).
@@ -219,6 +229,11 @@ var _ = Describe("Security", func() {
 					Return(false).
 					AnyTimes()
 
+				myMockConfig.EXPECT().
+					ForwardAuthURL().
+					Return("").
+					AnyTimes()
+
 				myMockConfig.EXPECT().
 					IsBlacklisted(gomock.Any()).
 					Return(false).
@@ -279,6 +294,11 @@ var _ = Describe("Security", func() {
 					Return(false).
 					AnyTimes()
 
+				myMockConfig.EXPECT().
+					ForwardAuthURL().
+					Return("").
+					AnyTimes()
+
 				myMockConfig.EXPECT().
 					IsBlacklisted(gomock.Any()).
 					Return(false).
@@ -338,6 +358,11 @@ var _ = Describe("Security", func() {
 					Return(false).
 					AnyTimes()
 
+				myMockConfig.EXPECT().
+					ForwardAuthURL().
+					Return("").
+					AnyTimes()
+
 				myMockConfig.EXPECT().
 					IsBlacklisted(gomock.Any()).
 					Return(false).